Apache Log4j 2 is the successor of Log4j 1 which was released as GA version in July 2014. The framework was rewritten from scratch and has been inspired by existing logging solutions, including Log4j 1 and java.util.logging. The main differences from Log4j 1 are:
The Apache Log4j team developed Log4j 2 in response to the problems of Log4j 1.2, 1.3, java.util.logging and Logback, addressing issues which appeared in those frameworks. In addition, Log4j 2 offered a plugin architecture which makes it more extensible than its predecessor. Log4j 2 is not backwards compatible with 1.x versions, although an "adapter" is available. On August 5, 2015, the Apache Logging Services Project Management Committee announced that Log4j 1 had reached end of life and that users of Log4j 1 were advised to upgrade to Apache Log4j 2. On January 12th 2022, reload4j version 126.96.36.199 was announced with the aim of fixing the most urgent issues in log4j 1.2.17 and an easy migration path.
A zero-day vulnerability involving remote code execution in Log4j 2, given the descriptor "Log4Shell" (CVE-2021-44228), was found and reported to Apache by Alibaba on November 24, 2021, and published in a tweet on December 9, 2021. Affected services include Cloudflare, iCloud, Minecraft: Java Edition, Steam, Tencent QQ, and Twitter. The Apache Software Foundation assigned the maximum CVSS severity rating of 10 to Log4Shell, as millions of servers could be potentially vulnerable to the exploit. The vulnerability was characterized by cybersecurity firm Tenable as "the single biggest, most critical vulnerability of the last decade" and Lunasec's Free Wortley characterized it as "a design failure of catastrophic proportions".
The feature causing the vulnerability could be disabled with a configuration setting, which had been removed in Log4j version 2.15.0-rc1 (officially released on December 6, 2021, three days before the vulnerability was published), and replaced by various settings restricting remote lookups, thereby mitigating the vulnerability. For additional security, all features using JNDI, on which this vulnerability was based, will be disabled by default, and support for message lookups removed from version 2.16.0 onward.
On December 9, 2021, a zero-day vulnerability involving arbitrary code execution in Log4j 2 was published by the Alibaba Cloud Security Team and given the descriptor "Log4Shell". It has been characterized by Tenable as "the single biggest, most critical vulnerability of the last decade".