Alert: DocuSign update on Log4j2 vulnerability

[UPDATED: December 27, 2021] DocuSign has been actively working on assessing risk and treating affected assets since the vulnerability was initially disclosed on the morning of December 9.

As of December 27, DocuSign continues to observe no indicators of compromise in our environment from Log4j2. DocuSign has previously deployed and continues to enhance countermeasures consistent with recently published CISA guidance to provide layers of protection and increased situational awareness through regular monitoring and blocking of suspicious activity. As a federal contractor, we are also complying with Emergency Directive 22-02 released on December 17.

DocuSign has engaged critical suppliers for a comprehensive risk assessment and will work with them to confirm they have mitigations in place and are updating their software or services to remediate this issue. As this situation continues to evolve, we will implement additional remediation actions, or require them of suppliers, as appropriate.

As of December 27, DocuSign can confirm that the following services have been addressed and are not vulnerable to the Log4j2 issues listed below. This is an ongoing product security incident, and product status can change as more information becomes available.

PRODUCT STATUS
eSignature Product is affected by CVE-2021-44228 and CVE-2021-45046, scoped to a beta pre-release feature for a single customer, who had been previously informed. All configurations have been treated and are not vulnerable.
CLM Product is affected by CVE-2021-44228 and CVE-2021-45046. All configurations have been treated and are not vulnerable.
InSight Product is affected by CVE-2021-44228 and CVE-2021-45046. All configurations have been treated and are not vulnerable.
LiveOak Product is not affected by CVE-2021-44228 or CVE-2021-45046.
Rooms Product is affected by CVE-2021-44228 and CVE-2021-45046. All configurations have been treated and are not vulnerable.


DocuSign would like to re-emphasize the severity of the Log4j vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-4104). The remote code execution zero-days (CVE-2021-44228 and CVE-2021-45046) allow malicious actors to craft a payload that triggers the execution of arbitrary code on application servers; CVE-2021-45105 is a denial-of-service flaw in Log4j 2, and CVE-2021-4104 affects the JMSAppender of the end-of-life Log4j 1.x line. DocuSign is responding accordingly, and DocuSign teams have active plans to remediate CVE-2021-4104 and CVE-2021-45105 in alignment with established internal processes. We will continue to monitor threat intelligence for further prioritization as information becomes available. The Log4j library is used extensively in Java-based solutions industry-wide and is not limited to DocuSign services.

Please note that information shared in Trust alerts is intended for a general audience only. Additional information about affected DocuSign Service configurations may be provided to customers beyond Trust alerts, including through Support notices.

We encourage you to assess your own endpoint implementations, including third-party services, for use of the Log4j library. CISA's Log4j guidance provides more detail on the issue. Please visit https://docusign.com/trust/alerts for the latest updates regarding this alert.
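As an added example of the assessment recommended above (this is not DocuSign's code or CISA's, and it serves the same recommendation repeated in the earlier updates below), the following Python script scans a directory tree for bundled log4j-core jars, including jars nested inside wars and ears, reads the version from the Maven pom.properties each log4j-core jar carries, and maps it to the Log4j 2 CVEs named in this alert using Apache's published fix versions. It also reports whether JndiLookup.class is still present, since deleting that class was Apache's recommended mitigation for the two remote code execution issues on builds that could not be upgraded. The sample archives, file names and placeholder class bytes are constructed for the demo; Log4j 1.x (CVE-2021-4104) is not detected by this check.

```python
"""Added example, not DocuSign's own code: scan a directory tree for bundled
log4j-core jars (including jars nested inside wars/ears), read each jar's Maven
version, and report which Log4j 2 CVEs from this alert still apply.  Sample archives are constructed."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); suffixes such as '-beta9' are dropped."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(x or 0) for x in m.groups()) if m else None

def affected_cves(version):
    """CVEs from this alert that apply to a log4j-core 2.x version tuple.  Fix versions
    per Apache: 44228 in 2.15.0 (2.12.2), 45046 in 2.16.0 (2.12.2), 45105 in 2.17.0 (2.12.3, 2.3.1)."""
    if version is None or version[0] != 2:
        return []  # Log4j 1.x (CVE-2021-4104) is out of scope for this check
    cves = []
    if version[1] == 12:  # 2.12.x (Java 7) maintenance branch
        if version < (2, 12, 2):
            cves += ["CVE-2021-44228", "CVE-2021-45046"]
        if version < (2, 12, 3):
            cves.append("CVE-2021-45105")
    elif version[1] == 3:  # 2.3.x (Java 6) maintenance branch
        if version < (2, 3, 1):
            cves += ["CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"]
    else:  # mainline 2.x
        if version < (2, 15, 0):
            cves.append("CVE-2021-44228")
        if version < (2, 16, 0):
            cves.append("CVE-2021-45046")
        if version < (2, 17, 0):
            cves.append("CVE-2021-45105")
    return cves

@dataclass
class Finding:
    path: str  # outer file path; "!/" separates nested archive entries
    version: str
    cves: list
    jndi_lookup_present: bool

def inspect_archive(data, path, findings, depth=0):
    """Record a log4j-core marker in one archive, then recurse into nested jars."""
    if depth > 5 or not zipfile.is_zipfile(io.BytesIO(data)):  # bound hostile nesting
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_LOOKUP in names:  # shaded jars may lack the pom
            props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
            ver = next((l.split("=", 1)[1].strip() for l in props.splitlines()
                        if l.startswith("version=")), "unknown")
            findings.append(Finding(path, ver, affected_cves(parse_version(ver)),
                                    JNDI_LOOKUP in names))
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                inspect_archive(zf.read(name), f"{path}!/{name}", findings, depth + 1)

def scan_tree(root):
    """Walk a directory and return a Finding for every log4j-core jar seen."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as f:
                    inspect_archive(f.read(), path, findings)
    return findings

def build_log4j_core_jar(version, with_jndi_lookup=True):
    """Constructed stand-in for a log4j-core jar: only the two markers read above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()

def demo():
    """Constructed layout: app.war bundling 2.14.1, plus a clean standalone 2.17.0 jar."""
    with tempfile.TemporaryDirectory() as root:
        war = io.BytesIO()
        with zipfile.ZipFile(war, "w") as zf:
            zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", build_log4j_core_jar("2.14.1"))
        with open(os.path.join(root, "app.war"), "wb") as f:
            f.write(war.getvalue())
        with open(os.path.join(root, "log4j-core-2.17.0.jar"), "wb") as f:
            f.write(build_log4j_core_jar("2.17.0", with_jndi_lookup=False))
        return sorted(scan_tree(root), key=lambda fi: fi.path)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Read a finding of 2.14.1 with JndiLookup absent as mitigated against CVE-2021-44228 and CVE-2021-45046 only; CVE-2021-45105 lives in a different code path and still needs the upgrade. Shaded jars that repackage Log4j without its pom.properties are reported with version "unknown" on the strength of the JndiLookup class alone, so they still need a manual look.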


[POSTED: December 23, 2021] DocuSign has been actively working on assessing risk and treating affected assets since the vulnerability was initially disclosed on the morning of December 9.

As of December 23, DocuSign continues to observe no indicators of compromise in our environment from Log4j2. DocuSign has previously deployed and continues to enhance countermeasures consistent with recently published CISA guidance to provide layers of protection and increased situational awareness through regular monitoring and blocking of suspicious activity. As a federal contractor, we are also complying with Emergency Directive 22-02 released on December 17.

DocuSign has engaged critical suppliers for a comprehensive risk assessment and will work with them to ensure they have mitigations in place and are updating their software or services to remediate this issue. As this situation continues to evolve, we will implement additional remediation actions as appropriate.

As of December 23, DocuSign can confirm that the following services have been addressed and are not vulnerable to the Log4j2 issues listed below.

PRODUCT STATUS
eSignature Product is not affected by CVE-2021-44228 or CVE-2021-45046.
CLM Product is affected by CVE-2021-44228 and CVE-2021-45046. All configurations have been treated and are not vulnerable.
InSight Product is affected by CVE-2021-44228 and CVE-2021-45046. All configurations have been treated and are not vulnerable.
LiveOak Product is not affected by CVE-2021-44228 or CVE-2021-45046.
Rooms Product is affected by CVE-2021-44228 and CVE-2021-45046. All configurations have been treated and are not vulnerable.


DocuSign would like to re-emphasize the severity of the Log4j vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-4104). The remote code execution zero-days (CVE-2021-44228 and CVE-2021-45046) allow malicious actors to craft a payload that triggers the execution of arbitrary code on application servers; CVE-2021-45105 is a denial-of-service flaw in Log4j 2, and CVE-2021-4104 affects the JMSAppender of the end-of-life Log4j 1.x line. DocuSign is responding accordingly, and DocuSign teams have active plans to remediate CVE-2021-4104 and CVE-2021-45105 in alignment with established internal processes. We will continue to monitor threat intelligence for further prioritization as information becomes available. The Log4j library is used extensively in Java-based solutions industry-wide and is not limited to DocuSign services.

We encourage you to assess your own endpoint implementations, including third-party services, for use of the Log4j library. CISA's Log4j guidance provides more detail on the issue. Please visit https://docusign.com/trust/alerts for the latest updates regarding this alert.


[POSTED: December 17, 2021] DocuSign has been actively working on assessing risk and treating affected assets since the vulnerability was initially disclosed on the morning of December 9.

As of December 17, DocuSign continues to observe no indicators of compromise in our environment from Log4j2. DocuSign has previously deployed and continues to enhance countermeasures consistent with recently published CISA guidance to provide layers of protection and increased situational awareness through regular monitoring and blocking of suspicious activity. As a federal contractor, we are also complying with Emergency Directive 22-02 released on December 17.

DocuSign has engaged all of our suppliers for a comprehensive risk assessment and will work with them to ensure they have mitigations in place and are updating their software or services to remediate this issue. As this situation continues to evolve, we will implement additional remediation actions as appropriate.

As of December 17, DocuSign can confirm that the following services have been addressed and are not vulnerable to the Log4j2 issues listed below.

Product Status
eSignature Product is not affected by CVE-2021-44228 or CVE-2021-45046.
CLM Product is affected by CVE-2021-44228 and CVE-2021-45046. All configurations have been treated and are not vulnerable.
InSight Product is affected by CVE-2021-44228 and CVE-2021-45046. All configurations have been treated and are not vulnerable.
LiveOak Product is not affected by CVE-2021-44228 or CVE-2021-45046.
Rooms Product is affected by CVE-2021-44228 and CVE-2021-45046. All configurations have been treated and are not vulnerable.


DocuSign would like to re-emphasize the severity of the Log4j vulnerabilities (CVE-2021-44228, CVE-2021-45046 and CVE-2021-4104), whereby the zero-day allows malicious actors to craft a payload that triggers the execution of arbitrary code on application servers, and DocuSign is responding accordingly. The Log4j library is used extensively in Java-based solutions industry-wide and is not limited to DocuSign services.

We encourage you to assess your own endpoint implementations, including third-party services, for use of the Log4j library. CISA's Log4j guidance provides more detail on the issue.

Please visit the DocuSign Trust Center for the latest updates regarding this alert.