Pick a random person, and ask them these two questions:
Q1. Have you heard of Apache?
Q2. If so, can you name an Apache product?
We’re willing to wager that you will get one of two replies:
A1. No. A2. (Not applicable.)
A1. Yes. A2. Log4j.
Two weeks ago, however, we’d suggest that very few people had heard of Log4j, and even amongst those cognoscenti, few would have been particularly interested in it.
Until a cluster of potentially catastrophic bugs – originally implemented as features, on the grounds that less is never more – were revealed under the bug-brand Log4Shell, the Log4j programming library was merely one of those many components that got sucked into and used by thousands, perhaps even hundreds of thousands, of Java applications and utilities.
Log4j was just “part of the supply chain” that came bundled into more back-end servers and cloud-based services than anyone actually realised until now.