Google Cloud Security Advisory | Last updated January 7, 2022 at 5:30pm EST

Apache Log4j 2 Vulnerability

On this page, we provide the latest update of the potential impact of the open-source Apache “Log4j 2” vulnerability on Google Cloud products and services based on the findings of our ongoing investigation.  For the latest updates from the Google Cybersecurity Action Team on recommendations for investigating and responding to this vulnerability please visit our blog post

Google Cloud is actively following the security vulnerabilities in the open-source Apache “Log4j 2" utility (CVE-2021-44228 and CVE-2021-45046). We are also aware of the reported Apache “Log4j 1.x” vulnerability (CVE-2021-4104). We encourage you to update to the latest version of Log4j 2. We are currently assessing the potential impact of the vulnerability for Google Cloud products and services. This is an ongoing event and we will continue to provide updates through this page and our customer communications channels.  

Based on our findings, Google Workspace core services for consumer and paid users are not using Log4j 2 and are not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046. See below for a detailed status of the Workspace core services and other related products. 

We recommend Google customers review all third-party apps and solutions  accessing their data and validate the security status of those apps with their respective vendors. More details on managing apps authorized to access Google Workspace data are here and customers can review their list of solutions from the Google Cloud Marketplace by logging into their account. We also recommend validating the security status of any apps developed and deployed by customers within their environments.

Background: The Apache Log4j 2 utility is a commonly used component for logging requests. On December 9, 2021, a vulnerability was reported that could allow a system running Apache Log4j 2 version 2.15 or below to be compromised and allow an attacker to execute arbitrary code. 

On December 10, 2021, NIST published a critical Common Vulnerabilities and Exposure alert, CVE-2021-44228. More specifically, Java Naming Directory Interface (JNDI) features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from remote servers when message lookup substitution is enabled.

What should I do to protect myself? We strongly encourage customers who manage environments containing Log4j 2 to update to the latest version

Google Cloud product and service-specific information

Filter table by status (select one at a time):

Product Name Product Category Status Additional Information
AI Platform Data Labeling Vertex AI, AI Platform, and Accelerators Not Impacted December 21, 2021 Update: AI Platform Data Labeling does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
AI Platform Neural Architecture Search (NAS) Vertex AI, AI Platform, and Accelerators Not Impacted December 21, 2021 Update: AI Platform Neural Architecture Search (NAS) does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
AI Platform Training and Prediction Vertex AI, AI Platform, and Accelerators Not Impacted December 21, 2021 Update: AI Platform Training and Prediction does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Access Approval Identity & Access Not Impacted December 22, 2021 Update: Access Approval does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Access Context Manager Identity & Access Not Impacted December 22, 2021 Update: Access Context Manager does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Access Transparency Security Not Impacted December 21, 2021 Update: Access Transparency does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Actifio Mitigated, Customer Action Needed December 15, 2021 Update: Actifio has identified limited exposure to the Log4j 2 vulnerability and has released a hotfix to address this vulnerability. Visit https://now.actifio.com for the full statement and to obtain the hotfix (available to Actifio customers only). 
Anthos Hybrid and Multi-Cloud Not Impacted

December 21, 2021 Update: Anthos does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.

Customers may have introduced a separate logging solution that uses Log4j 2. We strongly encourage customers who manage Anthos environments to identify components dependent on Log4j 2 and update them to the latest version.

Anthos Config Management Hybrid and Multi-Cloud Not Impacted December 21, 2021 Update: Anthos Config Management does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Anthos Connect Hybrid and Multi-Cloud Not Impacted December 21, 2021 Update: Anthos Connect does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Anthos Hub Hybrid and Multi-Cloud Not Impacted December 21, 2021 Update: Anthos Hub does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Anthos Identity Service Hybrid and Multi-Cloud Not Impacted December 21, 2021 Update: Anthos Identity Service does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Anthos Premium Software Hybrid and Multi-Cloud Not Impacted December 21, 2021 Update: Anthos Premium Software does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Anthos Service Mesh Hybrid and Multi-Cloud Not Impacted December 21, 2021 Update: Anthos Service Mesh does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Anthos on VMware Service Infrastructure Not Impacted December 21, 2021 Update: Anthos on VMware does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046. We strongly encourage customers to check VMware recommendations documented in VMSA-2021-0028 and deploy fixes or workarounds to their VMware products as they become available. We also recommend customers review their respective applications and workloads affected by the same vulnerabilities and apply appropriate patches.
Apigee API Management Not Impacted

