Security Policy

Supported Versions

Only the most recent release of Apache Log4j 2 is supported.

Reporting a Vulnerability

If you have encountered an unlisted security vulnerability or other unexpected behaviour that has security impact, please report them privately to the Log4j Security Team.

Past Vulnerabilities

See Apache Log4j Security Vulnerabilities.