I have an Apache HTTP Server installed on a Centos 8 machine, I would like to know if it uses the Log4j library by virtue of the new vulnerability discovered that is compromising many servers on the web. If so, what would be the procedure to resolve? From my analysis I could see from the repository (svn.apache.org/repos/asf/httpd/httpd/) that the language used is C, XML so I imagine that it does not use Log4j for tracking the logs, but projects those relating to active modules. Thank you.
No, Apache httpd
and Apache log4j
have nothing in common other than being both published by the Apache foundation.
Apache log4j
is used by software written in Java.Apache httpd
is NOT written in Java.Apache httpd
does NOT use Apache log4j.Apache httpd
is NOT subject to CVE-2021-44228.Note that an Apache httpd
instance could be used as a reverse proxy in front of an http server using Java and log4j, but that's like saying a router is vulnerable because there's a server somewhere behind it that is.
You could also have other software running on the box which uses log4j, but that would not be Apache httpd
directly.
There's a lot of confusion around because many people call Apache httpd
just Apache
(for historical reasons), but Apache
is the foundation which publishes Apache httpd
and Apache log4j
(and dozens of other projects).