December 17, 2021 Update: Apigee installed Log4j 2 in its Apigee Edge VMs, but the software was not used and therefore the VMs were not impacted by the issues in CVE-2021-44228 and CVE-2021-45046. Apigee updated Log4j 2 to v.2.16 as an additional precaution. It is possible that customers may have introduced custom resources that are using vulnerable versions of Log4j. We strongly encourage customers who manage Apigee environments to identify components dependent on Log4j and update them to the latest version. Visit the Apigee Incident Report for more information.

December 11, 2021 Update: Apigee has conducted a detailed investigation and we believe that the Edge and OPDK products are not vulnerable to the Log4j 2 vulnerability. Visit the Apigee Incident Report for more information.

App Engine Compute Not Impacted

December 21, 2021 Update: App Engine does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.

Customers may have introduced a separate logging solution that uses Log4j 2. We strongly encourage customers who manage App Engine environments to identify components dependent on Log4j 2 and update them to the latest version.

AppSheet Mitigated, No Action Needed December 14, 2021 Update: The AppSheet core platform runs on non-JVM (non-Java) based runtimes. At this time, we have identified no impact to core AppSheet functionality. Additionally, we have patched one Java-based auxiliary service in our platform. We will continue to monitor for affected services and patch or remediate as required. If you have any questions or require assistance, contact AppSheet Support
Artifact Registry Developer Tools Not Impacted December 21, 2021 Update: Artifact Registry does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Assured Workloads Security Not Impacted December 21, 2021 Update: Assured Workloads does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
AutoML AI and Machine Learning Not Impacted December 21, 2021 Update: AutoML does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
AutoML Natural Language AI and Machine Learning Not Impacted December 21, 2021 Update: AutoML Natural Language does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
AutoML Tables AI and Machine Learning Not Impacted December 21, 2021 Update: AutoML Tables does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
AutoML Translation AI and Machine Learning Not Impacted December 21, 2021 Update: AutoML Translation does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
AutoML Video AI and Machine Learning Not Impacted December 21, 2021 Update: AutoML Video does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
AutoML Vision AI and Machine Learning Not Impacted December 21, 2021 Update: AutoML Vision does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
BeyondCorp Enterprise Identity & Access Not Impacted December 22, 2021 Update: BeyondCorp Enterprise does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
BigQuery Databases Not Impacted December 19, 2021 Update: BigQuery on Google Cloud does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
BigQuery Data Transfer Service Data Analytics, Migration Not Impacted December 20, 2021 Update: BigQuery Data Transfer Service does not use Log4j 2 and is not impacted by the issues in CVE-2021-44228 and CVE-2021-45046.
BigQuery Omni Databases In Progress December 19, 2021 Update: BigQuery Omni, which runs on AWS and Azure infrastructure, does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046. We continue to work with AWS and Azure to assess the situation.
Binary Authorization Security Not Impacted December 21, 2021 Update: Binary Authorization does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Certificate Authority Service Security Not Impacted December 23, 2021 Update: Certificate Authority Service does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Certificate Manager Security Not Impacted December 21, 2021 Update: Certificate Manager does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Chronicle Security Not Impacted December 20, 2021 Update: Chronicle on Google Cloud does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Cloud Asset Inventory Security Not Impacted December 21, 2021 Update: Cloud Asset Inventory does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Cloud Bigtable Databases Mitigated, No Action Needed December 19, 2021 Update: Cloud Bigtable has been updated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046. Customers do not need to take any actions.
Cloud Build Developer Tools Not Impacted

December 21, 2021 Update: Cloud Build does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.

Customers may have introduced a separate logging solution that uses Log4j 2. We strongly encourage customers who manage Cloud Build environments to identify components dependent on Log4j 2 and update them to the latest version.

