Alerts and updates

Subscribe using the DocuSign Trust Center Alerts RSS feed URL: https://www.docusign.com/trust/alerts/feed.
Add an RSS reader extension to your browser (Chrome, Firefox), or enable via Outlook on a PC.

  • The DocuSign CLM and CLM.CM May 22.4 Product Release will be deployed to the EU11, EU21 Production environments on Friday, May 13, 2022 between 1:30 PM and 5:30 PM, U.S Central Time, and to the NA11, NA21, US11, US12 Production environments between 9:00 PM and Midnight, US Central Time. We do not anticipate any impact to platform availability or access during this time.

    Release Notes for this upcoming release can be found on the DocuSign Support Center.

    Please contact Technical Support if you have any questions.

  • DocuSign has been monitoring its infrastructure and product environments for potential impact from the Spring4Shell vulnerability (CVE-2022-22965) since it became public on March 29. Our dedicated security vulnerability management team is actively investigating affected components, monitoring for affected configurations, and remediating and mitigating impact. 

    The information regarding this vulnerability is still developing and the attack vectors are continuing to evolve. As such, we will continue to assess new information as it becomes available. Based on our current information:

    PRODUCT STATUS
    eSignature The DocuSign eSignature service is not affected.
    CLM The DocuSign CLM service is not affected.
    Insight The DocuSign Insight service is not affected.
    Legacy LiveOak The DocuSign Legacy LiveOak service is not affected.
    Rooms The DocuSign Rooms service is not affected.
    Notary The DocuSign Notary service is not affected.

    We recommend our customers visit the DocuSign Trust Center (https://www.docusign.com/trust) for any key updates we may share further on this matter.

  • The DocuSign CLM and CLM.CM May 22.4 Product Release will be deployed to the UAT environment on Thursday, April 28, 2022 between 8:00 PM and 11:00 PM, US Central Time. We do not anticipate any impact to platform availability or access during this time.

    Announcements for this upcoming release can be found on the DocuSign Support Center. Please continue to check the Support Center for enhancements and fixes that will be posted before UAT deployment. 

    Please contact Technical Support if you have any questions.

  • The DocuSign CLM and CLM.CM April 22.3 Product Release will be deployed to the EU11, EU21 Production environments on Friday, April 1, 2022, between 1:30 PM and 5:30 PM, U.S Central Time, and to the NA11, NA21, US11, US12 Production environments between 9:00 PM and Midnight, US Central Time. We do not anticipate any impact to platform availability or access during this time.

    Release Notes for this upcoming release can be found on the DocuSign Support Center.

    Please contact Technical Support if you have any questions.

  • The DocuSign CLM and CLM.CM April 22.3 Product Release will be deployed to the UAT environment on Thursday, March 17, 2022, between 8:00 PM and 11:00 PM, US Central Time. We do not anticipate any impact to platform availability or access during this time.

    Announcements for this upcoming release can be found on the DocuSign Support Center. Please continue to check the Support Center for enhancements and fixes that will be posted before UAT deployment. 

    Please contact Technical Support if you have any questions.

  • DocuSign has updated the subprocessor lists for our products and services: https://www.docusign.com/trust/privacy/subprocessors-list.

    Please contact privacy@docusign.com for any questions regarding this subprocessor information.

  • Please see the DocuSign Trust Center page at https://www.docusign.com/trust/compliance/public-certificates for further details on the new DocuSign SSO Certificate DEMO and PROD offer and force schedule dates.


     
  • 1. The NA Connect certificate offer was updated to March 8, 2022

    2. The new Signed By certificate offer and force dates are now published

    2. The new Client certificate offer and force dates are now published

    Please see the DocuSign trust page at https://www.docusign.com/trust/compliance/public-certificates for further details on the new certificate and “Force” scheduled date.


     
  • Please see the DocuSign Trust Center page at https://www.docusign.com/trust/compliance/public-certificates for further details on the new DocuSign SSO Certificate DEMO and PROD offer and force schedule dates.


