Log4j and Servd

Posted: 12th Dec 2021

The internet was recently hit with a new zero-day vulnerability impacting the log4j logging library for Java applications.

This vulnerability has not had any direct impact on the Servd platform, which does not use any Java-based components. We have therefore not had to take any action to mitigate this issue.

Great. So is that it?

Not quite - we've also checked with our underlying service providers to ensure they've taken appropriate action to prevent this vulnerability from impacting any Servd clients.

DigitalOcean

DO have confirmed that this vulnerability does not impact any of their as-provided services and no action has therefore been required.

Backblaze

Backblaze found that they may have been vulnerable to the log4j zero-day. They therefore responded by taking down their entire service for several hours whilst rolling out updates in order to ensure full mitigation. There was no specific evidence that their services had been exploited.

The Backblaze outage caused a minor disruption on the Servd platform as we were unable to upload database backups to their object-storage service as we normally would. We therefore replayed these backups when Backblaze came back online.

It also caused an interruption to a small number of projects which were using the svg() Twig function. This function copies the contents of an SVG file into the output HTML for the Twig template. If the SVG file is stored within a Craft asset volume, the file is downloaded from the asset storage volume to be read and output - no built-in caching! So if the remote asset volume goes down, the Twig template fails to render and the page throws a 500 error.

Pro Tip: Don't use the svg() Twig function for remotely stored assets without surrounding it with some well-considered caching.
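
One way to build the caching the tip above calls for, as an added example that is not Servd's or Craft's own code: keep a local copy of each SVG, never cache a failed or empty fetch, and serve the stale copy when the remote store is unreachable. The function name fetchSvgWithFallback(), the fetcher callables, the cache directory and the asset key are all hypothetical; in a real project the fetcher would wrap whatever reads the file from the asset volume.

```php
<?php
declare(strict_types=1);

// Added example. fetchSvgWithFallback() and the fetcher callables are
// hypothetical names; they are not Craft or Servd APIs.

/**
 * Return SVG markup for $key, preferring a fresh local copy, then the
 * remote store, then a stale local copy if the remote store is down.
 */
function fetchSvgWithFallback(string $key, callable $fetchRemote, string $cacheDir, int $ttl = 3600): string
{
    $file = $cacheDir . '/' . hash('sha256', $key) . '.svg';
    $haveCopy = is_file($file);

    // Fresh local copy: no remote call at all.
    if ($haveCopy && (time() - filemtime($file)) < $ttl) {
        return (string) file_get_contents($file);
    }

    try {
        $svg = $fetchRemote($key);
        // Never cache an empty or non-SVG body (for example an error page).
        if (!is_string($svg) || stripos($svg, '<svg') === false) {
            throw new RuntimeException('remote returned no SVG markup');
        }
        // Write to a temp file, then rename, so readers never see a partial file.
        $tmp = $file . '.' . bin2hex(random_bytes(4));
        file_put_contents($tmp, $svg);
        rename($tmp, $file);
        return $svg;
    } catch (Throwable $e) {
        error_log("svg fetch failed for {$key}: " . $e->getMessage());
        // Remote is down: a stale copy beats a 500; with no copy, render nothing.
        return $haveCopy ? (string) file_get_contents($file) : '';
    }
}

// Constructed demo: one healthy fetch, then a simulated storage outage.
// A TTL of 0 forces a remote attempt on every call.
$dir = sys_get_temp_dir() . '/svg-cache-demo';
is_dir($dir) || mkdir($dir, 0700, true);
$up = fn(string $k): string => '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>';
$down = function (string $k): string { throw new RuntimeException('storage unreachable'); };

echo fetchSvgWithFallback('icons/logo.svg', $up, $dir, 0), PHP_EOL;   // healthy fetch populates the cache
echo fetchSvgWithFallback('icons/logo.svg', $down, $dir, 0), PHP_EOL; // outage: falls back to the cached copy
```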