History of Log4j in Timeline

Apache Log4j, a Java-based logging utility created by Ceki Gülcü, is part of the Apache Logging Services project under the Apache Software Foundation. It's one of several Java logging frameworks. Log4j is widely used in Java applications for recording various events and information during program execution. It's known for its flexibility and configurability, allowing developers to control the output format and destination of log messages. Security vulnerabilities discovered in Log4j have highlighted the critical role of regular updates and patching for maintaining the integrity of applications.

2013: Log4j 1.2.17 Release

In 2013, Log4j 1.2.17 was released.

July 2015: Log4j 2 General Availability Release

Log4j 2 was officially released in July 2015, marking its general availability. This version was a complete rewrite, drawing inspiration from Log4j 1 and java.util.logging.

August 5, 2015: Log4j 1 End-of-Life Announcement

On August 5, 2015, the Apache Logging Services Project Management Committee declared Log4j 1 end-of-life and recommended users upgrade to Log4j 2.

November 24, 2021: Log4Shell Vulnerability Discovery

The Log4Shell vulnerability in Log4j 2 was discovered and reported to Apache by Alibaba on November 24, 2021.

December 6, 2021: Log4j 2.15.0-rc1 Release

On December 6, 2021, Log4j version 2.15.0-rc1 was released. This version removed the configuration setting that caused the Log4Shell vulnerability and introduced new settings to mitigate it.

December 9, 2021: Log4Shell Vulnerability Disclosure

On December 9, 2021, the Log4Shell vulnerability, a zero-day exploit involving arbitrary code execution in Log4j 2, was publicly disclosed by the Alibaba Cloud Security Team. It was considered a highly critical vulnerability.

January 12, 2022: Reload4j Release

On January 12, 2022, a forked and renamed version of Log4j 1.2, called Reload4j 1.2.18.0, was released by Ceki Gülcü to address urgent issues accumulated since the 2013 release of Log4j 1.2.17.