Apache Security Team Blog
-
Data Processing, Compliance Statements and SLA
-
AWS/OSTIF commission audit of three Apache Commons projects
No vulnerabilities were found; a number of security hardening improvements were identified and implemented.
-
xz/liblzma/libarchive compromise
At this time we have no reason to believe Apache projects are directly impacted by this compromise, also known as CVE-2024-3094.
-
Credits for finding security vulnerabilities
This post describes when and how we give credit to people who report security issues.
-
ASF Security Report: 2023
This report explores the state of security across all of The Apache Software Foundation (ASF) projects for the calendar year 2023. We review key metrics, specific vulnerabilities, and the most common ways users of ASF projects were affected by security issues.
-
Apache vulnerability severity rating system
We introduce a default severity rating system, based on the scales we have been using with some specific projects.
-
ASF Security Report: 2022
This report explores the state of security across all of The Apache Software Foundation (ASF) projects for the calendar year 2022. We review key metrics, specific vulnerabilities, and the most common ways users of ASF projects were affected by security issues.
-
CVE-2022-42889: interpolations that allow RCE disabled in Commons Text 1.10.0
Find out whether you should worry about CVE-2022-42889, which was recently published by the Apache Commons Text team.
-
Apache projects affected by log4j CVE-2021-44228
This entry is where we will collect links to statements provided by ASF projects on whether they are affected by CVE-2021-44228, the security issue in Log4j 2.