Is Serverless vulnerable to Log4Shell?

My company would like to understand Serverless’s response to the Log4j vulnerability. Can you answer the following questions or point me to a statement that does?

  1. Were Serverless’s applications affected by Log4Shell? Was any infrastructure affected?
  2. What patching or mitigations have you implemented?
  3. Have you experienced any compromise of your systems or infrastructure?

Hi Isaac. Currently, Serverless does not use Java (and therefore Log4j) in any capacity in our own SaaS solutions such as Serverless Dashboard or Serverless Cloud. With regard to the Serverless Framework, we have made recent releases with updated versions of Log4j for the Java-based templates that may be used when creating new Java-based services.

Anyone deploying Java-based Serverless Framework services should naturally make sure that they update things as necessary in their own projects, an aspect we have no control over and that would depend on the individual developers and teams to correct themselves.