Following a thorough investigation we have been able to confirm that there has been no compromise to our systems as a result of the reported vulnerability. Our engineering team have identified and patched all instances on the impacted library within our infrastructure - this means we are no longer affected by CVE-2021-44228.

We are aware that a second vulnerability (CVE-2021-45046) was disclosed after it was found that some of the remediations to address CVE-2021-44228 were not complete in certain configurations. However we can confirm that we are not impacted by this vulnerability and the impacted Log4J version (2.15) is not in use at Pusher. 

To summarise: Pusher has implemented mitigations to ensure we are protected against both CVE-2021-44228 and CVE-2021-45046. We have confirmed there were no compromises caused by the vulnerabilities.

Update Jan 2022: 

We have also been made aware of CVE-2021-45105. We are able to report that Pusher is not impacted as we do not, and have not, used the impacted Log4J version.