diff --git a/CHANGES.md b/CHANGES.md
index e4ffa9da0e60cd310cfc70d71ec548df68f8c225..517a571a86c8181ddaa9607b0421b9262d84fdd2 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -7,7 +7,7 @@ Release Notes.
 
 #### Project
 
-* Upgrade log4j2 to 2.16.0 for CVE-2021-44228 and CVE-2021-45046. This CVE only effects on JDK if JDNI is opened in
+* Upgrade log4j2 to 2.17.0 for CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105. This CVE only effects on JDK if JNDI is opened in
 default. Notice, using JVM option `-Dlog4j2.formatMsgNoLookups=true` or setting the `LOG4J_FORMAT_MSG_NO_LOOKUPS=”true”`
 environment variable also avoids CVEs.
 
diff --git a/dist-material/release-docs/LICENSE b/dist-material/release-docs/LICENSE
index e228690f9821e8eba45200140bcb9cb740fdeff5..c9f241e289425b6b2b0c13bdc74a296706dc2faa 100755
--- a/dist-material/release-docs/LICENSE
+++ b/dist-material/release-docs/LICENSE
@@ -249,7 +249,7 @@ The text of each license is the standard Apache 2.0 license.
 Apache: commons-lang 3.6: https://github.com/apache/commons-lang, Apache 2.0
 Apache: commons-text 1.8: https://github.com/apache/commons-text, Apache 2.0
 Apache: commons-beanutils 1.9.4: https://github.com/apache/commons-beanutils, Apache 2.0
- Apache: log4j2 2.15.0: https://github.com/apache/logging-log4j2, Apache 2.0
+ Apache: log4j2 2.17.0: https://github.com/apache/logging-log4j2, Apache 2.0
 Apache: zookeeper 3.5.7: https://github.com/apache/zookeeper, Apache 2.0
 Apache: commons-collections 3.2.2: https://github.com/apache/commons-collections, Apache 2.0
 Apache: commons-configuration 1.8: https://github.com/apache/commons-configuration, Apache 2.0
diff --git a/oap-server-bom/pom.xml b/oap-server-bom/pom.xml
index bff30c8a6829af3a2a6de5df474fbbb9e9ae3020..a9067680478003c271f10655ca68e46b8e814ee6 100644
--- a/oap-server-bom/pom.xml
+++ b/oap-server-bom/pom.xml
@@ -29,7 +29,7 @@
 1.7.30
- 2.16.0
+ 2.17.0
 5.2.3
 8.0
 3.14.9
diff --git a/tools/dependencies/known-oap-backend-dependencies.txt b/tools/dependencies/known-oap-backend-dependencies.txt
index 8f9f32928f217b814cc4671c41cf45e5a6503c77..e74dbe1bbb5d8b22c88e4c9c3b38372392b79f75 100755
--- a/tools/dependencies/known-oap-backend-dependencies.txt
+++ b/tools/dependencies/known-oap-backend-dependencies.txt
@@ -93,10 +93,10 @@ kotlin-reflect-1.1.1.jar
 kotlin-stdlib-1.1.60.jar
 libthrift-0.14.1.jar
 listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
-log4j-api-2.16.0.jar
-log4j-core-2.16.0.jar
+log4j-api-2.17.0.jar
+log4j-core-2.17.0.jar
 log4j-over-slf4j-1.7.30.jar
-log4j-slf4j-impl-2.16.0.jar
+log4j-slf4j-impl-2.17.0.jar
 logging-interceptor-3.13.1.jar
 lz4-java-1.6.0.jar
 micrometer-core-1.7.6.jar