Log4j Vulnerability question?

I haven’t seen any mention of this yet. What’s our status re: log4j?

Is Ghost CMS vulnerable? (And if the Ghost-hosted platform isn’t, what about the self-hosted version on Ubuntu: does a locally hosted Ghost instance on Ubuntu use log4j in any way?)


Ghost source code does not have log4j as its dependency - it is not vulnerable. Same goes for Ghost(Pro) environment.

It’s impossible to tell what self-hosted environments are using as dependencies (for example, some sort of custom logger, etc.), so it’s up to them to do the due diligence.


Agreed. But assuming we stuck to the official Ghost install guide for Ubuntu, we should be safe, correct?

Yes, that sounds correct.