The Apache Log4j Security Team has rated the importance of each security flaw considering its impact on Log4j. Experts have consented this rating as the most convenient to assess each user’s exposure to vulnerability.
Regarding the used Java version, the 7th or the 8th, Security Managers are simply called to upgrade the Log4j version in order to implement the fixed vulnerabilities. It is important to specify that basically medical institutions have claimed these vulnerabilities and they were, like all those using Apache Log4j 1.x, to upgrade automatically to the next feature Log4j 2.x, which contains security fixes.
In order to make the operation easier for security system administrators, Apache has provided users with a guide line that facilitates building or configuring Log4j to mitigate the known vulnerabilities listed on Apache website.
Apache also explicited the mitigation techniques to implement for the last Java version by migrating to the 2.17.0 recently released or by mitigating based on the configuration suggested by Apache on their web site.
The vulnerabilities fixed vary from critical to moderate impact but still controlled by simple upgrade of the Log4j:
CVE-2021-45105
CVE-2021-45046
CVE-2021-44228
CVE-2020-9488
CVE-2017-5645
