Alerts and updates

Subscribe using the DocuSign Trust Center Alerts RSS feed URL: https://www.docusign.com/trust/alerts/feed.
Add an RSS reader extension to your browser (Chrome, Firefox), or enable via Outlook on a PC.

  • On January 26, DocuSign security and engineering teams received intelligence of the PwnKit vulnerability (CVE-2021-4034) and initiated investigations. DocuSign is performing necessary patching or mitigating as vulnerable configurations are identified.

    As of January 31, 2021, DocuSign has observed no indicators of compromise in the environment or to customers.

    DocuSign continues to investigate and monitor the situation as it evolves with any new information.

  • The DocuSign CLM and CLM.CM February 22.2 Product Release will be deployed to the UAT environment on Thursday, February 3, 2022, between 8:00 PM and 11:00 PM, US Central Time. We do not anticipate any impact to platform availability or access during this time.

    Announcements for this upcoming release can be found on the DocuSign Support Center. Please continue to check the Support Center for enhancements and fixes that will be posted before UAT deployment. 

    Please contact Technical Support if you have any questions.

  • Please see the DocuSign trust page at https://www.docusign.com/trust/compliance/public-certificates for further details on the new DEMO certificate and “Force” scheduled date.
  • Please see the DocuSign trust page at https://www.docusign.com/trust/compliance/public-certificates for further details on the new DEMO certificate availability, “Offer” schedule date.
  • [UPDATED: January 14, 2022] The DocuSign CLM Technology Team will postpone the scheduled maintenance on January 13, 2022 until a later date. We apologize for any inconvenience. 

    Please contact DocuSign CLM Technical Support with any questions.

    [POSTED: January 5, 2022] The DocuSign CLM Technology Team will be conducting scheduled maintenance between 9:00 PM and midnight EST on the following dates for the following environments:

    January 11, 2022: US12 Production

    January 12, 2022: US11 Production

    January 13, 2022: US11 Production

    During this time customers on the affected instances may experience moments of brief inaccessibility to their account.

    Please contact DocuSign CLM Technical Support with any questions.

  • [UPDATED: January 5, 2022, 3:37pm PST] The NA21 public IP subnet change has been postponed to Friday, January 21st, 2022 at 10pm CT from January 8th. The old subnet (69.79.142.0/24) will remain active until then. We apologize for any inconvenience.

    [POSTED: January 4, 2022, 9:09am PST] On Saturday, January 8th, 2022 at 10pm CST the DocuSign CLM Technology Team will be changing all customer-facing IP addresses for the NA21 PRODUCTION environment.

    As part of this change, we will be migrating the NA21 Production environment over to DocuSign’s core backbone for internet access on January 8th between 10pm and midnight. During this period, NA21 Production will be briefly inaccessible for about 3-5 minutes.

    The change involves updating all customer-facing IP addresses for Production from 69.79.142.0/24 to 209.112.107.0/25.

    Customers on these instances who are currently allowlisting 69.79.142.0/24 are advised that they will need to work with their IT teams to update their IP allowlisting settings to allow the new range (209.112.107.0/25) or they may encounter issues accessing their environments on the respective dates.

  • The DocuSign CLM and CLM.CM January 22.1 Product Release will be deployed to the EU11, EU21 Production environments on Friday, January 7, 2022, between 1:30 PM and 5:30 PM, US Central Time, and to the NA11, NA21, US11, US12 Production environments between 9:00 PM and Midnight, US Central Time. We do not anticipate any impact to platform availability or access during this time.

    Release Notes for this upcoming release can be found on the DocuSign Support Center.

    Please contact Technical Support if you have any questions.

  • [UPDATED: December 27, 2021] DocuSign has been actively working on assessing risk and treating affected assets since the vulnerability was initially disclosed on the morning of December 9.

    As of December 27, DocuSign continues to observe no indicators of compromise in our environment from Log4j2. DocuSign has previously deployed and continues to enhance countermeasures consistent with recently published CISA guidance to provide layers of protection and increased situational awareness through regular monitoring and blocking of suspicious activity. As a federal contractor, we are also complying with Emergency Directive 22-02 released on December 17.

    DocuSign has engaged critical suppliers for a comprehensive risk assessment and will work with our suppliers to confirm they have mitigations in place and are updating their software or services to remediate this issue. As this situation continues to evolve, we will implement or require of suppliers additional remediation actions as appropriate. 

