Update to log4j2 2.16.0

[danotorrey]

The log4j dependencies were recently updated to 2.15.0 in #285 to mitigate CVE-2021-44228.

A subsequent log4j version (2.16.0) was released yesterday that completely disables JNDI by default. Should the project be updated to this new version?

CVE-2021-44228 has shown the JNDI has significant security issues.
2.16.0 disables JNDI by default.

https://logging.apache.org/log4j/2.x/changes-report.html#a2.16.0

[ericlink]

Now a must to update to 2.16: https://logging.apache.org/log4j/2.x/security.html

[HerrSchwarz]

Thanks for taking care so quickly. Do you have an ETA for the release?

[msailes]

It's available now

https://repo1.maven.org/maven2/com/amazonaws/aws-lambda-java-log4j2/

[HerrSchwarz]

Awesome, thank you so much 🙂

[andclt]

Closing issue since aws-lambda-java-log4j2 1.5.0 (with log4j 2.17.0) is available in Maven: https://search.maven.org/artifact/com.amazonaws/aws-lambda-java-log4j2/1.5.0/jar