Craft CMS and Log4j

A severe, widespread vulnerability in the Java Log4j logging library has prompted extensive audits of web infrastructure that may include Craft CMS sites.

Craft CMS is a PHP application with no direct relationship to Java or Log4j.

So while Craft itself isn’t affected by the Log4j bug, you’ll still want to check with your hosting provider to be sure your infrastructure does not rely on any services that rely on Log4j and integrate with Craft. You might use Elasticsearch, for example, to collect and parse application and server logs—and that may use Log4j and be worth auditing.

Applies to Craft CMS 3.