    As of December 27, DocuSign can confirm that the following services have been addressed and are not vulnerable to Log4j2.  This is an ongoing product security incident and product status can change as more information becomes available.

    PRODUCT | STATUS
    eSignature | Product is affected by CVE-2021-44228, CVE-2021-45046 scoped to a beta pre-release feature for a single customer who had been previously informed. All configurations have been treated and are not vulnerable.
    CLM | Product is affected by CVE-2021-44228, CVE-2021-45046. All configurations have been treated and are not vulnerable.
    InSight | Product is affected by CVE-2021-44228, CVE-2021-45046. All configurations have been treated and are not vulnerable.
    LiveOak | Product is not affected by CVE-2021-44228, CVE-2021-45046.
    Rooms | Product is affected by CVE-2021-44228, CVE-2021-45046. All configurations have been treated and are not vulnerable.

    DocuSign would like to re-emphasize the severity of the Log4j vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-4104), whereby the remote code execution zero days (CVE-2021-44228 and CVE-2021-45046) allow malicious actors to craft a payload that can trigger the execution of arbitrary code on application servers. DocuSign is responding accordingly and DocuSign teams have active plans to remediate CVE-2021-4104 and CVE-2021-45105 in alignment with established internal processes. We will continue to monitor threat intelligence for further prioritization as information becomes available. The Log4j library is used extensively in Java-based solutions industry-wide and is not limited to DocuSign services.

    Please note, information shared in Trust alerts is intended for a general audience only. Additional information may be provided to customers regarding their affected DocuSign Service configurations beyond Trust alerts, including through Support notices.

    We encourage you to perform an assessment of your specific endpoint implementations for use of the Log4j service, including third-party services. This CISA article provides more detail into the issue. Please visit https://docusign.com/trust/alerts for the latest updates regarding this alert.

    [POSTED: December 23, 2021] DocuSign has been actively working on assessing risk and treating affected assets since the vulnerability was initially disclosed on the morning of December 9.

    As of December 23, DocuSign continues to observe no indicators of compromise in our environment from Log4j2. DocuSign has previously deployed and continues to enhance countermeasures consistent with recently published CISA guidance to provide layers of protection and increased situational awareness through regular monitoring and blocking of suspicious activity. As a federal contractor, we are also complying with Emergency Directive 22-02 released on December 17.

    DocuSign has engaged critical suppliers for a comprehensive risk assessment and will work with our suppliers to ensure they have mitigations in place and are updating their software or services to remediate this issue. As this situation continues to evolve, we will implement additional remediation actions as appropriate. 

    As of December 23, DocuSign can confirm that the following services have been addressed and are not vulnerable to Log4j2.

    PRODUCT | STATUS
    eSignature | Product is not affected by CVE-2021-44228, CVE-2021-45046.
    CLM | Product is affected by CVE-2021-44228, CVE-2021-45046. All configurations have been treated and are not vulnerable.
    InSight | Product is affected by CVE-2021-44228, CVE-2021-45046. All configurations have been treated and are not vulnerable.
    LiveOak | Product is not affected by CVE-2021-44228, CVE-2021-45046.
    Rooms | Product is affected by CVE-2021-44228, CVE-2021-45046. All configurations have been treated and are not vulnerable.

    DocuSign would like to re-emphasize the severity of the Log4j vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-4104), whereby the remote code execution zero days (CVE-2021-44228 and CVE-2021-45046) allow malicious actors to craft a payload that can trigger the execution of arbitrary code on application servers. DocuSign is responding accordingly and DocuSign teams have active plans to remediate CVE-2021-4104 and CVE-2021-45105 in alignment with established internal processes. We will continue to monitor threat intelligence for further prioritization as information becomes available. The Log4j library is used extensively in Java-based solutions industry-wide and is not limited to DocuSign services.

    We encourage you to perform an assessment of your specific endpoint implementations for use of the Log4j service, including third-party services. This CISA article provides more detail into the issue. Please visit https://docusign.com/trust/alerts for the latest updates regarding this alert.

    [POSTED: December 17, 2021] DocuSign has been actively working on assessing risk and treating affected assets since the vulnerability was initially disclosed on the morning of December 9.

    As of December 17, DocuSign continues to observe no indicators of compromise in our environment from Log4j2. DocuSign has previously deployed and continues to enhance countermeasures consistent with recently published CISA guidance to provide layers of protection and increased situational awareness through regular monitoring and blocking of suspicious activity.  As a federal contractor, we are also complying with Emergency Directive 22-02 released on 12/17.