Cloud CDN Networking Not Impacted December 20, 2021 Update: Cloud CDN does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Cloud Composer Data Analytics Not Impacted December 15, 2021 Update: Cloud Composer does not use Log4j 2 and is not impacted by the issues in CVE-2021-44228 and CVE-2021-45046. It is possible that customers may have imported or introduced other dependencies via DAGs, installed PyPI modules, plugins, or other services that are using vulnerable versions of Log4j 2. We strongly encourage customers, who manage Composer environments to identify components dependent on  Log4j 2 and update them to the latest version
Cloud Console App Management Tools Not Impacted December 21, 2021 Update: Cloud Console App does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Cloud DNS Networking Not Impacted December 20, 2021 Update: Cloud DNS does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Cloud Data Loss Prevention Security Not Impacted December 21, 2021 Update: Cloud Data Loss Prevention does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Cloud Debugger Operations Not Impacted December 21, 2021 Update: Cloud Debugger does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Cloud Deployment Manager Management Tools Not Impacted December 21, 2021 Update: Cloud Deployment Manager does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Cloud Endpoints API Management Not Impacted December 21, 2021 Update: Cloud Endpoints does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Cloud External Key Manager (EKM) Security Not Impacted December 21, 2021 Update: Cloud External Key Manager (EKM) does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Cloud Functions Serverless Computing Not Impacted

December 21, 2021 Update: Cloud Functions does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.

Customers may have introduced a separate logging solution that uses Log4j 2. We strongly encourage customers who manage Cloud Functions environments to identify components dependent on Log4j 2 and update them to the latest version.

Cloud HSM (Hardware Security Module) Security Not Impacted December 21, 2021 Update: Cloud HSM (Hardware Security Module) does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Cloud Healthcare Cloud AI, Healthcare and Life Sciences Mitigated, Customer Action Required

December 28, 2021 Update: Cloud Healthcare has been updated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046. 

Customers who need to take actions were sent notifications with instructions on December 23, 2021 with the subject line “Important information about three GitHub OSS Healthcare API subcomponents and the Log4j 2 vulnerabilities” and December 27, 2021 with the subject line “Important information about a GitHub OSS Healthcare API subcomponent and the Log4j 2 vulnerabilities.”

Cloud IDS (Intrusion Detection System) Networking Not Impacted December 20, 2021 Update: Cloud IDS (Intrusion Detection System) does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Cloud Identity Services Identity & Access Not Impacted December 22, 2021 Update: Cloud Identity Services does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Cloud Identity Services Google Workspace Not Impacted December 23, 2021 Update: Cloud Identity Services does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Cloud Interconnect Networking Not Impacted December 20, 2021 Update: Cloud Interconnect does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Cloud Key Management Service Security Not Impacted December 21, 2021 Update: Cloud Key Management Service does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Cloud Life Sciences (formerly Google Genomics) Data Analytics Not Impacted December 23, 2021 Update: Cloud Life Sciences (formerly Google Genomics) does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Cloud Load Balancing Networking Not Impacted December 20, 2021 Update: Cloud Load Balancing does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Cloud Logging Operations Not Impacted December 21, 2021 Update: Cloud Logging does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Cloud Monitoring Operations Mitigated, Customer Action Needed December 22, 2021 Update: Cloud Monitoring has been updated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046. Customers using the BindPlane metrics collector have been provided details and instructions in a notification sent between December 18, 2021 and December 20, 2021 with the subject line containing “Important information about BindPlane Metrics Collector.”
Cloud NAT (Network Address Translation) Networking Not Impacted December 20, 2021 Update: Cloud NAT (Network Address Translation) does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Cloud Natural Language API AI and Machine Learning Not Impacted December 21, 2021 Update: Cloud Natural Language API does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Cloud Profiler Operations Not Impacted December 21, 2021 Update: Cloud Profiler does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Cloud Router Networking Not Impacted December 20, 2021 Update: Cloud Router does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Cloud Run Serverless Computing Not Impacted

December 21, 2021 Update: Cloud Run does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.

Customers may have introduced a separate logging solution that uses Log4j 2. We strongly encourage customers who manage Cloud Run environments to identify components dependent on Log4j 2 and update them to the latest version.

