This version patches the vulnerability mentioned below. Unlike the Log4j vulnerabilities fixed in 5.0.0, 5.0.2 and 5.0.3 upgrades which had severities of high or critical, this vulnerability has been assigned a severity of moderate severity. We still suggest that you upgrade at your earliest convenience.
Important: Security Vulnerability CVE-2021-44832
Summary: Apache Log4j2 vulnerable to RCE via JDBC Appender when attacker controls configuration.
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.