官方申明:
https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45046
官方解決方案
Mitigation
Log4j 1.x mitigation: Log4j 1.x is not impacted by this vulnerability.
Log4j 2.x mitigation: Implement one of the mitigation techniques below.
Java 8 (or later) users should upgrade to release 2.16.0.
Users requiring Java 7 should upgrade to release 2.12.2 when it becomes available (work in progress, expected to be available soon).
Otherwise, remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
建議
目前看來升級相對保險,升級版本 JDK7:Log4j 2.12.2
或者 JDK8:Log4j 2.16.0
關於Log4j 2.16.0版本升級記錄:https://logging.apache.org/log4j/2.x/changes-report.html#a2.16.0