Cloud Run for Anthos Serverless Computing Not Impacted

December 21, 2021 Update: Cloud Run for Anthos does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.

Customers may have introduced a separate logging solution that uses Log4j 2. We strongly encourage customers who manage Cloud Run for Anthos environments to identify components dependent on Log4j 2 and update them to the latest version.

Cloud SDK Developer Tools Mitigated, No Action Needed December 21, 2021 Update: Cloud SDK has been updated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046. Customers do not need to take any actions.
Cloud SQL Databases Not Impacted December 19, 2021 Update: Cloud SQL does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Cloud Scheduler Serverless Computing Not Impacted December 21, 2021 Update: Cloud Scheduler does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Cloud Shell Management Tools Not Impacted

December 21, 2021 Update: Cloud Shell does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.

Customers may have introduced a separate logging solution that uses Log4j 2. We strongly encourage customers who manage Cloud Shell environments to identify components dependent on Log4j 2 and update them to the latest version.

Cloud Source Repositories Developer Tools Not Impacted December 21, 2021 Update: Cloud Source Repositories does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Cloud Spanner Databases Not Impacted December 19, 2021 Update: Cloud Spanner does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Cloud Storage Storage Not Impacted December 20, 2021 Update: Cloud Storage does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Cloud Tasks Serverless Computing Not Impacted December 21, 2021 Update: Cloud Tasks does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Cloud Trace Operations Not Impacted December 21, 2021 Update: Cloud Trace does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Cloud Traffic Director Networking Not Impacted December 20, 2021 Update: Cloud Traffic Director does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Cloud Translation AI and Machine Learning Not Impacted December 21, 2021 Update: Cloud Translation does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Cloud VPN Networking Not Impacted December 20, 2021 Update: Cloud VPN does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Cloud Vision AI and Machine Learning Not Impacted December 21, 2021 Update: Cloud Vision does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Cloud Vision OCR On-Prem Google Cloud Platform Premium Software Not Impacted December 21, 2021 Update: Cloud Vision OCR On-Prem does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
CompilerWorks Data Analytics Not Impacted December 20, 2021 Update: CompilerWorks does not use Log4j 2 and is not impacted by the issues in CVE-2021-44228 and CVE-2021-45046.
Compute Engine Compute In Progress December 20, 2021 Update: Compute Engine does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046. For those using Google Cloud VMware Engine, we are working with VMware and tracking VMSA-2021-0028.1. We will deploy fixes to Google Cloud VMware Engine as they become available.
Config Connector Google Cloud Platform Software Not Impacted December 22, 2021 Update: Config Connector does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Contact Center AI (CCAI) AI and Machine Learning Not Impacted December 21, 2021 Update: Contact Center AI (CCAI) does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Contact Center AI Insights AI and Machine Learning Not Impacted December 21, 2021 Update: Contact Center AI Insights does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Container Registry Developer Tools Not Impacted December 21, 2021 Update: Container Registry does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Currents Google Workspace Not Impacted December 23, 2021 Update: Currents does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Data Catalog Data Analytics Mitigated, No Action Needed December 20, 2021 Update: Data Catalog has been updated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046. We strongly encourage customers who introduced their own connectors to identify dependencies on Log4j 2 and update them to the latest version.
Data Fusion Data Analytics Mitigated, Customer Action Needed December 20, 2021 Update: Data Fusion does not use Log4j 2, but uses Dataproc as one of the options to execute pipelines. Dataproc released new images on December 18, 2021 to address the vulnerability in CVE-2021-44228 and CVE-2021-45046. Customers must follow instructions in a notification sent on December 18, 2021 with the subject line “Important information about Data Fusion.”
Database Migration Service (DMS) Databases, Migration Not Impacted December 19, 2021 Update: DMS does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Dataflow Data Analytics Not Impacted December 17, 2021 Update: Dataflow does not use Log4j 2 and is not impacted by the issues in CVE-2021-44228 and CVE-2021-45046. If you have changed dependencies or default behavior, it is strongly recommended you verify there is no dependency on vulnerable versions Log4j 2. Customers have been provided details and instructions in a notification sent on December 17, 2021 with the subject line “Update #1 to Important information about Dataflow.”
Datalab Data Analytics Not Impacted December 22, 2021 Update: Datalab does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Dataproc Data Analytics Mitigated, Customer Action Needed

December 20, 2021 Update: Dataproc released new images on December 18, 2021 to address the vulnerabilities in CVE-2021-44228 and CVE-2021-45046. Customers must follow the instructions in notifications sent on December 18, 2021 with the subject line “Important information about Dataproc” with Dataproc documentation.

