Last weekend, Google have come up with the Apache Log4j vulnerability i.e. Log4Shell on its products and services. On the blogpost, google defines any potential impact on Google products and services and is focused on protecting its users and customers by CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105.
Regarding Android Google says- Till today, there is no impact found in the Android Platform or Enterprise. So, there is no security update for android users or platforms but search giants do recommend every customer ensure that the latest security updates are applied to their devices.
Chrome OS and Chrome Browser: Both Chrome OS and browser's infrastructure and its devnet don't use Log4j vulnerability version.
Google Cloud: Google cloud seems to be affected by Log2Shell but in the different workspaces and specific conditions. Google has already published a dedicated advisory dedicated to updating customers on the status of GCP and Workspace products and services.
Google Marketing Platform with Google Ads- Regarding the Google marketing platform, the company says that is not using versions of Log4j affected by the vulnerability. Even for YouTube also, google mentioned video-sharing platform is not affected.
The Apache Log4j 2 utility is a commonly used component for logging requests. On December 9, 2021, a vulnerability was reported that could allow a system running Apache Log4j 2 version 2.15 or below to be compromised and allow an attacker to execute arbitrary code.
The code execution bug is been tracked as CVE-2021-44228 and the Apache team released a couple of security updates for the Log4j2 utility to fix the CVE-2021-45046 (which is another code execution bug, by bypassing CVE-2021-44228 fixes) and CVE-2021-45105 (is a DoS vulnerability).
More specifically, Java Naming Directory Interface (JNDI) features used in the configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from remote servers when message lookup substitution is enabled.