Gatsby Statement on the Recent Log4j 2 Vulnerability

Mike Gualtieri
December 17th, 2021

Some of our customers have reached out to us asking whether Gatsby has been impacted by the recent critical-risk vulnerability in the popular Log4j 2 library. In short, no, we haven’t. Read on for more detail.

What happened?

On December 6, 2021 the Apache Foundation released an update to the popular Log4j 2 logging library that fixed a security vulnerability rated critical, scoring 10.0 on the CVSS scoring framework. The vulnerability in the JNDI logging extension could lead to Remote Command Execution and/or the leaking of sensitive server-side data. The vulnerability was quickly weaponized, and by December 10, 2021 it was being widely exploited across the internet.

Are Gatsby open source users or Gatsby Cloud customers affected?

No. Beginning Friday, December 10, 2021, as details emerged about impacted software suites, our Gatsby security team fully reviewed our infrastructure and application stack and did not find any affected systems or services that use the vulnerable Log4j 2 package. Our technology stack does not typically employ Java-based applications. A few of our vendor-supplied services are written on a Java technology stack, but these were found not to be affected by the recent Log4j 2 vulnerability.

If you have any further security questions, feel free to reach out to security@gatsbyjs.com for more information.

Have any questions or feedback about this article? Reach out to me on Twitter at: @mlgualtieri.

Written by Mike Gualtieri

Hacker, security researcher, entrepreneur. Purple Team. Avid gardener and ham radio operator. Known to make and break software. Loves reverse shells and hiking in the woods with my wife and kids.