December 17, 2021 Update: Dataproc released new images on December 16, 2021 to address the vulnerabilities in CVE-2021-44228 and CVE-2021-45046. Customers must follow Dataproc documentation to take advantage of the mitigation.

December 15, 2021 Update: Dataproc released new images on December 12, 2021 to address the vulnerability in CVE-2021-44228. Customers must follow Dataproc documentation to take advantage of the mitigation.

Dataproc Metastore Data Analytics Mitigated, Customer Action Needed

December 20, 2021 Update: Dataproc Metastore has been updated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046. 

Customers who need to take actions were sent two notifications with instructions on December 17, 2021 with the subject line “Important information regarding Log4j 2 vulnerability in your gRPC-enabled Dataproc Metastore.”

Datastore Databases Not Impacted December 19, 2021 Update: Datastore does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Datastream Databases Not Impacted December 19, 2021 Update: Datastream does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Deep Learning Containers Vertex AI, AI Platform, and Accelerators Mitigated, Customer Action Needed

December 28, 2021 Update: Deep Learning Containers has been updated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046. 

Customers who need to take actions were sent notifications with instructions on December 23, 2021 with the subject line “Important information about Deep Learning.

Deep Learning VMs Vertex AI, AI Platform, and Accelerators Mitigated, Customer Action Needed

December 24, 2021 Update: Deep Learning VMs has been updated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046. 

Customers who need to take actions were sent notifications with instructions on December 22, 2021 with the subject line “Important information about Deep Learning VM and the Log4j 2 vulnerabilities.

Dialogflow Customer Experience Edition (CX) AI and Machine Learning Not Impacted December 21, 2021 Update: Dialogflow Customer Experience Edition (CX) does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Dialogflow Essentials (ES) AI and Machine Learning Not Impacted December 21, 2021 Update: Dialogflow Essentials (ES) does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Directions API Google Maps Platform Not Impacted January 7, 2022 Update: Directions API does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Distance Matrix API Google Maps Platform Not Impacted January 7, 2022 Update: Distance Matrix API does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Document AI AI and Machine Learning Not Impacted December 21, 2021 Update: Document AI does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Event Threat Detection Security Not Impacted December 21, 2021 Update: Event Threat Detection does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Eventarc Serverless Computing Not Impacted December 21, 2021 Update: Eventarc does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Filestore Storage Not Impacted December 21, 2021 Update: Log4j 2 is contained within the Filestore service; there is a technical control in place that mitigates the vulnerabilities in CVE-2021-44228 and CVE-2021-45046. Log4j 2 will be updated to the latest version as part of the scheduled rollout in January 2022.
Firebase Databases, Developer Tools Not Impacted December 21, 2021 Update: Firebase does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Firestore Databases Not Impacted December 19, 2021 Update: Firestore does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Game Servers Media and Gaming Not Impacted December 21, 2021 Update: Game Servers does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Gaming Services Google Maps Platform Not Impacted January 7, 2022 Update: Gaming Services does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Geocoding API Google Maps Platform Not Impacted January 7, 2022 Update: Geocoding API does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Geolocation API Google Maps Platform Not Impacted January 7, 2022 Update: Geolocation API does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Gmail Google Workspace Not Impacted December 23, 2021 Update: Gmail does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Google Calendar Google Workspace Not Impacted December 23, 2021 Update: Google Calendar does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Google Chat Google Workspace Not Impacted December 23, 2021 Update: Google Chat does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Google Cloud Armor Networking Not Impacted December 20, 2021 Update: Google Cloud Armor does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Google Cloud Armor Managed Protection Plus Networking Not Impacted December 20, 2021 Update: Google Cloud Armor Managed Protection Plus does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Google Cloud Directory Sync (GCDS) Google Workspace Related Products Not Impacted

December 30, 2021 Update: Versions 4.4.19 and higher of Google Cloud Directory Sync (GCDS) do not use Log4j 2 and are not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.

