The vulnerability comes from Apache's Log4j, a globally popular open source library that helps software developers track changes in applications that they build.