December 21, 2021

Introduction

Over the last couple of weeks I have seen a lot of confusion around the Apache Log4j security threat. The confusion mainly revolved around Apache httpd, which I often hear people refer to as just Apache. I just wanted to write a helpful article to clear up some of the confusion I have encountered.

Apache

The Apache Software Foundation, often just called Apache, is a nonprofit corporation founded in 1999 that supports open-source projects. Most of the projects it supports have been donated to it. According to its site, it has over 350 Projects and Initiatives. One of the most popular programs it maintains is Apache httpd, also known as Apache HTTP Server. Some other projects it maintains that you have probably heard of are Airflow, Cordova, Hadoop, Spark, Kafka, and Logging Services (Log4j and other libraries).

These projects are maintained and provided mainly under the Apache License v2.

Apache HTTP Server

Apache HTTP Server, also known as httpd, is a cross-platform web server. It is part of the LAMP stack (Linux, Apache, MySQL, PHP), which is a common stack used in software development.

It is also used in a lot of open-source projects that need a web server due to it being so lightweight.

Apache httpd does not use Log4j, so it is not at risk from the Log4j vulnerability. However, applications that use httpd as their web server may also use Log4j. These applications may potentially be a security risk and should be patched.

Apache Log4j

Apache Log4j is an open-source Java library used for logging. There is also a version called log4cxx used for C++ and another version, Log4Net, used with the Microsoft .NET runtime. I spent some time reading on this subject and from what I can find, the only library in this group that has this particular vulnerability is Log4j.

Apache maintains sites for these different libraries where it lists known security issues. You can check out the Apache Log4j Security Vulnerabilities page to find more information on current and fixed issues.

Conclusion

The point of this article was simply to clarify some of the confusion I have run into around the Apache Log4j security vulnerability. Hopefully this post has given some clarification of what Apache is and the products that it supports.

I don't have a comments section yet, so feel free to send me feedback on this blog.


Kevin Williams

Kevin is a data engineer and is the Business Intelligence Practice Lead at Software Design Partners specializing in data warehousing. He is a father, an occasional gamer, and lover of many different types of music.


The opinions expressed on this site are my own and may not represent my employer's view.