December 23, 2021 Update: The current version of Google Cloud Directory Sync (GCDS) does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.

Google Cloud Identity-Aware Proxy Identity & Access Not Impacted December 22, 2021 Update: Google Cloud Identity-Aware Proxy does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Google Cloud Search Google Workspace Not Impacted December 23, 2021 Update: Google Cloud Search does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Google Cloud Threat Intelligence for Chronicle Security Not Impacted December 23, 2021 Update: Google Cloud Threat Intelligence for Chronicle does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Google Cloud VMware Engine Compute In Progress December 11, 2021 Update: We are working with VMware and tracking VMSA-2021-0028.1. We will deploy fixes as they become available.
Google Contacts Google Workspace Not Impacted December 23, 2021 Update: Google Contacts does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Google Docs Google Workspace Not Impacted December 23, 2021 Update: Google Docs does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Google Drive Google Workspace Not Impacted December 23, 2021 Update: Google Drive does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Google Forms Google Workspace Not Impacted December 23, 2021 Update: Google Forms does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Google Groups for Business Google Workspace Not Impacted December 23, 2021 Update: Google Groups for Business does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Google Hangouts Google Workspace Not Impacted December 23, 2021 Update: Google Hangouts does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Google Jamboard Google Workspace Not Impacted December 23, 2021 Update: Google Jamboard does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Google Keep Google Workspace Not Impacted December 23, 2021 Update: Google Keep does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Google Kubernetes Engine Compute Not Impacted

December 21, 2021 Update: Google Kubernetes Engine does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.

Customers may have introduced a separate logging solution that uses Log4j 2. We strongly encourage customers who manage Google Kubernetes Engine environments to identify components dependent on Log4j 2 and update them to the latest version.

Google Meet Google Workspace Not Impacted December 23, 2021 Update: Google Meet does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Google Sheets Google Workspace Not Impacted December 23, 2021 Update: Google Sheets does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Google Sites Google Workspace Not Impacted December 23, 2021 Update: Google Sites does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Google Slides Google Workspace Not Impacted December 23, 2021 Update: Google Slides does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Google Tasks Google Workspace Not Impacted December 23, 2021 Update: Google Tasks does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Google Vault Google Workspace Not Impacted December 23, 2021 Update: Google Vault does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Google Voice Google Workspace Not Impacted December 23, 2021 Update: Google Voice does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Google Workspace Assured Controls Google Workspace Not Impacted December 23, 2021 Update: Google Workspace Assured Controls does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Healthcare Data Engine (HDE) Healthcare and Life Sciences Not Impacted December 21, 2021 Update: Healthcare Data Engine (HDE) does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Human-in-the-Loop AI AI and Machine Learning Not Impacted December 21, 2021 Update: Human-in-the-Loop AI does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Identity & Access Management (IAM) Identity & Access Not Impacted December 22, 2021 Update: Identity & Access Management (IAM) does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Identity Platform Management Tools Not Impacted December 22, 2021 Update: Identity Platform does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
IoT Core Internet of Things (IoT) Not Impacted December 21, 2021 Update: IoT Core does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Key Access Justifications (KAJ) Security Not Impacted December 21, 2021 Update: Key Access Justifications (KAJ) does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Kf Google Cloud Platform Software Not Impacted

December 22, 2021 Update: Kf does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.

Customers may have introduced a separate logging solution that uses Log4j 2. We strongly encourage customers who manage Kf environments to identify components dependent on Log4j 2 and update them to the latest version.

Looker Data Analytics Mitigated, Customer Action Needed

December 30, 2021 Update:  For Looker-hosted instances, we have deployed updated third-party driver software that is not vulnerable to CVE-2021-44228 and CVE-2021-45046.

