An official website of the United States government

log4j customer responsibility: Restage Java and PHP applications to mitigate the log4shell exploit

December 14, 2021

Overview

Late last week, a serious new vulnerability referred to as “log4shell” was disclosed that targets vulnerable versions of the popular log4j logging utility.

In response, the cloud.gov team has – since last Friday – applied a series of mitigations and updates to the platform, as described in our most recent statuspage updates. These actions have secured our platform and afforded some protection to our customers without any need for customer intervention.

Today the Cloud Foundry community released patched versions of both the Java and PHP buildpacks, which are vulnerable to this new exploit (with some caveats relating to the PHP buildpack discussed below). Upon their release, the cloud.gov team worked to make these new buildpacks available to customers immediately.

Customer action required

Customers now need to take additional steps to further mitigate this vulnerability, and are advised to immediately restage their applications to pick up these new buildpack changes. The new buildpack versions are:

Application owners can restage their applications by following the directions in the Cloud Foundry documentation. After restaging, you can verify which buildpack version your application is using by inspecting the app details with cf app {application-name}.
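The restage-and-verify steps above, scripted for a whole space, as an added shell example that is not cloud.gov's or Cloud Foundry's own tooling. It assumes a logged-in, targeted cf CLI, that cf apps lists app names in the first column under a "name" header, and that cf app NAME prints a line containing "buildpack" that names the buildpack in use (the exact layout differs between cf CLI versions, so the matching is kept lenient).

```shell
#!/bin/sh
# Added example, not cloud.gov or Cloud Foundry code: restage every Java/PHP
# app in the targeted org/space, then show the buildpack each one runs on.
set -eu

# App names are the first column after the "name" header row of `cf apps`
# (assumption about the CLI output layout; header line itself is skipped).
parse_app_names() {
  printf '%s\n' "$1" | awk 'f && NF { print $1 } /^name[[:space:]]/ { f = 1 }'
}

list_apps() {
  parse_app_names "$(cf apps)"
}

# Return 0 when the given `cf app` output shows a Java or PHP buildpack.
# Only lines mentioning "buildpack" are examined, so a "java" route name
# elsewhere in the output does not cause a false match.
uses_java_or_php_buildpack() {
  printf '%s\n' "$1" | grep -i 'buildpack' | grep -iqE 'java|php'
}

# Extract the buildpack line(s) from `cf app` output for the post-restage report.
buildpack_lines() {
  printf '%s\n' "$1" | grep -i 'buildpack' || true
}

restage_affected_apps() {
  for app in $(list_apps); do
    details=$(cf app "$app")
    if uses_java_or_php_buildpack "$details"; then
      echo "== $app: Java/PHP buildpack detected, restaging to pick up the patched buildpack"
      cf restage "$app"
      echo "== $app: buildpack after restage"
      buildpack_lines "$(cf app "$app")"
    else
      echo "== $app: not on a Java/PHP buildpack, skipping"
    fi
  done
}

# Only touch a real foundation when explicitly asked: RESTAGE_NOW=1 sh restage.sh
if [ "${RESTAGE_NOW:-0}" = 1 ]; then
  restage_affected_apps
fi
```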

Applicability to the PHP Buildpack

A component of the PHP buildpack, AppDynamics, was determined to be vulnerable to the log4shell exploit, and that specific dependency was updated in the new buildpack release. However, AppDynamics usage in the PHP buildpack is enabled through an extension that is only used if an AppDynamics service is present. There is no AppDynamics service natively available on cloud.gov, so it is unlikely that any PHP applications are at risk from this exploit unless a user supplied their own AppDynamics service via a user-provided service.

Additional information

In addition, CISA has released official guidance on this exploit, which you can review here.

Customers with additional questions or experiencing issues can reach out to support at support@cloud.gov.

cloud.gov

An official website of the U.S. General Services Administration
