I haven’t seen any mention of this yet. What’s our status re: log4j?
Is Ghost CMS vulnerable? (And if the Ghost-hosted platform isn’t, what about the self-hosted version on Ubuntu - does a locally hosted Ghost instance on Ubuntu use log4j in any way?)
Ghost source code does not have log4j as its dependency - it is not vulnerable. Same goes for the Ghost(Pro) environment.
It’s impossible to tell what self-hosted environments are using as dependencies (for example, some sort of custom logger, etc.), so it’s up to them to do the due diligence.