Statement from the Bluescape CISO Regarding the Log4j Vulnerability

To our customers:

As you may be aware, the Log4j zero-day vulnerability (NVD: CVE-2021-44228) first came to light on December 9, with warnings that it can allow unauthenticated remote code execution and access to servers.

Bluescape can confirm that we do not use the Log4j library in our code base, but as a matter of due diligence and precaution, we temporarily disabled customer analytics due to a potentially vulnerable open-source analytics library and successfully deployed a hotfix on Monday, December 13th.

Based on internal and external forensic analysis with our security partners, there are no indications of improper access or data compromise of any kind. That said, Bluescape will continue to monitor the aftermath of the Log4j vulnerability in order to stay on top of any alerts that we may receive from third parties that require action.

If you have any further questions, please feel free to contact Bluescape Security at: security@bluescape.com

Sincerely,

Mark Willis
CISO, Bluescape
