[Resolved] Log4J CVE-2021-44228 Vulnerability

Incident Report for Pantheon Operations

Pantheon has verified that the platform is not vulnerable to the security issue in the open-source Apache “Log4j 2” logging library.

Log4j is a Java-based logging utility found in a large number of software products.

The CVE-2021-44228 [1] vulnerability (also known as “Log4Shell”) was disclosed by the Apache Log4j project. If exploited, it could allow a remote attacker to execute arbitrary code on the affected server.

Once this vulnerability was publicly disclosed on 9 December 2021, Pantheon began an audit of our infrastructure and engaged with our software vendors to determine the potential impact. While our exposure to the vulnerability has been minimal, we have directly remediated the affected components and verified that our existing defense-in-depth measures prevent the exploitation techniques that researchers have published.

If you have any questions, please contact Pantheon support through the Pantheon dashboard or by emailing helpdesk@pantheon.io.

[1] - https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Posted Dec 13, 2021 - 13:58 PST
This incident affected: Customer Sites.