     
  • The DocuSign CLM and CLM.CM February 22.2 Product Release will be deployed to the EU11, EU21 Production environments on Friday, February 18, 2022, between 1:30 PM and 5:30 PM, U.S Central Time, and to the NA11, NA21, US11, US12 Production environments between 9:00 PM and Midnight, US Central Time. We do not anticipate any impact to platform availability or access during this time.

    Release Notes for this upcoming release can be found on the DocuSign Support Center.

    Please contact Technical Support if you have any questions.

  • DocuSign has been actively working on assessing risk and treating affected assets since the Log4j vulnerabilities were initially disclosed on the morning of December 9.

    As of January 31, DocuSign continues to observe no indicators of compromise in our environment from Log4j. DocuSign has previously deployed and continues to enhance countermeasures consistent with published CISA guidance to provide layers of protection and increased situational awareness through regular monitoring and blocking of suspicious activity. 

    DocuSign has completed a 3rd party supply chain risk assessment with its critical suppliers to confirm that they have mitigations in place and are updating their software or services to remediate this issue. As new information surfaces, we will require suppliers to implement additional remediation actions as appropriate. 

    As of January 31, DocuSign can confirm that the following services have been addressed and are not vulnerable to the initial Log4j2 vulnerabilities (CVE-2021-44228 and CVE-2021-45046).  Two additional vulnerabilities (CVE-2021-45105 and CVE-2021-44832), both medium severity, are being addressed through normal patching cycles.  

    Product status can change as more information becomes available.

    PRODUCT STATUS
    eSignature Product is affected by CVE-2021-44228, CVE-2021-45046 scoped to a beta pre-release feature for a single customer who had been previously informed.  All configurations have been treated and are not vulnerable. 
    CLM Product is affected by CVE-2021-44228, CVE-2021-45046.  All configurations have been treated and are not vulnerable.
    Insight Product is affected by CVE-2021-44228, CVE-2021-45046.  All configurations have been treated and are not vulnerable.
    Legacy LiveOak Product is not affected by CVE-2021-44228, CVE-2021-45046.
    Rooms Product is affected by CVE-2021-44228, CVE-2021-45046.  All configurations have been treated and are not vulnerable.
    Notary Product is affected by CVE-2021-44228, CVE-2021-45046 scoped to a beta pre-release feature for a single customer who had been previously informed.  All configurations have been treated and are not vulnerable.

     

    DocuSign would like to re-emphasize the severity of the Log4j vulnerabilities, whereby the remote code execution zero days (CVE-2021-44228 and CVE-2021-45046) allow malicious actors to craft a payload that can trigger the execution of arbitrary code on application servers. DocuSign is responding accordingly and DocuSign teams have active plans to remediate CVE-2021-4104,  CVE-2021-45105 and CVE-2021-44832 in alignment with established internal processes. We will continue to monitor threat intelligence for further prioritization as information becomes available. The Log4j library is used extensively in Java-based solutions industry-wide and is not limited to DocuSign services.

    Please note, information shared in Trust alerts are intended for a general audience only.  Additional information may be provided to customers regarding their affected DocuSign Service configurations beyond Trust alerts, including through Support notices.   

    We encourage you to perform an assessment of your specific endpoint implementations for use of the Log4j service, including third-party services. This CISA article provides more detail into the issue. Please visit https://docusign.com/trust/alerts for the latest updates regarding this alert.

  • Several updates have been made to Public Certificates. 

    1. The new site SSL certificate for DEMO, EU, and CA Certificate is now published. 

    2. The new account server SSL certificate offer and force dates are now published.

    3. The new DocuSign Express Service offer date was updated.

    Please see the DocuSign trust page at https://www.docusign.com/trust/compliance/public-certificates for further details on the new certificate and  “Force” scheduled date.

Pages