If you specifically need the legacy org.apache.log4j package for a legacy application, it is available in the Apache Archive . Version 1.2.17.
Available as binary and source distributions on the Log4j 2.x Download Page.
Multiple high-severity issues, including SQL injection ( CVE-2022-23305 ) and RCE via JMSAppender ( CVE-2021-4104 ), will not be fixed by Apache. org.apache.log4j download
Finding the correct depends on whether you are looking for the legacy 1.x version or the modern, secure 2.x/3.x releases. While many legacy systems still rely on the original org.apache.log4j namespace, the Apache Software Foundation officially declared Log4j 1.x as End-of-Life (EOL) in August 2015. Where to Download Apache Log4j
If your application cannot yet fully migrate to Log4j 2.x but requires security patches for the 1.x API: Download :: Apache Log4j If you specifically need the legacy org
Downloading and using Log4j 1.x (the org.apache.log4j package) poses significant risks because it is .
Log4j 1.2 is known to have issues with Java 9 and newer versions. Alternatives for Legacy Users Where to Download Apache Log4j If your application
Legacy projects can still find it at Maven Central . Critical Security Warnings for Log4j 1.x