Security and Privacy are very important to us at Red Argyle. This post shares some information regarding a recent exploit known as “Log4j”. Log4j is a known vulnerability impacting a large number of software vendors across the globe, including Salesforce. The vulnerability is based on a logging feature hosted on some Java applications. A detailed description of the exploit is available from the Center for Internet Security and is located here.
Salesforce immediately began communicating its status on trust.salesforce.com. Their internal investigation and efforts are ongoing. Salesforce is providing assurance that they are proactively communicating any known issues directly with customers and patching any suspected impacted systems.
Red Argyle’s services are 100% rooted in the Salesforce.com platform. It appears that most of our customers and configurations will have no action items relating to their core Salesforce build; instead, Salesforce will be proactively remediating anything related to their infrastructure.
However, out of an abundance of caution, we do recommend the following actions:
- If you receive direct communication from Salesforce, please give it all due attention!
- Keep an eye on this Salesforce Trust article, which will be updated to share official updates from Salesforce on the status of their response.
- If you use Data Loader, upgrade to the latest version. Older versions are vulnerable to this exploit.
- If you use Slack, install the update.
- Beyond Salesforce, validate if you use other Java-powered applications within your organization’s technology stack. One list is available here; however, it’s not deemed fully inclusive, and it’s important to evaluate your own tech stacks with your security team to validate any vulnerabilities.
We will continue to monitor the situation and share updates if there are any impactful changes warranting further immediate action.
If you have questions, please email email@example.com, and we will have an engineer respond as quickly as possible to validate any possible action required.