December 13, 2021 Update
Coveo Is NOT Vulnerable to the Apache Log4j RCE
Upon being made aware of the vulnerability, we used a software composition analysis tool to pinpoint the vulnerable library in Coveo applications. Although some Coveo components were using the vulnerable library, we confirmed that the Java Virtual Machine (JVM) version in use mitigated the Log4j attack surface by disabling a vulnerable configuration. We also confirmed that no customer data has been affected in connection with this vulnerability.
To fully remediate the vulnerable component, our teams have taken the necessary steps to update the Log4j library.