log4shell.tools Scan logs

Log4j Version Checker

Enter a Log4j version and find out whether it's vulnerable to Log4Shell — and exactly which fix you need.

  1. Type the Log4j version (e.g. 2.14.1 or 2.17.1).
  2. Click Check for an instant verdict.
  3. Follow the upgrade guidance for anything below 2.17.1.

Enter the Log4j version a service is running and this tool tells you whether it's affected by Log4Shell and the follow-on CVEs — and which version to upgrade to. The fixes came in waves: 2.15 partially fixed it, 2.16 disabled message lookups, and 2.17.1 is the version that resolves CVE-2021-44228, 45046 and 45105 together.

The patch timeline

2.0-beta9 – 2.14.1: fully vulnerable to Log4Shell. 2.15.0: still exploitable in some configs (CVE-2021-45046). 2.16.0: JNDI and message lookups disabled, but a DoS remained (CVE-2021-45105). 2.17.1+: all three resolved — the recommended target. Backports exist for older Java (2.12.4 for Java 7, 2.3.2 for Java 6).

Stop-gaps when you can't upgrade

If you genuinely can't patch immediately, the accepted mitigations are to remove the JndiLookup.class from the classpath, or — for older 2.10+ — set log4j2.formatMsgNoLookups=true. These reduce risk but are not a substitute for upgrading to 2.17.1+. The old advice to set log4j2.noFormatMsgLookup alone proved insufficient.

Guides about Log4j Version Checker

Log4j versions & CVEs CVE-2021-45046 vs 45105: The Log4Shell Follow-On Flaws A defender's comparison of CVE-2021-45046 and CVE-2021-45105, explaining why the first Log4Shell fix was incomplete, what the denial-of-service follow-up was, and why only 2.17.1 is the safe endpoint. 6 min read Log4j versions & CVEs Is My Log4j Version Vulnerable? A Defender's Checklist A defender's checklist for deciding whether a Log4j version is vulnerable, mapping version numbers to the Log4Shell CVEs and explaining how to find your true version including transitive dependencies. 6 min read Log4j versions & CVEs The Log4j Patch Timeline: Every Version and What It Fixed A defender's timeline of the Log4j patch releases, explaining what 2.15.0, 2.16.0, 2.17.0, and 2.17.1 each fixed, the 2.12.4 and 2.3.2 backports, and which version is the safe endpoint. 6 min read

More log4shell tools

Log4Shell Scanner Paste a log line, request header, or whole log file and instantly flag Log4Shell (CVE-2021-44228) exploitation attempts — including obfuscated JNDI payloads.

Frequently asked questions

Which Log4j version is safe?
2.17.1 or later for Java 8+. It fixes CVE-2021-44228, 45046 and 45105. Backports are 2.12.4 (Java 7) and 2.3.2 (Java 6).
Is 2.15 or 2.16 safe?
Not fully. 2.15 is still exploitable via CVE-2021-45046; 2.16 fixes that but has a DoS (CVE-2021-45105). Upgrade to 2.17.1+.
Is Log4j 1.x affected?
Not by CVE-2021-44228, but 1.x is end-of-life with its own unpatched CVEs. Move to 2.17.1+.