Gatsby Statement on the Recent Log4j 2 Vulnerability

Some of our customers have reached out to us, asking if Gatsby has been impacted by the recent critical risk vulnerability in the popular Log4j 2 library.  In short, no we haven’t.  Read on for more detail.

What happened?

On December 6, 2021 the Apache Foundation released an update to the popular Log4j 2 logging library that fixed a critically rated security vulnerability, rated 10.0 on the CVSS scoring framework.  The vulnerability in the JNDI logging extension could lead to Remote Command Execution and/or the leaking of sensitive server-side data.  The vulnerability was quickly weaponized, and by December 10, 2021 was being widely exploited across the internet.

Are Gatsby open source users or Gatsby Cloud customers affected?

No.  Beginning Friday December 10, 2021 as details emerged about impacted software suites, our Gatsby security team swiftly reviewed our infrastructure and application stack fully and did not find any affected systems or services that use the vulnerable Log4j 2 package.  Our technology stack does not typically employ Java-based applications.  A few of our vendor-supplied services are written on a Java technology stack, but were found to not be affected by the recent Log4j 2 vulnerability.

If you have any further security questions, feel free to reach out to security@gatsbyjs.com for more information.

Have any questions or feedback about this article? Reach out to me on Twitter at: @mlgualtieri.