TL;DR: Betty Blocks uses two components that rely on Log4j. Neither component is vulnerable.
On the 10th of December, Betty Blocks was notified about CVE-2021-44228 by various sources. On the same day we assessed which components in the Betty Blocks platform stack were affected by this vulnerability.
The only Java components in the Betty Blocks platform stack are FusionAuth and Elasticsearch, which are not vulnerable, as stated in this blog post: https://fusionauth.io/blog/2021/12/10/log4j-fusionauth/.
We immediately set up a number of monitoring rules to gain insight into the potential for abuse. To date, although various sources have tried to exploit CVE-2021-44228 - and the later reported CVE-2021-45046 - there has been no sign of success.
The Betty Blocks operations team, in cooperation with our information security staff, is closely monitoring the developments around the two reported vulnerabilities and will decide - if more information becomes available - whether additional mitigation measures need to be put in place.
Due to the high number of inquiries we receive about these vulnerabilities, our operations and security staff is not able to respond to every request individually.
On behalf of the Betty Blocks Operations staff,
On behalf of the Betty Blocks Security staff,
Jeroen Bulters
CISO