DigitalOcean’s response to the Log4j security vulnerability

Posted 2021-12-13  in Trust & Security

DigitalOcean has been monitoring the Log4j vulnerability (CVE-2021-44228) and has been testing across all of our products to assess any potential exposure to or risk from this vulnerability. We strongly encourage you to review all of your projects and visit our Community FAQ for updated vulnerability guidance. Below is an update on our review, product by product, as the information becomes available:

Droplets

  • Droplets are not vulnerable to the Log4j security vulnerability. The Droplet team reviewed its tech stack, found one area of concern, and issued a patch to close it.
  • The Droplet team is continually monitoring the available vulnerability information for any updates to the details of the vulnerability.

Marketplace

  • Marketplace has reached out to all Marketplace Vendors to confirm they are aware of the vulnerability, and to understand if they have taken remediation action or were unaffected.
  • We have temporarily disabled new 1-Click App deployments for some vendors and will continue working with them to make sure the vulnerabilities are fixed before re-enabling those 1-Click App deployments.

Kubernetes

  • Kubernetes does not use Log4j. Therefore, no additional patches or mitigation activity is required at this time.
  • The Kubernetes team is continually monitoring the available vulnerability information for any updates to the details of the vulnerability.

App Platform

  • App Platform does not use Log4j. However, we recognize that customers may run vulnerable applications. We encourage you to review the applications you run for potential impact from this vulnerability.
  • The App Platform team is continually monitoring the available vulnerability information for any updates to the details of the vulnerability.

Spaces

  • Spaces does not use Log4j. Therefore, no additional patches or mitigation activity is required at this time.
  • The Spaces team is continually monitoring the available vulnerability information for any updates to the details of the vulnerability.

Volumes

  • Volumes does not use Log4j. Therefore, no additional patches or mitigation activity is required at this time.
  • The Volumes team is continually monitoring the available vulnerability information for any updates to the details of the vulnerability.

Images (Snapshots, Backups, and Custom Images)

  • Our images stack includes Apache ZooKeeper. We have investigated our configuration and determined that its exposure to the Log4j vulnerability has been mitigated. We continue to watch upstream for patches and will upgrade as soon as they are available.
  • The Images team is continually monitoring the available vulnerability information for any updates to the details of the vulnerability.

Managed Databases

  • Managed Databases does not use Log4j. Therefore, no additional patches or mitigation activity is required at this time.
  • The Managed Databases team is continually monitoring the available vulnerability information for any updates to the details of the vulnerability.

Networking

  • Networking does not use a vulnerable version of Log4j. Therefore, no additional patches or mitigation activity is required at this time.
  • The Networking team is continually monitoring the available vulnerability information for any updates to the details of the vulnerability.