On December 10th, a security vulnerability was reported in a widely used logging library, Log4j, which is used by Apache web servers and other Apache services. Details about this vulnerability can be found here and here. In short, we discovered that the vulnerability is easy for anyone to exploit and that attacks can be launched remotely. Due to the universal nature of Log4j, this situation was classified as a critical priority for our security team.
Within hours of reading about the vulnerability, we mobilized Bazaarvoice’s security and engineering teams to respond to the threat. First, a comprehensive assessment of all our products was performed to determine where this vulnerability may exist, and, once it was identified, teams swiftly applied the appropriate resolutions to address it.
In addition to this, we leveraged several of our security partnerships to assist with these efforts. This included deployment of firewall rules to identify and block traffic associated with the vulnerability, as well as signatures used by solutions to identify activity on hosts or cloud infrastructure which could be associated with an attack.
We’re continuing to reach out to partners who use Bazaarvoice products and services, so we can assess their response and determine if steps need to be taken to address potential risk.
At Bazaarvoice, we value the trust our clients place in us and we work hard every day to earn that trust. Rest assured that we will continue to closely monitor this situation and take the steps necessary to ensure the products and services we provide, and the data we are entrusted with, remain well secured.
As always, inquiries about this or any other security-related matters can be directed to security@bazaarvoice.com.
Thank you — the Bazaarvoice team.