adds Log4j2 support, removing log4j1

Lucee now uses log4j2 with log4j1 completely removed

Anyone using custom log appenders will need to update them to use log4j2, as we can’t be backwards compatible without including the old lib (which isn’t vulnerable, only unmaintained).

And yes, we will be updating to 2.17.1 before anyone asks…

The 5.3.9 sprint has a few remaining tickets before we release RC1, feel free to start testing

5.3.9 completed highlights so far include

See the sprint board for each ticket


Happy new year @Zackster !

This is great news; removes a possible pain point from any future code audits

now uses 2.17.1, just waiting for maven to update before it can build


@Zackster Looks like both the log4j 1.2.16 and 1.2.17 bundles are downloading when starting up a Lucee server, however. I’m assuming this is coming in as a dependency in one of the org.lucee bundles in MANIFEST.MF

I’m not sure where 1.2.16 is coming from.

If you remove the two 1.2.x jars from the bundles directory and clear the felix-cache directory, only 1.2.17 re-downloads to the bundles directory.

Please always state which exact version of Lucee!

1.2.16 is coming from the old Lucene search extension; you can see that via the Bundles in the admin.

As 5.3.9 is in active development, always test with the latest snapshot.
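
An added example, not part of the thread and not Lucee's own code: a script that parses each bundle's MANIFEST.MF and reports which bundles are log4j 1.x or declare it as a dependency, which is the question raised above. It assumes the dependency is declared in a `Require-Bundle` header under the symbolic name `log4j`; the sample manifests and their bundle names are constructed.

```python
import re
import zipfile

def read_manifest(jar_path):
    with zipfile.ZipFile(jar_path) as jar:
        return jar.read("META-INF/MANIFEST.MF").decode("utf-8")

def parse_manifest(text):
    """Main-section headers of a MANIFEST.MF, continuation lines joined."""
    headers, key = {}, None
    for line in text.splitlines():
        if not line:  # a blank line ends the main section
            break
        if line.startswith(" ") and key:  # continuation of the previous header
            headers[key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            headers[key] = value.lstrip()
    return headers

def required_bundles(headers):
    """Yield (name, version) per Require-Bundle clause; quoted commas are kept."""
    for clause in re.findall(r'(?:[^,"]|"[^"]*")+', headers.get("Require-Bundle", "")):
        name, *params = [p.strip() for p in clause.split(";")]
        found = [p.split("=", 1)[1].strip('"') for p in params if p.startswith("bundle-version=")]
        yield name, found[0] if found else ""

def is_log4j1(name, version):
    return name.split(";")[0].strip() == "log4j" and version.lstrip("[(").startswith("1.")

def audit(manifests):
    """manifests: {jar filename: MANIFEST.MF text}. Returns (filename, reason) findings."""
    findings = []
    for filename, text in sorted(manifests.items()):
        headers = parse_manifest(text)
        own = headers.get("Bundle-Version", "")
        if is_log4j1(headers.get("Bundle-SymbolicName", ""), own):
            findings.append((filename, "is log4j " + own))
        findings += [(filename, "requires log4j " + v)
                     for n, v in required_bundles(headers) if is_log4j1(n, v)]
    return findings

# Constructed sample manifests (hypothetical bundle names); one header is wrapped.
SAMPLE = {
    "log4j-1.2.17.jar": "Bundle-SymbolicName: log4j\nBundle-Version: 1.2.17\n",
    "example-search.jar": 'Bundle-SymbolicName: example.search\nRequire-Bundle: example.util;'
                          'bundle-version="[1.0,2)",log4j;bundle-ver\n sion=1.2.16\n',
    "example-core.jar": "Require-Bundle: org.apache.logging.log4j.core;bundle-version=2.17.1\n",
}
```

To audit a real install, build the dict by calling `read_manifest()` on each jar in the bundles directory and pass it to `audit()`.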


Yesterday lucee.org was down, and my application cannot start because of this.
I get this error:
ERROR: Failed to download the bundle [log4j:1.2.17]
from [http://release.lucee.org/rest/update/provider/download/log4j/1.2.17/?serverId=c25a2e22f6da9088aeeedf932120a75a&serverSecurityKey=aed6b5d8-0b75-4316-9db0-d9444f11a41f&allowRedirect=true&jv=11.0.15]

FYI, I use lucee with docker-commandBox image jdk11-3.5.3