rollbar · bxsx · Dec 20, 2021 · Dec 19, 2021 · Dec 19, 2021
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Change Log
 
+# 1.8.1
+
+- Update log4j dependencies to v2.17.0 to fix CVE-2021-45105 [#291](https://github.com/rollbar/rollbar-java/pull/291)
+
 # 1.8.0
 
 - Update log4j dependencies to v 2.16.0 (#287)

diff --git a/gradle.properties b/gradle.properties
@@ -1,4 +1,4 @@
-VERSION_NAME=1.8.1-SNAPSHOT
+VERSION_NAME=1.8.1
 GROUP=com.rollbar
 
 POM_DESCRIPTION=For connecting your applications built on the JVM to Rollbar for Error Reporting

diff --git a/rollbar-log4j2/README.md b/rollbar-log4j2/README.md
@@ -1,28 +1,36 @@
 # Rollbar Log4j 2 integration
 
-This directory contains the Log4j 2 integration of the Rollbar Java SDK. 
+This directory contains the Log4j 2 integration of the Rollbar Java SDK.
 
 Instructions for building and contributing to the SDK can be found in the main repository [README](../README.md).
 
 ## Compatibility
 
-Staring with version `1.8.0`, `rollbar-log4j2` depends on version `2.16.0` of `log4j-core`. This removes compatibility with Java 7, but was a necessary upgrade to fix the CVE-2021-44228 vulnerability in Log4j. 
+Staring with version `1.8.0`, `rollbar-log4j2` depends on version `2.16.0` (or later) of `log4j-core`.
+This removes compatibility with Java 7, but was a necessary upgrade to fix the following vulnerabilites in Log4j:
 
-Projects built and / or running with Java 7 can still use `rollbar-log4j2` version `1.8.0`, while forcing the use of a **vulnerable**, Java 7 compatible version of `Log4j`, by updating their build configuration to ignore transitive dependencies from `rollbar-log4j2`. 
+- CVE-2021-44228
+- CVE-2021-45046
+- CVE-2021-45105
+
+Projects built and/or running with Java 7 can still use `rollbar-log4j2` version `1.8.0+`,
+while forcing the use of a **vulnerable**, Java 7 compatible version of `Log4j`,
+by updating their build configuration to ignore transitive dependencies from `rollbar-log4j2`.
 
 Gradle configuration:
 
 ```gradle
 dependencies {
-    implementation(group: 'com.rollbar', name: 'rollbar-log4j2', version: '1.8.0') {
+    implementation(group: 'com.rollbar', name: 'rollbar-log4j2', version: '1.8.1') {
         exclude group: 'org.apache.logging.log4j'
     }
 
-    implementation group: 'org.apache.logging.log4j', name: 'log4j-slf4j-impl', version: '2.12.1'
-    annotationProcessor group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.12.1'
+    implementation group: 'org.apache.logging.log4j', name: 'log4j-slf4j-impl', version: '2.12.2'
+    annotationProcessor group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.12.2'
 }
 
 ```
 
-Note CVE-2021-44228 is a major RCE vulnerability and this approach should only be used after a thorough security analysis, and with very strong mitigations in place.
+While CVE-2021-44228 and CVE-2021-45046 are already fixed in `2.12.2`, CVE-2021-45105 is **not** fixed for Java 7.
+Note CVE-2021-45105 is a high DoS vulnerability and this approach should only be used after a thorough security analysis, and with very strong mitigations in place.