[UPDATED: December 17, 2021, 5:19 PM PST] DocuSign has been actively working on assessing risk and treating affected assets since the vulnerability was initially disclosed on the morning of December 9.

As of December 17, DocuSign continues to observe no indicators of compromise in our environment from Log4j2. DocuSign has previously deployed and continues to enhance countermeasures consistent with recently published CISA guidance to provide layers of protection and increased situational awareness through regular monitoring and blocking of suspicious activity.  As a federal contractor, we are also complying with Emergency Directive 22-02 released on 12/17.

DocuSign has engaged all of our suppliers for a comprehensive risk assessment and will work with our suppliers to ensure they have mitigations in place and are updating their software or services to remediate this issue. As this situation continues to evolve, we will implement additional remediation actions as appropriate. 

As of 12/17, DocuSign can confirm that the following services have been addressed and are not vulnerable to Log4j2.

DocuSign would like to re-emphasize the severity of the Log4j vulnerabilities (CVE-2021-44228, CVE-2021-45046 and CVE-2021-4104), whereby the zero day allows malicious actors to craft a payload that can trigger the execution of arbitrary code on application servers, and DocuSign is responding accordingly. The Log4j library is used extensively in Java-based solutions industry-wide and not limited to DocuSign Services.

We encourage you to perform an assessment of your specific endpoint implementations for use of the Log4j service, including third-party services. This CISA article provides more detail into the issue.

Please visit https://docusign.com/trust/alerts for the latest updates regarding this alert.

[POSTED: December 16, 2021, 2:57 PM PST] As of December 16, DocuSign continues to observe no indicators of compromise in our environment from Log4j2. DocuSign has previously deployed and continues to enhance countermeasures consistent with recently published CISA guidance to provide layers of protection and increased situational awareness through enhanced monitoring and blocking of suspicious activity. We continue to reach out to our third-party suppliers providing critical DocuSign operations to determine their impact and status of remediation and patching activities.

DocuSign would like to re-emphasize the severity of the Log4j vulnerabilities (CVE-2021-44228, CVE-2021-45046 and CVE-2021-4104), whereby the zero day allows malicious actors to craft a payload that can trigger the execution of arbitrary code on application servers, and DocuSign is responding accordingly. The Log4j library is used extensively in Java-based solutions industry-wide and not limited to DocuSign Services.

We encourage you to perform an assessment of your specific endpoint implementations for use of the Log4j service, including third-party services. This CISA article provides more detail into the issue.

Please visit https://docusign.com/trust/alerts for the latest updates regarding this alert.

[POSTED: December 15, 2021, 4:12 PM PST] As of December 15, DocuSign continues to observe no indicators of compromise in our environment from Log4j2. DocuSign has previously deployed and continues to enhance countermeasures consistent with recently published CISA guidance to provide layers of protection and increased situational awareness through enhanced monitoring and blocking of suspicious activity. We continue to reach out to our third-party suppliers providing critical DocuSign operations to determine their impact and status of remediation and patching activities.

DocuSign would like to re-emphasize the severity of the Log4j vulnerabilities (CVE-2021-44228, CVE-2021-45046 and CVE-2021-4104), whereby the zero day allows malicious actors to craft a payload that can trigger the execution of arbitrary code on application servers, and DocuSign is responding accordingly. The Log4j library is used extensively in Java-based solutions industry-wide and not limited to DocuSign Services.

We encourage you to perform an assessment of your specific endpoint implementations for use of the Log4j service, including third-party services. This CISA article provides more detail into the issue.

Please visit https://docusign.com/trust/alerts for the latest updates regarding this alert.

[POSTED: December 14, 2021, 8:25 PM PST] DocuSign continues to observe no indicators of compromise in our environment from Log4j2. DocuSign has previously deployed and continues to deploy countermeasures consistent with recently published CISA guidance. DocuSign continues to monitor information provided by CISA, threat intelligence and other vendors and will respond accordingly. 

Please visit https://docusign.com/trust/alerts for the latest updates regarding this alert.

[POSTED: December 13, 2021, 12:00 PM PST] DocuSign has observed no indicators of compromise in our environment from Log4j2. Countermeasures are in place to provide layers of protection and increase situational awareness through enhanced monitoring and blocking of suspicious activity. We have reached out to our third-party suppliers providing critical DocuSign operations to determine their impact and status of remediation and patching activities. 

The security of our products is a top priority and critical to our ongoing commitment of fostering trust and transparency for our customers. DocuSign continues to monitor information provided by CISA, threat intelligence and other vendors for new information. We will continue to take prompt action as necessary. 

Please visit https://docusign.com/trust/alerts for the latest updates regarding this alert.

[POSTED: December 11, 2021, 11:00 AM PST] On December 9, 2021, DocuSign security and engineering teams received intelligence of the Log4j2 vulnerability (CVE-2021-44228) and initiated investigations. DocuSign is patching or mitigating as vulnerable configurations are identified.

As of December 11, 2021, DocuSign has observed no indicators of compromise in the environment or to customers.

DocuSign continues to investigate and monitor the situation as it evolves with any new information.
 

The DocuSign CLM and CLM.CM January 22.1 Product Release will be deployed to the UAT environment on Thursday, December 9, 2021 between 8:00 PM and 11:00 PM, US Central Time. We do not anticipate any impact to platform availability or access during this time.

Announcements for this upcoming release can be found on the DocuSign Support Center. Please continue to check the Support Center for enhancements and fixes that will be posted before UAT deployment.

Please contact Technical Support if you have any questions.

The DocuSign CLM Trust Site (trust.springcm.com) is being retired. Upon retirement, the DocuSign Trust Center will be the sole source for posted trust, security and privacy updates, alerts and system status.

Please see the DocuSign Trust Center page at https://www.docusign.com/trust/compliance/public-certificates under the “Site Certificates” section to download and for further details on the new NA4 certificate availability and application dates.

The new NA4 certificate will be enforced on Wednesday, November 17, 2021, 3PM. After this time, the new certificate will be the sole certificate for the NA4 Site SSL endpoints.

DocuSign is deprecating support for outbound TLS 1.0 on 31st October 2021. Although DocuSign has not supported TLS 1.0 in our products since 2018, we did allow opportunistic TLS which means if a recipient's email server did not accept a higher version of TLS, they could receive emails via TLS 1.0. This will end on October 31st.

Additional information can be found on the DocuSign Support Center.

Please contact Technical Support if you have any questions.

The CLM Operations team will be performing essential system maintenance on all CLM Data Centers starting Friday, October 8th and ending Saturday, October 9th 2021. During this time, there may be some periods where the CLM application is degraded.  We apologize for the short notice for this announcement and any impact this may have on your accounts.

Please reach out to DocuSign CLM Technical Support for any questions or concerns and see below for the timing by environment:

EU11 EU21 PRODUCTION ENVIRONMENTS

Between 18:30 UTC (1:30 pm CDT) and 22:30 UTC (5:30 pm CDT) on Friday October 8th 2021.

UAT ENVIRONMENTS

Between 00:30 UTC (7:30 pm CDT) and 03:30 UTC (10:30 pm CDT) on Friday October 8th 2021-Sat October 9th 2021.

NA11 NA21 PRODUCTION ENVIRONMENTS

Between 18:00 UTC (1:00 pm CDT) and 0:00 UTC (7:00 pm CDT) on Sat October 9th 2021.

US11 US12 PRODUCTION ENVIRONMENTS

Between 18:00 UTC (1:00 pm CDT) and 0:00 UTC (7:00 pm CDT) on Sat October 9th 2021.