    DocuSign has engaged all of our suppliers for a comprehensive risk assessment and will work with our suppliers to ensure they have mitigations in place and are updating their software or services to remediate this issue. As this situation continues to evolve, we will implement additional remediation actions as appropriate. 

    As of 12/17, DocuSign can confirm that the following services have been addressed and are not vulnerable to Log4j2.

    Product | Status
    eSignature | Product is not affected by CVE-2021-44228, CVE-2021-45046.
    CLM | Product is affected by CVE-2021-44228, CVE-2021-45046. All configurations have been treated and are not vulnerable.
    InSight | Product is affected by CVE-2021-44228, CVE-2021-45046. All configurations have been treated and are not vulnerable.
    LiveOak | Product is not affected by CVE-2021-44228, CVE-2021-45046.
    Rooms | Product is affected by CVE-2021-44228, CVE-2021-45046. All configurations have been treated and are not vulnerable.

    DocuSign would like to re-emphasize the severity of the Log4j vulnerabilities (CVE-2021-44228, CVE-2021-45046 and CVE-2021-4104), whereby the zero day allows malicious actors to craft a payload that can trigger the execution of arbitrary code on application servers, and DocuSign is responding accordingly. The Log4j library is used extensively in Java-based solutions industry-wide and not limited to DocuSign Services.

    We encourage you to perform an assessment of your specific endpoint implementations for use of the Log4j service, including third-party services. This CISA article provides more detail into the issue.

    Please visit the DocuSign Trust Center for the latest updates regarding this alert.

  • On Wednesday, December 29, 7:00 PM CT, DocuSign CLM/SpringCM will be upgrading the certificate used to sign outgoing SAML requests in our UAT environment.

    On Friday, January 7, 2022, 7:00 PM CT, we will be performing the same exercise in our PROD environment.

    If you are using SSO with DocuSign CLM/SpringCM in your CLM.CM account and your Identity Provider is set to validate the signature on incoming SAML requests, but is not set up to monitor and automatically update the certificate via DocuSign CLM/SpringCM’s service provider metadata, you will need to upgrade the certificate manually.

    SSO access to DocuSign CLM/SpringCM will not function with your old certificates after each rollover date listed above. SSO access to DocuSign eSignature will NOT be impacted. 

    New certificates are available via public download here.

    Please contact DocuSign CLM Technical Support with any questions.

  • The new DocuSign Express email service availability and deployment schedule for 2022 has been published.

    Please see the DocuSign Trust Center page at https://www.docusign.com/trust/compliance/public-certificates for further details on the new certificate availability, "Offer" and "Force" schedule dates.

  • [UPDATED: December 17, 2021, 5:19 PM PST] DocuSign has been actively working on assessing risk and treating affected assets since the vulnerability was initially disclosed on the morning of December 9.

    As of December 17, DocuSign continues to observe no indicators of compromise in our environment from Log4j2. DocuSign has previously deployed and continues to enhance countermeasures consistent with recently published CISA guidance to provide layers of protection and increased situational awareness through regular monitoring and blocking of suspicious activity.  As a federal contractor, we are also complying with Emergency Directive 22-02 released on 12/17.

    DocuSign has engaged all of our suppliers for a comprehensive risk assessment and will work with our suppliers to ensure they have mitigations in place and are updating their software or services to remediate this issue. As this situation continues to evolve, we will implement additional remediation actions as appropriate. 

    As of 12/17, DocuSign can confirm that the following services have been addressed and are not vulnerable to Log4j2.

    Product | Status
    eSignature | Product is not affected by CVE-2021-44228, CVE-2021-45046.
    CLM | Product is affected by CVE-2021-44228, CVE-2021-45046. All configurations have been treated and are not vulnerable.
    InSight | Product is affected by CVE-2021-44228, CVE-2021-45046. All configurations have been treated and are not vulnerable.
    LiveOak | Product is not affected by CVE-2021-44228, CVE-2021-45046.
    Rooms | Product is affected by CVE-2021-44228, CVE-2021-45046. All configurations have been treated and are not vulnerable.

