Alert ID : AL141221034144

Last Modified : 01/21/2022

DigiCert Log4J Response

Description

 

DigiCert is aware of the zero-day exploit affecting the Apache Log4j utility. We continue to analyze the vulnerabilities related to Apache Log4j disclosed on December 9, 2021. At this time, we are not aware of any impact to our services and all services continue to operate as expected.  

To keep your DigiCert services secure, our dedicated team of security professionals continues to monitor the overall impact of the Log4j remote code execution vulnerabilities (CVE-2021-45046, CVE-2021-44228, CVE-2021-45105, and CVE-2021-44832). We will provide new information as it becomes available.

 

Services status

CertCentral

| Services | Impacted/Not affected | Patch status | Notes |
| --- | --- | --- | --- |
| CertCentral API | Not affected | Not applicable | |
| CertCentral console | Not affected | Not applicable | |
| Automation: DigiCert Automation Agent | Not affected | Not applicable | |
| Discovery and Automation: On-premises sensor | Impacted | Patched to Apache Log4j 2.16.0 on December 15, 2021; patched to Apache Log4j 2.17.0 on December 20, 2021 | See DigiCert Log4j Sensor Response. |
| Discovery and Automation: CertCentral public scan | Not affected | Not applicable | |
| Discovery and Automation: CertCentral-Discovery as a Service | Not affected | Not applicable | |
| ACME | Not affected | Not applicable | |

DigiCert Site Seal

| Services | Impacted/Not affected | Patch status | Notes |
| --- | --- | --- | --- |
| Site Seal | Not affected | Not applicable | |

Certificate Issuing Service (CIS)

| Services | Impacted/Not affected | Patch status | Notes |
| --- | --- | --- | --- |
| CIS | Impacted | Patched to Apache Log4j 2.15.0 on December 10, 2021; patched to Apache Log4j 2.16.0 on December 14, 2021; patched to Apache Log4j 2.17.0 on December 20, 2021 | |

Code Signing Timestamp Service

| Services | Impacted/Not affected | Patch status | Notes |
| --- | --- | --- | --- |
| Code Signing Timestamp Service | Not affected | Not applicable | |

Online Certificate Status Protocol (OCSP)

| Services | Impacted/Not affected | Patch status | Notes |
| --- | --- | --- | --- |
| OCSP | Not affected | Not applicable | |

Certificate Revocation List (CRL)

| Services | Impacted/Not affected | Patch status | Notes |
| --- | --- | --- | --- |
| CRL | Not affected | Not applicable | |

digicert.com

| Services | Impacted/Not affected | Patch status | Notes |
| --- | --- | --- | --- |
| Website | Not affected | Not applicable | |

Managed PKI (User Authentication)

| Services | Impacted/Not affected | Patch status | Notes |
| --- | --- | --- | --- |
| PKI Platform 8 | Not affected | Not applicable | |
| PKI Platform 8: Enterprise Gateway | Not affected | Not applicable | |
| PKI Platform 8: Auto Enrollment Server | Not affected | Not applicable | |
| PKI Platform 8: Local Key Management Server (LKMS) | Not affected. See Notes. | Not applicable | However, the LKMS package does ship with Log4j v2.8.2, but it is NOT used by the LKMS server code. If you want to remove this, see our knowledgebase article. |
| PKI Platform 8: PKI Client | Not affected | Not applicable | |
| PKI Platform 8: InTune Import Tool | Not affected | Not applicable | |
| PKI Platform 8: Enrollment over Secure Transport (EST) Client | Not affected | Not applicable | |
| PKI Platform 8: Simple Certificate Enrollment Protocol (SCEP) Client | Not affected | Not applicable | |
| PKI Platform 8: DigiCert Desktop Client | Not affected. See Note. | Not applicable | DigiCert Desktop Client is not affected. However, make sure you are running one of the two latest releases: 3.3.0 or 3.2.1. The new version can be downloaded here: DigiCert Desktop Client |
| PKI Platform 8: Bulk Export Tool | Not affected | Not applicable | |
| PKI Platform 8: Enrollment over Secure Transport (EST) Proxy Server | Not affected | Not applicable | |
| PKI Platform 8: Simple Certificate Enrollment Protocol (SCEP) Proxy Server | Not affected | Not applicable | |
| PKI Platform 7 | Not affected | Not applicable | |
| PKI Platform 7 (Japan) | Not affected | Not applicable | |
| CI Plus Platform | Impacted | Patched to Apache Log4j 2.16.0 on December 15, 2021; patched to Apache Log4j 2.17.0 on December 21, 2021 | |
| Online Certificate Status Protocol (OCSP) | Not affected | Not applicable | |
| Certificate Revocation List (CRL) | Not affected | Not applicable | |

Direct Cert Portal

| Services | Impacted/Not affected | Patch status | Notes |
| --- | --- | --- | --- |
| Direct Cert Portal API | Not affected | Not applicable | |
| Direct Cert Portal Console | Not affected | Not applicable | |

DigiCert ONE

| Services | Impacted/Not affected | Patch status | Notes |
| --- | --- | --- | --- |
| Account Manager | Not affected | Not applicable | |
| CA Manager | Not affected | Not applicable | |
| Enterprise PKI Manager | Not affected | Not applicable | |
| IoT Device Manager | Not affected | Not applicable | |
| Secure Software Manager | Not affected | Not applicable | |
| Document Signing Manager | Not affected | Not applicable | |
| Automation Manager | Not affected | Not applicable | |
| Automation Manager, on-premises sensor | Impacted | Patched to Apache Log4j 2.16.0 on December 15, 2021; patched to Apache Log4j 2.17.0 on December 20, 2021 | |

DigiCert ONE Japan

| Services | Impacted/Not affected | Patch status | Notes |
| --- | --- | --- | --- |
| Account Manager | Not affected | Not applicable | |
| CA | Not affected | Not applicable | |
| Enterprise PKI Manager | Not affected | Not applicable | |
| IoT Device Manager | Not affected | Not applicable | |
| Secure Software Manager | Not affected | Not applicable | |
| Document Signing Manager | Not affected | Not applicable | |

Enterprise

| Services | Impacted/Not affected | Patch status | Notes |
| --- | --- | --- | --- |
| API VICE2 | Not affected | Not applicable | |

DigiCert Gatekeeper Service

| Services | Impacted/Not affected | Patch status | Notes |
| --- | --- | --- | --- |
| GateKeeper | Not affected | Not applicable | |

QuoVadis

| Services | Impacted/Not affected | Patch status | Notes |
| --- | --- | --- | --- |
| DSS-Engine Production | Not affected | Not applicable | |
| DSS-Engine Staging | Not affected | Not applicable | |
| Trust/Link | Not affected | Not applicable | |
| SealSign Cloud Production | Not affected | Not applicable | |
| SealSign Cloud Staging | Not affected | Not applicable | |
| QVSS (QuoVadis Signing Service) | Not affected | Not applicable | |
| QuoVadis Qualified Timestamps | Not affected | Not applicable | |
| QuoVadis website Netherlands | Not affected | Not applicable | |
| QuoVadis NOVA System | Not affected | Not applicable | |
| TL/C Demo | Not affected | Not applicable | |
| TL/C Prod | Not affected | Not applicable | |
| PERSS | Not affected | Not applicable | |
| SixTerravis | Not affected | Not applicable | |
| Primosign | Not affected | Not applicable | |
| QuoVadis IDP | Not affected | | |

If you discover that your systems are affected by Log4j, DigiCert recommends that you create new keys, request replacement certificates, and revoke any impacted certificates from the compromised systems.

For further questions, contact DigiCert Support.