DigiCert is aware of the zero-day exploit affecting the Apache Log4j utility. We continue to analyze the vulnerabilities related to Apache Log4j disclosed on December 9, 2021. At this time, we are not aware of any impact to our services and all services continue to operate as expected.
To keep your DigiCert services secure, our dedicated team of security professionals continues to monitor the overall impact of the Log4j remote-code execution vulnerabilities (CVE-2021-45046, CVE-2021-44228, CVE-2021-45105, and CVE-2021-44832). We will provide new information as it becomes available.
CertCentral
Services
Impacted/Not affected
Patch status
Notes
CertCentral API
Not affected
Not applicable
CertCentral console
Not affected
Not applicable
Automation: DigiCert Automation Agent
Not affected
Not applicable
Discovery and Automation: On-premises sensor
Impacted
Patched to Apache Log4j 2.16.0 on December 15, 2021
Patched to Apache Log4j 2.17.0 on December 20, 2021
Discovery and Automation: CertCentral public scan
Not affected
Not applicable
Discovery and Automation:
CertCentral-Discovery as a Service
Not affected
Not applicable
ACME
Not affected
Not applicable
DigiCert Site Seal
Services
Impacted/Not affected
Patch status
Notes
Site Seal
Not affected
Not applicable
Certificate Issuing Service (CIS)
Services
Impacted/Not affected
Patch status
Notes
CIS
Impacted
Patched to Apache Log4j 2.15.0 on December 10, 2021
Patched to Apache Log4j 2.16.0 on December 14, 2021
Patched to Apache Log4j 2.17.0 on December 20, 2021
Code Signing Timestamp Service
Services
Impacted/Not affected
Patch status
Notes
Code Signing Timestamp Service
Not affected
Not applicable
Online Certificate Status Protocol (OCSP)
Services
Impacted/Not affected
Patch status
Notes
OCSP
Not affected
Not applicable
Certificate Revocation List (CRL)
Services
Impacted/Not affected
Patch status
Notes
CRL
Not affected
Not applicable
digicert.com
Services
Impacted/Not affected
Patch status
Notes
Website
Not affected
Not applicable
Managed PKI (User Authentication)
Services
Impacted/Not affected
Patch status
Notes
PKI Platform 8
Not affected
Not applicable
PKI Platform 8:
Enterprise Gateway
Not affected
Not applicable
PKI Platform 8:
Auto Enrollment Server
Not affected
Not applicable
PKI Platform 8:
Local Key Management Server (LKMS)
Not affected
See Notes.
Not applicable
However, the LKMS package does ship with Log4j v2.8.2, but it is NOT used by the LKMS server code.
If you want to remove this, see our knowledgebase article
PKI Platform 8:
PKI Client
Not affected
Not applicable
PKI Platform 8:
InTune Import Tool
Not affected
Not applicable
PKI Platform 8:
Enrollment over Secure Transport (EST) Client
Not affected
Not applicable
PKI Platform 8:
Simple Certificate Enrollment Protocol (SCEP) Client
Not affected
Not applicable
PKI Platform 8:
DigiCert Desktop Client
Not affected
See Notes.
Not applicable
DigiCert Desktop Client is not affected. However, make sure you are running one of the two latest releases: 3.3.0 or 3.2.1.
The new version can be downloaded here: DigiCert Desktop Client
PKI Platform 8:
Bulk Export Tool
Not affected
Not applicable
PKI Platform 8:
Enrollment over Secure Transport (EST) Proxy Server
Not affected
Not applicable
PKI Platform 8:
Simple Certificate Enrollment Protocol (SCEP) Proxy Server
Not affected
Not applicable
PKI Platform 7
Not affected
Not applicable
PKI Platform 7 (Japan)
Not affected
Not applicable
CI Plus Platform
Impacted
Patched to Apache Log4j 2.16.0 on December 15, 2021
Patched to Apache Log4j 2.17.0 on December 21, 2021
Online Certificate Status Protocol (OCSP)
Not affected
Not applicable
Certificate Revocation List (CRL)
Not affected
Not applicable
Direct Cert Portal
Services
Impacted/Not affected
Patch status
Notes
Direct Cert Portal API
Not affected
Not applicable
Direct Cert Portal Console
Not affected
Not applicable
DigiCert ONE
Services
Impacted/Not affected
Patch status
Notes
Account Manager
Not affected
Not applicable
CA Manager
Not affected
Not applicable
DigiCert® Trust Lifecycle Manager
Not affected
Not applicable
DigiCert® IoT Trust Manager
Not affected
Not applicable
DigiCert® Software Trust Manager
Not affected
Not applicable
DigiCert® Document Trust Manager
Not affected
Not applicable
Automation Manager
Not affected
Not applicable
Automation Manager, on-premises sensor
Impacted
Patched to Apache Log4j 2.16.0 on December 15, 2021
Patched to Apache Log4j 2.17.0 on December 20, 2021
DigiCert ONE Japan
Services
Impacted/Not affected
Patch status
Notes
Account Manager
Not affected
Not applicable
CA
Not affected
Not applicable
Enterprise PKI Manager
Not affected
Not applicable
IoT Device Manager
Not affected
Not applicable
Secure Software Manager
Not affected
Not applicable
Document Signing Manager
Not affected
Not applicable
Enterprise
Services
Impacted/Not affected
Patch status
Notes
API VICE2
Not affected
Not applicable
DigiCert Gatekeeper Service
Services
Impacted/Not affected
Patch status
Notes
GateKeeper
Not affected
Not applicable
QuoVadis
Services
Impacted/Not affected
Patch status
Notes
DSS-Engine Production
Not affected
Not applicable
DSS-Engine Staging
Not affected
Not applicable
Trust/Link
Not affected
Not applicable
SealSign Cloud Production
Not affected
Not applicable
SealSign Cloud Staging
Not affected
Not applicable
QVSS (QuoVadis Signing Service)
Not affected
Not applicable
QuoVadis Qualified Timestamps
Not affected
Not applicable
QuoVadis website Netherlands
Not affected
Not applicable
QuoVadis NOVA System
Not affected
Not applicable
TL/C Demo
Not affected
Not applicable
TL/C Prod
Not affected
Not applicable
PERSS
Not affected
Not applicable
SixTerravis
Not affected
Not applicable
Primosign
Not affected
Not applicable
QuoVadis IDP
Not affected
Not applicable
If you discover your systems are affected by log4j, DigiCert recommends that you create new keys, request replacement certificates, and revoke any impacted certificates from the compromised systems.
For further questions, contact DigiCert Support.