---
title: "Cloudsmith Not Impacted By CVE-2021-44228 (log4shell/Log4j | Cloudsmith"
description: "Following a security audit, we confirm that CVE-2021-44228 does not impact the Cloudsmith service."
canonical_url: "https://cloudsmith.com/blog/cloudsmith-not-impacted-by-cve-2021-44228-log4shell-log4j"
last_updated: "2021-12-14T13:55:00.000Z"
---
# Cloudsmith Not Impacted By CVE-2021-44228 (log4shell/Log4j | Cloudsmith

## **Updates**

- ****2021-12-22: ****Moved mitigation advice to the [All About Log4j/Log4Shell](/blog/cloudsmith-not-impacted-by-cve-2021-44228-log4shell-log4j) article.
- ****2021-12-20: ****Suggested log4j `2.17.0` instead due to a DoS exploit in `2.16.0`.
- ****2021-12-15: ****Suggested log4j `2.16.0` instead due to a DoS exploit in `2.15.0`.

## **Background**

The `log4j` library, part of the [Apache Software Foundation](https://en.wikipedia.org/wiki/Apache_Software_Foundation) (ASF), is a general and commonly utilized logging framework for _Java_. The framework allows developers to log data (incl. user-based) in their applications.

On 10th December 2021, a ****_critical severity_**** Remote Code Execution (RCE) exploit disclosure for `log4j` was published, as [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228), affecting versions below `2.15.0`. The vulnerability has been coined as [Log4Shell](https://en.wikipedia.org/wiki/Log4Shell).

As reported to Apache by Alibaba on 24th November 2021, the exploit has been characterized as one of the most impactful last decade. Apache assigned the exploit a [CVSS](https://en.wikipedia.org/wiki/Common_Vulnerability_Scoring_System) rating of 10, the highest available score.

Applications that utilize the `log4j` library, where bad/malicious actors can influence what is sent to logging, can be exploited with well-crafted strings that cause arbitrary (user-provided) code to be executed on the server.

## **Is Cloudsmith impacted?**

In short: ****No****. We confirm that CVE-2021-44228 does not impact the Cloudsmith service following a security audit. As per our last announcement regarding [ISO27001 certification](https://cloudsmith.com/resources/blog/cloudsmith-iso-27001-certified), we're highly committed to security and privacy, and we'll do everything we can to assist with ensuring that our customers, and your customers, remain secure too.

## **Should I be concerned?**

Although Cloudsmith is not impacted, the exploit is exceptionally high impact and highly commonly used, so developers and users of affected software should take it utmost seriously. ****Immediate action**** is required to identify and mitigate the software and environments impacted.

## **How can I mitigate the issue?**

****Updated: ****Please refer to our [in-depth blog article on the issue](/blog/all-about-log4shell-mitigation-cve-2021-44228), in which we provide the background, impact, identification and remediation (mitigation) advice for `log4j` / `log4shell`.

## **Next Steps**

We'll be following this announcement with additional assistance and advice that we can provide to help users identify affected packages hosted and distributed from Cloudsmith. (released now, see above.)

If you have any questions about the exploit, need any additional help with identification or mitigation, or have any general concerns, please don't hesitate to get in touch with us.

The exploit is a bad one, so ****#hugops**** to everyone. We're here for you, so lean on us if you need to!

## **Learn More**

Please visit the following resources to learn more about [Log4Shell](https://en.wikipedia.org/wiki/Log4Shell):

- [https://nvd.nist.gov/vuln/detail/CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228)
- [https://logging.apache.org/log4j/2.x/security.html](https://logging.apache.org/log4j/2.x/security.html)
- [https://www.ncsc.gov.uk/news/apache-log4j-vulnerability](https://www.ncsc.gov.uk/news/apache-log4j-vulnerability)
- [https://arstechnica.com/information-technology/2021/12/the-log4shell-zeroday-4-days-on-what-is-it-and-how-bad-is-it-really/](https://arstechnica.com/information-technology/2021/12/the-log4shell-zeroday-4-days-on-what-is-it-and-how-bad-is-it-really/)
