On December 9, 2021, we received intelligence of the Log4j2 vulnerability (CVE-2021-44228) and initiated investigations.
We identified a single service, an internal logging tool, that was using the vulnerable library and have applied a configuration patch to mitigate the risk on December 14, 2021.
No compromise has been observed in any of our environments. Multiple other protections are always in place to further mitigate risks such as these.
We continue to monitor and take prompt action on information provided by NCSC.