Apache Friends Support Forum

Hello Guys,

I need your assistance if possible. I'm a normal PHP developer. Today, I received a mail from our security team, and they shared a document about a vulnerability through Apache Log4j framework, and Apache has released a new version 2.15.0 as a fix, and server administrator should update Log4j to the latest version to avoid issues.

It was also mentioned that the previous versions of Log4j has the vulnerability of possible Remote Code Execution on the target server by attacker and taking control over the target server. Hearing all these details, makes me worried.

Honestly, it is first time for me to hear about Log4j, and I tried googling how to get current installed Log4j version, to confirm whether it is installed or not, but I couldn't find it.

My question, is Log4j included with XAMPP Apache server or no? How to confirm it is not installed? Or if it is installed, how to update it to the latest version 2.15.0?

Your support appreciated

Reference URL: https://logging.apache.org/log4j/2.x/

Thank you.

Hi,

log4j is a Java library.
Log4j is part of the Apache foundation, but Apache httpd is not written in Java so it does not include log7j.
AFAIK none of the XAMPP components are written in Java.

But if you does have a security team, shouldn't they be able to assist you with all of that stuff?

best wishes,
Altrea

Thank you for your reply. Well, the security team doesn't have the knowledge in dealing with web server or developing web applications.

One more question please, could any of the of the third libraries that I'm using has log4j dependencies. Mostly, I'm using:

* TCPDF
* PHPExcel
* PHP Mailer
* Hands On Table

I did file search for any Log4j* but didn't get any result. Also, my server doesn't have java installed on it. There are some .jar files in the XAMPP folder, but I repeat that java is not installed on the web server.

I executed java -version and it gave error that java is not recognized

Thanks