Apache Log4j is a widely used Java logging library. However, in December 2021, it became the hot spot of a significant security issue, CVE-2021-44228, later known as Log4Shell. This bug led to a series of releases aimed at resolving Log4Shell and plagued many organizations with the question: Do we have Log4j on our technology stack?
At the Apache Logging Services project, we are committed to security and are fortunate to have a dedicated security team supporting all projects within the Apache Software Foundation. Thanks to the work of all these volunteers, the crisis was averted within 17 days with the 2.17.1 release.
Despite this, we identified areas for improvement that slowed down our response to the bug report. In this talk, I will present the measures taken by our project to transform Log4j from being synonymous with open-source security concerns to an ASF leader in delivery automation, transparency, and software supply chain security.