Can Apache HTTP Server allow reverse shelling thanks to the new Log4j vulnerability?

Question

I have an Apache HTTP Server installed on a Centos 8 machine, I would like to know if it uses the Log4j library by virtue of the new vulnerability discovered that is compromising many servers on the web. If so, what would be the procedure to resolve? From my analysis I could see from the repository (svn.apache.org/repos/asf/httpd/httpd/) that the language used is C, XML so I imagine that it does not use Log4j for tracking the logs, but projects those relating to active modules. Thank you.

Answer 1

No, Apache httpd and Apache log4j have nothing in common other than being both published by the Apache foundation.

• Apache log4j is used by software written in Java.
• Apache httpd is NOT written in Java.
• Apache httpd does NOT use Apache log4j.
• Apache httpd is NOT subject to CVE-2021-44228.

Note that an Apache httpd instance could be used as a reverse proxy in front of an http server using Java and log4j, but that's like saying a router is vulnerable because there's a server somewhere behind it that is.

You could also have other software running on the box which uses log4j, but that would not be Apache httpd directly.

There's a lot of confusion around because many people call Apache httpd just Apache (for historical reasons), but Apache is the foundation which publishes Apache httpd and Apache log4j (and dozens of other projects).