For Looker customers who self-manage their Looker instances, we have provided instructions, through their technical contacts, to download the latest published jars that contain updates to the third-party driver dependencies. Customers who have questions or require assistance, please visit Looker Support.

December 18, 2021 Update: Looker-hosted instances have been updated to a Looker version with Log4j  v2.16. Looker is currently working with third-party driver vendors to evaluate the impact of the Log4j vulnerability. As Looker does not enable logging for these drivers in Looker-hosted instances, no messages are logged. We conclude that the vulnerability is mitigated. We continue to actively work with the vendors to deploy a fix for these drivers.

Looker customers who self-manage their Looker instances have received instructions through their technical contacts on how to take the necessary steps to address the vulnerability. Looker customers who have questions or require assistance, please visit Looker Support.

Managed Service for Microsoft Active Directory (AD) Identity & Access Not Impacted December 22, 2021 Update: Managed Service for Microsoft Active Directory (AD) does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Maps Elevation API Google Maps Platform Not Impacted January 7, 2022 Update: Maps Elevation API does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Maps Embed API Google Maps Platform Not Impacted January 7, 2022 Update: Maps Embed API does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Maps JavaScript API Google Maps Platform Not Impacted January 7, 2022 Update: Maps JavaScript API does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Maps SDK for Android Google Maps Platform Not Impacted January 7, 2022 Update: Maps SDK for Android does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Maps SDK for iOS Google Maps Platform Not Impacted January 7, 2022 Update: Maps SDK for iOS does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Maps Static API Google Maps Platform Not Impacted January 7, 2022 Update: Maps Static API does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Maps URLs Google Maps Platform Not Impacted January 7, 2022 Update: Maps URLs does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Media Translation API AI and Machine Learning Not Impacted December 21, 2021 Update: Media Translation API does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Memorystore Databases Not Impacted December 19, 2021 Update: Memorystore does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Migrate for Anthos Google Cloud Platform Software Not Impacted December 21, 2021 Update: Migrate for Anthos does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Migrate for Compute Engine (M4CE) Compute, Migration Mitigated, Customer Action Needed

December 19, 2021 Update: M4CE has been updated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046. M4CE has been updated to version 4.11.9 to address the vulnerabilities. A notification was sent to customers on December 17, 2021 with subject line “Important information about CVE-2021-44228 and CVE-2021-45046” for M4CE V4.11 or below. If you are on M4CE v5.0 or above, no action is needed.

December 15, 2021 Update: M4CE has been updated to mitigate the issues identified in CVE-2021-44228. A fix for M4CE v4.11 (or below) has been provided in a notification sent to customers on December 13, 2021 with subject line “Important information about CVE-2021-44228” for M4CE V4.11 or below. If you are on M4CE v5.0 or above, no action is needed.

Network Connectivity Center Networking Not Impacted December 20, 2021 Update: Network Connectivity Center does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Network Intelligence Center Networking Not Impacted December 20, 2021 Update: Network Intelligence Center does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Network Service Tiers Networking Not Impacted December 20, 2021 Update: Network Service Tiers does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Notebooks Vertex AI, AI Platform, and Accelerators Mitigated, Customer Action Needed

December 24, 2021 Update: Notebooks has been updated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046. 

Customers who need to take actions were sent notifications with instructions on December 22, 2021 with the subject line “Important information about Vertex AI Workbench and the Log4j 2 vulnerabilities.

