Apache itself is not written in Java and does not directly link the infamous Log4j library. It is particularilly safe from this vulnerability.
What else can go wrong, then?
- Not everything with Apache in its name and HTTP functions is exactly the Apache HTTPD server. Apache Tomcat, for example, is completely different HTTP web server. It is written in Java and can pretty much be configured to use Log4J. I am not really sure if it is at all possible to log otherwise in Tomcat.
Someone with less experience and knowledge is perfectly capable of mistaking those two. And, to my knowledge, Tomcat has in general better security track record than the "classical" Apache HTTPD.
(As per Bob's comment, the default logging facility in Tomcat is not Log4J.)
- Apache HTTPD is very much extensible. It can be configured to call other things in the background by variety of interfaces (e.g. in order to fetch dynamic web pages that are generated programatically). Some of these "things in the background" may be java-based and linked to the Log4J library.
Your mileage may vary, especially if you don't know in detail your software stack.
In order to be sure, you should first check if you have any Java machine installed. In your package manager, it's packages will be called JRE-something, JVM-something or maybe JAVA-something.
You may as well try:
java -version
in your shell.
If you don't have any of these and you didn't install JAVA outside of your package manager, you are safe.
Not safe in general, but at least safe against CVE-2021-44228.