Status update on log4j Vulnerabilities CVE-2021-44228, CVE-2021-45046, and CVE-2021-4104

On the 16th of December 2021, Pantheon concluded its subsequent audit and remediation of CVE-2021-44228 [1], CVE-2021-45046 [2], and CVE-2021-4104 [3] log4j vulnerabilities. We determined the disclosed vulnerabilities had no impact on our infrastructure or on our clients’ websites, and services.

If you have any questions, please contact Pantheon support through the Pantheon dashboard or by emailing helpdesk@pantheon.io.

[1] - https://nvd.nist.gov/vuln/detail/CVE-2021-44228
[2] - https://nvd.nist.gov/vuln/detail/CVE-2021-45046
[3] - https://nvd.nist.gov/vuln/detail/CVE-2021-4104

Since the public disclosure of CVE-2021-44228 [3] on the 9th of December 2021, subsequent log4j vulnerabilities have been disclosed. With regards to Pantheon’s prior log4j status update on Dec 13, 2021 - 13:58 PST, Pantheon has applied patches to Solr8 and an internal tool, logstash, to remediate vulnerabilities to CVE-2021-44228. Pantheon is investigating its platform configuration to determine whether it is impacted by subsequent log4j vulnerabilities identified in CVE-2021-45046 [1] and CVE-2021-4104 [2].

On the 14th of December 2021, both CVE-2021-45046 and CVE-2021-4104 were publicly disclosed. Pantheon began an audit of our infrastructure, as well as engaging with our software vendors, to determine potential impact.

We will provide an update on our status page by the end of the week on the results of our audit as findings emerge about our posture.

If you have any questions, please contact Pantheon support through the Pantheon dashboard or by emailing helpdesk@pantheon.io.


[1] - https://nvd.nist.gov/vuln/detail/CVE-2021-45046
[2] - https://nvd.nist.gov/vuln/detail/CVE-2021-4104
[3] - https://nvd.nist.gov/vuln/detail/CVE-2021-44228