Information regarding CVE-2021-44228 Apache Log4j vulnerability
Incident Report for Platform.sh
Resolved
This incident has been resolved.
Posted Dec 22, 2021 - 15:10 UTC
Update
The upgrade that includes the fixed Log4j version 2.16 is ongoing. It’s important to note that Elasticsearch versions 5.x and prior won’t be included as they’re past EOL. While we’ll still allow versions 5.x and prior, they only receive protection in the form of disabling message lookups and complete removal of the exploitable class. We urge all users with these outdated versions to upgrade to more recent versions to improve protection.

For further information and ongoing updates, please see our blog post at: https://platform.sh/blog/2021/platformsh-protects-from-apache-log4j/
Posted Dec 16, 2021 - 18:20 UTC
Update
We’ve added protection for CVE-2021-45046 (Log4j DoS). This threat is less critical because we had already patched the RCE and removed the exploitable class from the installed classpath. We are now working to deploy the fully patched library from upstream, with the fixes built in, rather than relying on workarounds applied to vulnerable versions, and we are upgrading all affected services to Log4j 2.16.
Posted Dec 15, 2021 - 22:37 UTC
Update
We are continuing to monitor for any further issues.
Posted Dec 15, 2021 - 08:48 UTC
Update
We have mitigated the issue on Dedicated and Grid environments.
We are continuing to monitor for any further issues.
Posted Dec 14, 2021 - 14:53 UTC
Update
We are continuing to monitor for any further issues.
Posted Dec 14, 2021 - 03:50 UTC
Monitoring
A thorough investigation of our products and services has led us to believe our services are protected from the worst form of remote code execution. The threat of information disclosure is reduced because we aren’t sending application variables to these services. To further reduce that threat, these services are also receiving updates to disable the undesired behavior of Log4j. We’ve confirmed with our backend IaaS providers and with Fastly that they’ve either been unaffected or have mitigated any exposures.

If your project is running custom Java code in an app container, please immediately ask your developers to review your code for Log4j2 usage and update it to the latest 2.15 branch.

For further information, please see our blog post at: https://platform.sh/blog/2021/platformsh-protects-from-apache-log4j/
Posted Dec 13, 2021 - 23:03 UTC
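The updates above describe three states a Log4j 2 copy can be in (still exploitable, mitigated by removing the exploitable JndiLookup class, or upgraded to 2.16), and the Monitoring post asks app owners to review their own Java code for Log4j2 usage. The following scanner, added here as an example and not Platform.sh code, walks a directory of JAR/WAR/EAR files, recurses into nested archives such as Spring Boot fat JARs, and reports which state each log4j-core it finds is in. The sample archives it builds are constructed inline, and the JndiLookup entry in them is a placeholder byte string rather than a real class file. Its classification models only the 2.x mainline (2.15.0 fixes the RCE, 2.16.0 also covers CVE-2021-45046); the 2.12.x Java 7 backports are not special-cased.

```python
"""Find log4j-core inside JAR/WAR/EAR files (nested archives included) and
classify each copy as vulnerable, mitigated by JndiLookup removal, or fixed.
Added example, not Platform.sh code; sample archives below are constructed."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


@dataclass
class Finding:
    location: str           # outer path, nested entries joined with "!"
    version: Optional[str]  # from pom.properties, None if metadata is absent
    jndi_present: bool
    verdict: str


def parse_version(pom_properties: str) -> Optional[str]:
    """Pull the version= line out of Maven pom.properties."""
    for line in pom_properties.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def version_tuple(version: str) -> Tuple[int, int, int]:
    """Numeric prefix of each dotted component: '2.16.0-rc1' -> (2, 16, 0)."""
    nums = []
    for part in version.split(".")[:3]:
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    return tuple(nums + [0] * (3 - len(nums)))


def classify(version: Optional[str], jndi_present: bool) -> str:
    """Map (version, JndiLookup present?) to one verdict string.
    Simplification: 2.x mainline only, no 2.12.x Java 7 backports."""
    if version is None:
        if jndi_present:
            return "VULNERABLE: JndiLookup present without version metadata (shaded copy?)"
        return "no log4j-core found"
    v = version_tuple(version)
    if v[0] < 2:
        return "Log4j 1.x: not affected by CVE-2021-44228 (EOL line)"
    if v >= (2, 16, 0):
        return "fixed: 2.16.0+ addresses CVE-2021-44228 and CVE-2021-45046"
    if v >= (2, 15, 0):
        return "partial: 2.15.x fixes the RCE, CVE-2021-45046 remains; upgrade to 2.16"
    if jndi_present:
        return f"VULNERABLE: {version} with JndiLookup present (CVE-2021-44228)"
    return f"mitigated: {version} with JndiLookup removed; upgrade to 2.16 still advised"


def inspect_archive(zf: zipfile.ZipFile, location: str) -> List[Finding]:
    """Report log4j-core in this archive, then recurse into nested archives."""
    names = set(zf.namelist())
    findings = []
    if POM_PROPS in names or JNDI_CLASS in names:
        version = (parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
                   if POM_PROPS in names else None)
        jndi = JNDI_CLASS in names
        findings.append(Finding(location, version, jndi, classify(version, jndi)))
    for name in names:  # fat JARs, WAR/WEB-INF/lib, EARs
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    findings.extend(inspect_archive(inner, f"{location}!{name}"))
            except zipfile.BadZipFile:
                pass
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk a directory and inspect every archive in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fname)
                try:
                    with zipfile.ZipFile(path) as zf:
                        findings.extend(inspect_archive(zf, path))
                except zipfile.BadZipFile:
                    continue
    return findings


def build_log4j_core(version: str, with_jndi: bool) -> bytes:
    """Constructed stand-in for log4j-core: metadata plus an optional
    placeholder JndiLookup entry (four bytes, not a real class file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def demo() -> dict:
    """Scan four constructed archives; return {relative location: verdict}."""
    samples = {
        "vulnerable.jar": build_log4j_core("2.14.1", True),
        "class-removed.jar": build_log4j_core("2.14.1", False),
        "fixed.jar": build_log4j_core("2.16.0", True),  # class still ships in 2.16
    }
    fat = io.BytesIO()  # fat JAR nesting a vulnerable log4j-core
    with zipfile.ZipFile(fat, "w") as zf:
        zf.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", samples["vulnerable.jar"])
    samples["app-fat.jar"] = fat.getvalue()
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return {f.location[len(tmp) + 1:]: f.verdict for f in scan_tree(tmp)}


if __name__ == "__main__":
    for location, verdict in demo().items():
        print(f"{location}: {verdict}")
```

Point `scan_tree` at an application's deploy directory to get one line per log4j-core copy, including copies buried inside fat JARs, which a plain `find` for `log4j-core-*.jar` misses. A copy reported as "mitigated" matches the class-removal workaround the updates describe for the EOL Elasticsearch versions; anything reported as "VULNERABLE" or "partial" still needs the 2.16 upgrade.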
This incident affected: Australia (au.platform.sh), Australia East (au-2.platform.sh), Canada (ca-1.platform.sh), Europe (France) (fr-1.platform.sh), Europe (France 3) (fr-3.platform.sh), Europe (France 4) (fr-4.platform.sh), Europe (Germany) (de-2.platform.sh), Europe (West) (eu.platform.sh), Europe (West 2) (eu-2.platform.sh), Europe (West 4) (eu-4.platform.sh), Europe (North 1) (eu-5.platform.sh), United Kingdom (uk-1.platform.sh), USA (East) (us.platform.sh), USA-2 (East 2) (us-2.platform.sh), USA-3 (West 2) (us-3.platform.sh), USA-4 (East 1) (us-4.platform.sh), and Dedicated Enterprise.