We are aware that the zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228) was made public on December 9, 2021. This exploit results in remote code execution (RCE).
Render does not use Log4j, and we have audited our codebase and dependencies to confirm that the Render platform is not affected by this vulnerability.
Render’s platform and all user services are behind Cloudflare’s WAF (Web Application Firewall). Cloudflare has addressed the CVE and their official communication is available here. Render has confirmed this and updated the firewall rules for all our users. While these protections will help mitigate the vulnerability, we strongly recommend upgrading your applications and dependencies as soon as possible.