Salesforce. I am scared about log4j vulnerability impact

Yury Bondarau
Dec 11, 2021
Unauthorised access seems possible

Dec 13: Silence

Apparently Salesforce is affected by this critical security vulnerability. Salesforce is not transparent in this case, which puts me in fear, not knowing what is actually happening.

After 4 days of silence, the latest update discloses a bit of the situation. It is still not clear which products are affected or how much was done to patch Salesforce services, but look at the quote below (from a screenshot):

If Salesforce becomes aware of unauthorized access to Customer Data, we will notify impacted customers without undue delay.

It sounds like we may expect unauthorized access to customer data in Salesforce, which is really scary.

Dec 15: status of products has been provided

We finally have the status of the Log4j issue; it was published in a knowledge article:

It looks like all the services were affected, including Platform, Slack and Tableau. Currently Salesforce is working on fixing the vulnerability. Thanks, Salesforce, for sharing.

Dec 16: some good news, but still not the end

We were all crossing our fingers for Salesforce engineers to patch all the affected services as soon as possible, and on Dec 16 they patched Log4j in the majority of products for customer-facing services. A good start: they closed potentially the biggest breach, but there is still much to do.

Dec 19: patched, but still waiting for third parties

Salesforce-owned services have been patched to address the issues currently identified in CVE-2021-44228 and CVE-2021-45046. We are awaiting patching confirmation from our third-party vendors and will be executing our final validation steps upon confirmation.
