CVE-2021-44228 is a really bad one. Are our Bubble apps vulnerable? Is there anything we should do to mitigate, like provisioning a Web Application Firewall in front of our Bubble apps?
4 Likes
I am very interested in this as well. What is Bubble doing about it? Who is in charge of security at Bubble. Can we get their opinion on this and your action plan pls and ty?
2 Likes
Hey,
I don’t know a thing about this topic.
Can someone explain what is this?
Thanks in advance 
1 Like
We don’t use log4j for our logging so we don’t believe we are affected, and bubble apps are almost certainly not affected. Will update if we learn anything further but we don’t expect any impact
12 Likes
Cloudlare apps utilizing log4j already have an optional patch.
https://blog.cloudflare.com/cve-2021-44228-log4j-rce-0-day-mitigation/
1 Like
Is that double negative intentional? 
2 Likes
unintentional, and fixed! sorry, was typing on my phone…
3 Likes
Hey Josh…thanks for responding about the log4j issue.
I am under a lot of pressure regarding another security issue with Bubble. If I don’t find a solution, we might be forced to bail on 4 months of development on the Bubble platform. It is regarding your “Run As” feature. My understanding is that anyone from your team can run as any user, including my customers. To compound this, I understand there is no log of when someone “Run As” another user. I am failing my security audit because of this and don’t have any solution. Other multi-tenant platforms have addressed this issue by giving the User, or App Developer, the control of who has access. For example, Salesforce has a “Grant Access” feature. This enables the user to grant access to their company sysadmin or to Salesforce support for a limited time period (2 or 24 hours). Another solution might be to give the option to deactivate “Run As” at the app level. Can you comment on this please. Seems like a major privacy gap that can be easily fixed. Am I missing something here. Thanks
3 Likes
Excellent, thank you for addressing it. Checking this one off my list. It’s a busy morning checking all the infrastructure and figuring out what needs to be patched.
I’d reach out to Bubble about it directly at Contact | Bubble since the forums aren’t monitored 24/7.
1 Like
I am new to bubble and just putting together a brief to have Zeroqode quote to develop in bubble, is this correct? @josh
@johnny is correct that in general, the best way to get a question like this answered is to reach out directly – we do read the forum but not always at a thread-by-thread level. (Tagging @bubble on the forum will send a notification to our support team, and is more reliable than tagging an individual Bubble teammember)
@ianhayes2121 – we do currently log whenever a Bubble employee accesses a user application, and whenever the “run as…” feature is used (whether by a Bubble employee or app admin). Currently, these logs are internal and not exposed to users, but we can audit them in the event of a security incident. We do plan on building out something along the lines of Salesforce’s “Grant Access” feature, but don’t yet have a timeline for releasing this.
5 Likes