    DocuSign would like to re-emphasize the severity of the Log4j vulnerabilities (CVE-2021-44228, CVE-2021-45046 and CVE-2021-4104), whereby the zero day allows malicious actors to craft a payload that can trigger the execution of arbitrary code on application servers, and DocuSign is responding accordingly. The Log4j library is used extensively in Java-based solutions industry-wide and not limited to DocuSign Services.

    We encourage you to perform an assessment of your specific endpoint implementations for use of the Log4j service, including third-party services. This CISA article provides more detail into the issue.

    Please visit https://docusign.com/trust/alerts for the latest updates regarding this alert.

    [POSTED: December 16, 2021, 2:57 PM PST] As of December 16, DocuSign continues to observe no indicators of compromise in our environment from Log4j2. DocuSign has previously deployed and continues to enhance countermeasures consistent with recently published CISA guidance to provide layers of protection and increased situational awareness through enhanced monitoring and blocking of suspicious activity. We continue to reach out to our third-party suppliers providing critical DocuSign operations to determine their impact and status of remediation and patching activities.

    DocuSign would like to re-emphasize the severity of the Log4j vulnerabilities (CVE-2021-44228, CVE-2021-45046 and CVE-2021-4104), whereby the zero day allows malicious actors to craft a payload that can trigger the execution of arbitrary code on application servers, and DocuSign is responding accordingly. The Log4j library is used extensively in Java-based solutions industry-wide and not limited to DocuSign Services.

    We encourage you to perform an assessment of your specific endpoint implementations for use of the Log4j service, including third-party services. This CISA article provides more detail into the issue.

    Please visit https://docusign.com/trust/alerts for the latest updates regarding this alert.

    [POSTED: December 15, 2021, 4:12 PM PST] As of December 15, DocuSign continues to observe no indicators of compromise in our environment from Log4j2. DocuSign has previously deployed and continues to enhance countermeasures consistent with recently published CISA guidance to provide layers of protection and increased situational awareness through enhanced monitoring and blocking of suspicious activity. We continue to reach out to our third-party suppliers providing critical DocuSign operations to determine their impact and status of remediation and patching activities.

    DocuSign would like to re-emphasize the severity of the Log4j vulnerabilities (CVE-2021-44228, CVE-2021-45046 and CVE-2021-4104), whereby the zero day allows malicious actors to craft a payload that can trigger the execution of arbitrary code on application servers, and DocuSign is responding accordingly. The Log4j library is used extensively in Java-based solutions industry-wide and not limited to DocuSign Services.

    We encourage you to perform an assessment of your specific endpoint implementations for use of the Log4j service, including third-party services. This CISA article provides more detail into the issue.

    Please visit https://docusign.com/trust/alerts for the latest updates regarding this alert.

    [POSTED: December 14, 2021, 8:25 PM PST] DocuSign continues to observe no indicators of compromise in our environment from Log4j2. DocuSign has previously deployed and continues to deploy countermeasures consistent with recently published CISA guidance. DocuSign continues to monitor information provided by CISA, threat intelligence and other vendors and will respond accordingly. 

    Please visit https://docusign.com/trust/alerts for the latest updates regarding this alert.

    [POSTED: December 13, 2021, 12:00 PM PST] DocuSign has observed no indicators of compromise in our environment from Log4j2. Countermeasures are in place to provide layers of protection and increase situational awareness through enhanced monitoring and blocking of suspicious activity. We have reached out to our third-party suppliers providing critical DocuSign operations to determine their impact and status of remediation and patching activities. 

    The security of our products is a top priority and critical to our ongoing commitment of fostering trust and transparency for our customers. DocuSign continues to monitor information provided by CISA, threat intelligence and other vendors for new information. We will continue to take prompt action as necessary. 

    Please visit https://docusign.com/trust/alerts for the latest updates regarding this alert.

    [POSTED: December 11, 2021, 11:00 AM PST] On December 9, 2021, DocuSign security and engineering teams received intelligence of the Log4j2 vulnerability (CVE-2021-44228) and initiated investigations. DocuSign is patching or mitigating as vulnerable configurations are identified.

    As of December 11, 2021, DocuSign has observed no indicators of compromise in the environment or to customers.

    DocuSign continues to investigate and monitor the situation as it evolves with any new information.

  • The new Connect Certificates availability and deployment schedule for 2022 has been published.

    Please see the DocuSign Trust Center page at https://www.docusign.com/trust/compliance/public-certificates under the “Connect Certificates” section for further details on the new certificate availability, "Offer" and "Force" schedule dates.
