2021-13-12 Update

Coveo Is NOT Vulnerable to the Apache Log4j RCE

Upon being made aware of the vulnerability, we used a tool for software composition analysis that allowed us to pinpoint the vulnerable library in Coveo applications. Although some Coveo components were using the vulnerable library, we confirmed that the Java Virtual Machine (JVM) version used mitigated the Log4j attack surface by disabling a vulnerable configuration. We were also able to confirm that no customer data has been affected in connection with this vulnerability.

In order to fully remediate the vulnerable component, our teams have taken the necessary steps to update the Log4j library.