On-demand Rides & Deliveries solution Google Maps Platform Not Impacted January 7, 2022 Update: On-demand Rides & Deliveries solution does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Persistent Disk Storage Not Impacted December 20, 2021 Update: Persistent Disk does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Places API Google Maps Platform Not Impacted January 7, 2022 Update: Places API does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Places Library, Maps JavaScript API Google Maps Platform Not Impacted January 7, 2022 Update: Places Library, Maps JavaScript API does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Places SDK for Android Google Maps Platform Not Impacted January 7, 2022 Update: Places SDK for Android does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Places SDK for iOS Google Maps Platform Not Impacted January 7, 2022 Update: Places SDK for iOS does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Policy Intelligence Identity & Access Not Impacted December 22, 2021 Update: Policy Intelligence does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Pub/Sub Data Analytics Not Impacted December 16, 2021 Update: Pub/Sub does not use Log4j 2 and is not impacted by the issues in CVE-2021-44228 and CVE-2021-45046.
Pub/Sub Lite Data Analytics Not Impacted December 16, 2021 Update: Pub/Sub Lite does not use Log4j 2 and is not impacted by the issues in CVE-2021-44228 and CVE-2021-45046. Customers may have introduced a separate logging solution that uses Log4j 2. We strongly encourage customers who manage Pub/Sub Lite environments to identify components dependent on Log4j 2 and update them to the latest version.
reCAPTCHA Enterprise Security Not Impacted December 21, 2021 Update: reCAPTCHA Enterprise does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Recommendations AI AI and Machine Learning Not Impacted December 21, 2021 Update: Recommendations AI does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Recommenders Management Tools Not Impacted December 22, 2021 Update: Recommenders does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Resource Manager API Identity & Access Not Impacted December 22, 2021 Update: Resource Manager API does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Retail Search Industry Solutions Not Impacted December 21, 2021 Update: Retail Search does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Risk Manager Security Not Impacted December 21, 2021 Update: Risk Manager does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Roads API Google Maps Platform Not Impacted January 7, 2022 Update: Roads API does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Secret Manager Security Not Impacted December 21, 2021 Update: Secret Manager does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Security Command Center Security Not Impacted December 21, 2021 Update: Security Command Center does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Service Directory Networking Not Impacted December 20, 2021 Update: Service Directory does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Service Infrastructure Management Tools Not Impacted December 21, 2021 Update: Service Infrastructure does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Speaker ID AI and Machine Learning Not Impacted December 21, 2021 Update: Speaker ID does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Speech-to-Text AI and Machine Learning Not Impacted December 21, 2021 Update: Speech-to-Text does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Speech-to-Text On-Prem Google Cloud Platform Premium Software Not Impacted December 21, 2021 Update: Speech-to-Text On-Prem does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Storage Transfer Service Storage, Migration Not Impacted December 20, 2021 Update: Storage Transfer Service does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Street View Static API Google Maps Platform Not Impacted January 7, 2022 Update: Street View Static API does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Talent Solution Industry Solutions Not Impacted December 21, 2021 Update: Talent Solution does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Text-to-Speech AI and Machine Learning Not Impacted December 21, 2021 Update: Text-to-Speech does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Time Zone API Google Maps Platform Not Impacted January 7, 2022 Update: Time Zone API does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Transcoder API Media and Gaming Not Impacted December 21, 2021 Update: Transcoder API does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Transfer Appliance Storage, Migration Not Impacted December 21, 2021 Update: Transfer Appliance does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
VPC Service Controls Security Not Impacted December 23, 2021 Update: VPC Service Controls does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Vertex AI Vertex AI, AI Platform, and Accelerators Not Impacted December 24, 2021 Update: Vertex AI does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Vertex AI Workbench Vertex AI, AI Platform, and Accelerators Mitigated, Customer Action Needed

December 24, 2021 Update: Vertex AI Workbench has been updated to mitigate the issues identified in CVE-2021-44228 and CVE-2021-45046. 

Customers who need to take actions were sent notifications with instructions on December 22, 2021 with the subject line “Important information about Vertex AI Workbench and the Log4j 2 vulnerabilities.

Video Intelligence API AI and Machine Learning Not Impacted December 21, 2021 Update: Video Intelligence API does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Virtual Private Cloud Networking Not Impacted December 20, 2021 Update: Virtual Private Cloud does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
VirusTotal Security Not Impacted December 23, 2021 Update: VirusTotal does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Web Risk API User Protection Services Not Impacted December 22, 2021 Update: Web Risk API does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Web Security Scanner Security Not Impacted December 21, 2021 Update: Web Security Scanner does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.
Workflows Serverless Computing Not Impacted December 21, 2021 Update: Workflows does not use Log4j 2 and is not impacted by the issues identified in CVE-2021-44228 and CVE-2021-45046.

Information on this page is based on findings in our ongoing investigations.