Coveo HIPAA incident

Coveo Is NOT Vulnerable to CVE-2021-44228 - Apache Log4j RCE


Coveo HIPAA experienced a notice incident on December 14, 2021 affecting Search - Search Service and Search - Hosted Search Pages and 1 more component. The incident has been resolved; the full update timeline is below.

Started: Dec 14, 2021, 04:20 PM UTC
Resolved: Dec 14, 2021, 04:20 PM UTC
Detected by Pingoru: Dec 14, 2021, 04:20 PM UTC

Affected components

Search - Search Service
Search - Hosted Search Pages
Platform - Platform Service
Platform - Authentication Service
Platform - Administration Console
Indexing Pipeline - Source Service
Indexing Pipeline - Push API
Indexing Pipeline - Document Processing
Indexing Pipeline - Crawling Module
Analytics - Analytics Write API

Update timeline

  1. resolved Dec 14, 2021, 04:20 PM UTC

    Upon being made aware of the vulnerability, we used a tool for software composition analysis that allowed us to pinpoint the vulnerable library in Coveo applications. Although some Coveo components were using the vulnerable library, we confirmed that the Java Virtual Machine (JVM) version used mitigated the Log4j attack surface by disabling a vulnerable configuration. We were also able to confirm that no customer data has been affected in connection with this vulnerability. In order to fully remediate the vulnerable component, our teams have taken the necessary steps to update the Log4j library. If you need help or to get in touch with us, please visit our Help Portal.