Skip to content

Instantly share code, notes, and snippets.

Last active December 29, 2021 09:41
  • Star 15 You must be signed in to star a gist
  • Fork 2 You must be signed in to fork a gist
Star You must be signed in to star a gist
What would you like to do?
Emerging threat details on CVE-2021-44228 in Apache Log4j

Update: Please see Bishop Fox's rapid response post Log4j Vulnerability: Impact Analysis for latest updates about this vulnerability.

Technologies using Apache Log4j

The Cosmos 🌌 team at Bishop Fox 🦊 is currently researching open-source projects that appear to use Log4j by default.

  • Apache Druid
  • Apache Dubbo
  • Apache Flink
  • Apache Flume
  • Apache Hadoop
  • Apache Kafka
  • Apache Solr
  • Apache Spark
  • Apache Struts
  • Apache Tapestry
  • Apache Wicket
  • Elastic Elasticsearch
  • Elastic Logstash
  • Ghidra
  • Grails
  • Minecraft

The following projects don't appear to use Log4j by default, though they may optionally be configured to use it.

  • Apache Tomcat
  • Dropwizard
  • Elastic Kibana
  • Hibernate
  • JavaServer Faces
  • Oracle ATG Web Commerce
  • Spring Framework


Thanks to @sshell for the deep dive on this list.

See also

Copy link

Kindly confirm if Apache Subversion is affected

Copy link

Please add Graylog to this list, as per my fork.

Copy link has a even longer and more uptodate list

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment