Welcome to Acquia's Security Portal; notice we have three portals via the dropdown above. Please select the portal you are interested in.
Our commitment to data privacy and security is embedded in every part of our business. Use this portal to learn about our security posture and request access to our security documentation.
This portal is for our Acquia Cloud Platform and supporting products like Search, Email, Code Studio, Edge and Site Studio offerings.
In alignment with Acquia's Digital Experience Platform vision, Acquia is formally releasing today the 2024 ISO27001 and CSA STAR Certificates and associated supporting Statement of Applicability. With the 2024 recertification, we have terminated the Acquia DAM (Widen) ISO27001 Certificate in favor of one ISMS and one certificate.
To demonstrate the Company’s dedication to information security, Acquia implemented an Information Security Management System (ISMS) to conform to the requirements of ISO/IEC 27001:2022 (ISO 27001). A-LIGN Compliance and Security, Inc. (A-LIGN) was engaged by Acquia to perform the recertification audit to validate conformity and certify the Company’s ISMS against the ISO 27001:2022 and CSA CCM v4.0.3 standards.
The scope of the 2024 certification included the comprehensive Digital Experience Platform (DXP) which includes the Acquia Cloud Enterprise (ACE) & Site Factory (ACSF) services, Digital Asset Management (DAM), Customer Data Platform (CDP) and Campaign Studio/Factory (CS/CF) solutions.
Notice: Security exploit discovered with 3rd party service polyfill[.]io
Acquia has been made aware that a common third party service, polyfill[.]io, has known security vulnerabilities which may impact applications using this project. Further information regarding this vulnerability can be found on drupal.org: 3rd Party Libraries and Supply Chains - PSA-2024-06-26. The potential impact of this exploit includes but is not limited to the popular module: Drupal Webform module. A list of projects currently known to be impacted can be found here.
Due to our shared responsibility model Acquia is unable to mitigate this security vulnerability for impacted customer applications. Acquia’s recommendation for remediation can be found in this knowledge base article. For most customers this means updating impacted modules to a secure version, applying a patch to remediate the vulnerability, or removing impacted modules. We highly recommend that customers check their application(s) and take any necessary steps for remediation in order to ensure their application(s) remain secure.
If you have any questions or concerns regarding the polyfill[.]io library, please contact Acquia Support by logging in to accounts.acquia.com and visiting the Acquia Help Center.
Today, 7/1/2024, the Qualys Threat Research Unit released a blog post detailing a vulnerability, CVE-2024-6387, in OpenSSH’s server (sshd) in glibc-based Linux systems. The vulnerability, which is a signal handler race condition in OpenSSH’s server (sshd), allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems; that presents a significant security risk. This race condition affects sshd in its default configuration.
At this point in time, the assessment is that Acquia remains unaffected as triaged by Canonical (https://ubuntu.com/security/CVE-2024-6387). Acquia continues its independent analysis and will update here with any further information.
Acquia was notified by a private party (thanks to that client) that there was an impending vulnerability release scheduled for 6-25-2024. Upon notification, we confirmed that MOVEit has not been introduced into Acquia's environment and that Acquia remains unaffected by any vulnerabilities facing MOVEit. Acquia will continue to act on any intelligence we gather or receive to protect our services and the data entrusted to us.
To Whom It May Concern, Acquia is aware of the ongoing discussion and information sharing relating to Snowflake and the attacks that are/were targeting their clients. Acquia utilizes Snowflake for Acquia DAM and CDP. Upon awareness of possible impact to services, Acquia began an investigation that to date has not identified any impact to our services. Continued monitoring and implementation of best practices for authentication and authorization will be followed to maintain the confidentiality, integrity and availability of services
If you think you may have discovered a vulnerability, please send us a note.