This post is an extension of https://querydb.blogspot.com/2021/09/solving-jenkins-maven-build-xray-log4j.html.

In addition to the fix discussed in that post, Log4j must be upgraded to 2.15.0 or above because of the JNDI attack. Refer to the figure below to understand the deserialization of untrusted data, which can be exploited to remotely execute arbitrary code.

Some posts suggest setting the property log4j2.formatMsgNoLookups instead. But that leaves a serious vulnerability; don't consider these workarounds, and upgrade the Log4j jars.

Refer to https://logging.apache.org/log4j/2.x/security.html:

"A new CVE (CVE-2021-45046, see above) was raised for this. Other insufficient mitigation measures are: setting system property log4j2.formatMsgNoLookups or environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true for releases >= 2.10, or modifying the logging configuration to disable message look