Trust & Security

DigitalOcean’s response to the Log4j security vulnerability

DigitalOcean

Posted: December 13, 20213 min read

DigitalOcean has been monitoring the Log4j vulnerability (CVE-2021-44228) and has been testing across all of our products to validate any potential exposure or risks of this vulnerability. We strongly encourage you to review all of your projects and visit our Community FAQ with updated vulnerability guidance. We wanted to provide you with an update on our review by product as the information is available:

Droplets

  • Droplets are not vulnerable to the Log4j security vulnerability. The Droplet team reviewed its tech stack, found one area of concern, and issued a patch to close the concern.
  • The Droplet team is continually monitoring the vulnerability information available for all updates to the details of the vulnerability.

Marketplace

  • Marketplace has reached out to all Marketplace Vendors to confirm they are aware of the vulnerability, and to understand if they have taken remediation action or were unaffected.
  • We have temporarily disabled new 1-Click App deployments for some vendors and will continue working with them to make sure the vulnerabilities are fixed prior to reenabling those 1-Click App deployments.

Kubernetes

  • Kubernetes does not use Log4j. Therefore, no additional patches or mitigation activity is required at this time.
  • The Kubernetes team is continually monitoring the vulnerability information available for all updates to the details of the vulnerability.

App Platform

  • App Platform does not use Log4j. However, we recognize that customers may run vulnerable applications. We encourage you to review the applications you run for potential impact information on this vulnerability.
  • The App Platform team is continually monitoring the vulnerability information available for all updates to the details of the vulnerability.

Spaces

  • Spaces does not use Log4j. Therefore, no additional patches or mitigation activity is required at this time.
  • The Spaces team is continually monitoring the vulnerability information available for all updates to the details of the vulnerability.

Volumes

  • Volumes does not use Log4j. Therefore, no additional patches or mitigation activity is required at this time.
  • The Volumes team is continually monitoring the vulnerability information available for all updates to the details of the vulnerability.

Images (Snapshots, Backups, and Custom Images)

  • Our images stack includes Apache Zookeeper. We have investigated our configuration and determined its vulnerability to Log4j has been mitigated. We continue to watch upstream for patches and will upgrade as soon as they are available.
  • The Images team is continually monitoring the vulnerability information available for all updates to the details of the vulnerability.

Managed Databases

  • Managed Databases does not use Log4j. Therefore, no additional patches or mitigation activity is required at this time.
  • The Managed Databases team is continually monitoring the vulnerability information available for all updates to the details of the vulnerability.

Networking

  • Networking does not use a vulnerable version of Log4j. Therefore, no additional patches or mitigation activity is required at this time.
  • The Networking team is continually monitoring the vulnerability information available for all updates to the details of the vulnerability.

Share

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!Sign up

Related Articles

Announcing the Public Launch of DigitalOcean’s Paid Bug Bounty Program
trust-security

Announcing the Public Launch of DigitalOcean’s Paid Bug Bounty Program

April 5, 20244 min read

Fine-Grained RBAC For GitHub Action Workflows With GitHub OIDC and HashiCorp Vault
trust-security

Fine-Grained RBAC For GitHub Action Workflows With GitHub OIDC and HashiCorp Vault

February 3, 202327 min read

Enabling Engineering Teams Through Developer-First Secrets Management
trust-security

Enabling Engineering Teams Through Developer-First Secrets Management

January 26, 20238 min read