CVE-2021-44228 flaw in Apache Log4j versions 2.0.0 and before 2.15.0

Latest response

CVE-2021-44228 Log4j

See security bulletin for updates on log4j issue and recommendations to manage the risk. Additional resource: FAQ

Please see the below relevant official Red Hat links below for specifics relating to this matter. The Red Hat links below provide appropriate actions to take.:


  • A flaw was found in the Apache Log4j logging library in versions from 2.0.0 and before 2.15.0. A remote attacker who can control log messages or log message parameters, can execute arbitrary code on the server via JNDI LDAP endpoint.

Vulnerability Response


This issue only affects log4j versions between 2.0 and 2.14.1. In order to exploit this flaw you need:

  • A remotely accessible endpoint with any protocol (HTTP, TCP, etc) that allows an attacker to send arbitrary data,
  • A log statement in the endpoint that logs the attacker controlled data.

Not Affected Products:

The following products are NOT affected by this flaw and have been explicitly listed here for the benefit of Red Hat customers.

  • RHEL 6, RHEL 7, RHEL 8
  • Red Hat Cost Management
  • Red Hat Advanced Cluster Management for Kubernetes
  • Red Hat Ansible Automation Platform (Engine and Tower)
  • Red Hat Certificate System
  • Red Hat Directory Server
  • Red Hat Identity Management
  • Red Hat CloudForms
  • Red Hat Update Infrastructure
  • Red Hat Satellite

Affected products:

The following Red Hat product versions are directly affected:

  • Red Hat JBoss (various, please see this link)
  • Red Hat CodeReady Studio 12
  • Red Hat OpenStack Platform 13
  • Red Hat Integration Camel K
  • Red Hat Integration Camel Quarkus
  • Red Hat OpenShift Application Runtimes Vert.X 4
  • Red Hat Fuse 7
  • Red Hat OpenShift 4
  • Red Hat OpenShift 3.11
  • Red Hat OpenShift Logging
  • Red Hat Data Grid 8
  • Red Hat AMQ Streaming


Please refer to specific mitigation steps at this Red Hat link:

OpenShift 4/OpenShift Logging

Affected and Unaffected Products and Packages

Please see this Red Hat link for the entire list of affected/unaffected products/packages.

Red Hat Security Bulletin

RHSB-2021-009 Log4shell Remote Code Execution

External References



Please see official links from Red Hat above for specific packages, products and mitigations.


Thank you very much for this extremely useful summary, RJ ... everything one has to know in one place - great ! :)


Hi RJ,

A great summary.

All above applies to the log4j components that Red Hat distributes.

Always check with the application vendors what versions of log4j components they included in the software


Jan Gerrit