Log4j Data Security Vulnerability: The AutoRABIT Response
The Salesforce CVE-2021-44228 Vulnerability
On December 9, 2021, Apache announced a security vulnerability in its Java-based logging utility, Log4j. The vulnerability is likely the largest of its kind found in the last decade.
This vulnerability is also known as CVE 2021-44228, or more colloquially as Log4Shell or LogJam.
Every internet-connected device that runs Apache Log4j is vulnerable to this flaw. Some of the world’s largest companies like Oracle, Amazon, and IBM have announced patches to guard against the negative ramifications and potential consequences.
So what does all this mean? How can the Apache Log4j vulnerability impact your Salesforce environment? And how can AutoRABIT keep your system safe?
What Does This Mean?
The Log4j vulnerability allows the execution of arbitrary code by exploiting the JNDI (Java Naming and Directory Interface). This type of hack can be successfully executed by even the most inexperienced hackers. All they have to do is force the application to add a single string to the log, which will then allow them to introduce their own lines of code into the application. From there, they have the potential to gain full control over the system.
CVSS is an industry-standard vulnerability metric. The Log4j vulnerability has received the highest score on this scale—a 10 out of 10.
There was an incomplete fix incorporated in Log4j 2.15, that has resulted in a new vulnerability CVE-2021-45046 against the JNDI interface that can allow for a Denial of Service Attack (DoS).
How Does This Affect Salesforce Developers?
The Salesforce Data Loader is a ubiquitous desktop tool for all Salesforce developers to set up their development environments. It uses Log4j and is vulnerable to arbitrary code execution on the laptops of developers. This creates a massive risk to organizations who are not aware of the vulnerability
Has AutoRABIT Been Impacted?
Since being alerted to this issue, we have conducted a thorough analysis across all our products and platforms.
We have determined that all AutoRABIT SaaS instances are secure and not impacted. These results have been validated by a third-party penetration firm.
AutoRABIT took the following actions as part of our overall defense strategy:
- We conducted extensive analysis and testing of all AutoRABIT products.
- We hired an external penetration testing firm to validate that the vulnerability could not be exploited. All exploitation attempts were unsuccessful.
- We configured the IDS/IPS with rules to specifically detect and block any attempts to exploit the issue.
- While we do not use the JndiLookup class responsible for the vulnerability, ARM does use log4j, so have we have disabled JNDI in the configuration of our instances.
- We will be upgrading all products to Log4J 2.17.1 once its confirmed that there are no additional issues over the next several weeks.
Self-hosted customers are recommended to immediately add security parameters to the log4j properties. If you are an AutoRABIT customer, please contact AutoRABIT support, and we will organize for our infrastructure team to support you in making these changes. If you’d like to evaluate the AutoRABIT Data Loader Pro as an alternative to Salesforce’s Data Loader, please contact [email protected].
Proper Salesforce data security requires a multi-tiered approach. AutoRABIT is the only complete Salesforce DevSecOps platform that provides multiple automated tools to keep your environment and development pipeline secure.