The Apache Software Foundation Blog

The VP of Logging at the Apache Software Foundation recounts how the Log4Shell vulnerability (CVE-2021-44228) forced a comprehensive overhaul of the Log4j project, and how that work aligns with the EU Cyber Resilience Act (CRA). Key improvements include: rewriting documentation to surface security best practices and an explicit security model; migrating from manual builds to reproducible GitHub Actions CI with SLSA attestations; publishing CycloneDX SBOMs and developing automated VEX statements; establishing a structured vulnerability handling process including a bug bounty program; and modularizing Log4j 3 to reduce attack surface. The post also addresses the unsolved problem of maintainer sustainability, with only two active maintainers currently, and outlines community and funding initiatives to address it. The core message is that CRA compliance and a healthier open source project are the same goal.

Lessons from Log4Shell: Building a CRA-Ready Log4j

A Wake-Up Call for the Software Ecosystem

Documentation: from maintainer knowledge to public record

Release process: from manual to reproducible

Machine-readable metadata: SBOMs, VEX, and beyond

Vulnerability handling: from ad hoc to structured

Community sustainability: the hardest and unsolved problem