Issue
On December 9, 2021, a vulnerability affecting services using the Apache Log4j library described in CVE-2021-44228 was disclosed to the public. On December 14, 2021, CVE-2021-45046 was disclosed, and was subsequently updated by Apache on December 16, 2021. Log4j is a logging library for Java that developers use to insert log statements into code for debugging purposes.
Resolution
Heroku is reported to not be affected by CVE-2021-44228 or CVE-2021-45046.
Please note that customers must also audit their own hosted library dependencies and maintain the security of their code. For more information, see the linked CVE reports and Apache’s Log4j2 update instructions.
To confirm whether your application contains Log4j2 dependencies, review your application via a one-off dyno by running the following command:
$ heroku run bash -a <application-name>
Once at the command prompt, run the following command to search for the presence of Log4j2 jar files:
$ find . -name "log4j*.jar"
As dependencies may be packed inside other jar files, use this command to search the contents of jar files:
$ find . -name '*.jar' -print | while read i; do jar -tvf "$i" | grep -Hsi 'log4j*.jar' && echo "$i"; done
Change -name '*.jar' to -name '*.war' if your application is packaged as a war file.
If this command is returning jar files between 2.0.x and 2.15.x, identify where this dependency is being pulled in, and upgrade to Log4j 2.16.
Based on currently available information, it is unlikely that your application is impacted if you do not use any Java/JVM components in your application.
To see more details of our response, please follow along with our Salesforce status post here. The full list of Salesforce products and their status regarding this issue is published here.