Addressing the Salesforce Data Loader Log4j Issue with AutoRABIT
The Log4j data security vulnerability has the potential to impact a singular company multiple times. This is why it received the highest threat level designation from CVSS.
The SolarWinds hack cost the company around $18 million dollars in the first few months of 2021. And this was the result of a single entry point introduced to the DevOps pipeline. As bad as this is, it was rated a nine out of ten by the CVSS. The Log4j vulnerability received a ten out of ten.
We mention this comparison to illustrate the severity of the Log4j vulnerability. The SolarWinds attack was the result of an attack on the build server to create a back door. The Log4j vulnerability exists in the tool itself which will be present on the computers of every developer that uses it—which could potentially create hundreds of potential entry points.
What is the Salesforce Data Loader?
Salesforce Data Loader is a discontinued tool built by Salesforce itself. It is a widely used tool that helps Salesforce developers configure their sandboxes. The prevalence of this tool means that there are millions of copies in use—which creates millions of potential vulnerabilities.
This tool is no longer being produced by Salesforce and is now available open sourced on Github. And while Salesforce has added a note responding to the Log4j vulnerability, they fail to mention its effect on their data loader.
Why is This a Threat?
Even inexperienced hackers can make use of a vulnerability like this to take control over a user’s environment. Supply chain hacks like these are generally the result of covert lines of code entered into a single environment to compromise the system. However, in this case, the tool is already compromised and likely used in every developer’s environment.
The SolarWinds attack was very costly because it went unnoticed for a long time. The Salesforce Data Loader Log4j vulnerability has also gone unnoticed in the firestorm around Log4J and has the potential to continue being unrecognized. The difference is that Log4j is much more prevalent and can be present on multiple devices within a singular environment.
What Are the Next Steps?
First, you must understand the scale of your exposure by figuring out which developers are using Salesforce’s Data Loader. And if their version is older than one day, it’s vulnerable to the Log4j defect. AutoRABIT customers have this covered as you can deploy local rules via the VS-Code IDE plug-in to detect and rollup the risk.
What should you do if you are exposed to this vulnerability?
The Log4j risk necessitates all of your developers manually update their versions of the Salesforce Data Loader. However, the data Loader is no longer distributed directly by Salesforce. It is available on Github, but additional flaws have been discovered since the initial disclosure on December 9th, 2021.
A secure, scalable, and feature-rich data loader that is not only invulnerable to the Log4j issue but also supported by a world class team provides the best environment to avoid joining the already 900,000 cyberattack victims. AutoRABIT’s Data Loader is able to provide the coverage you need to remain operational and avoid the consequences of a costly hack.
On December 9, 2021, Apache announced a security vulnerability in its Java-based logging utility, Log4j. The Log4j vulnerability allows the execution of arbitrary code by exploiting the JNDI (Java Naming and Directory Interface).
Salesforce itself is not affected by the Log4j vulnerability. However, the Salesforce data loader is, so your environment is at risk if you use this tool and have not directly addressed it.
The Salesforce data loader has been discontinued by Salesforce but is still available open sourced on Github. It is vulnerable to the Log4j risk.