Download original attachment
(PDF file)

This is an HTML version of an attachment to the Freedom of Information request 'NDIS - Salesforce Security Vulnerability Assurance (Log4j2)'.

FOI 21/22-0740
DOCUMENT 1
From:
s47F - personal privacy
To:
s22(1)(a)(ii) - irrelevant material
Cc:
s22(1)(a)( i) - irrelevant mate; s22(1)(a)(ii) - irrelevant m
Subject:
Log4j2 vulnerability
Date:
Monday, 13 December 2021 2:08:11 PM
Hi s22(1)(a)( ,i)  
 
Thanks for your time just now to discuss what we know about the Log4j2 vulnerability. As
I mentioned on the call our Security team is still investigating, and as such, there is not a
great detail of information to share at present. The below FAQ hopefully reassures the
NDIA that we are actively protecting the NDIA's data.
At Salesforce, Trust is our #1 value, and we take the protection of our customers’ data 
very seriously. We are aware of the recently disclosed Apache Log4j2 vulnerability 
(CVE-2021-44228). We are actively monitoring this issue, and are working to patch any 
Salesforce services that either use the vulnerable component Log4j2 or provide it to 
customers.
What is the impact?
Salesforce currently has no evidence of unauthorized access to Salesforce 
systems or customer data due to this issue. Salesforce’s investigation remains 
ongoing at this time.
If Salesforce becomes aware of unauthorized access to Customer Data, we will 
notify impacted customers without undue delay.
Why did it take so long for you to alert us about this incident?
Salesforce always strives to notify customers as quickly as possible once a 
service-impacting event has been detected. 
Part of that detection involves investigating the overall scope of the impact as well 
as determining which customers are affected by the incident. 
In some cases, the initial investigation may take some time to determine what the 
actual impact is and which customers are affected. When that happens, the Trust 
post can be delayed. 
At Salesforce, we try to strike the balance between rapidly acknowledging an 
incident broadly and unnecessarily alerting customers to a situation that may not 
affect them.
Why weren’t we made aware of your intent to fix the vulnerability before you 
Page 1 of 2





made the change?
As part of our standard remediation process, when we discover security 
vulnerabilities, we act immediately to close them. Pre-notification risks giving 
unauthorized third parties more time and awareness to exploit the vulnerability, 
which would put the safety of your data and your business at risk.
How did Salesforce respond?
Salesforce is actively monitoring this issue and working to patch any Salesforce 
services that either use the vulnerable component, Log4j2, or provide it to 
customers.
We also have threat detections in place to alert for exploitation attempts.
What Salesforce products are vulnerable/affected?
For the protection of your company and other customers that may not yet have 
installed the security patch for this issue, we are not sharing this information at 
this time.
Where can I get additional information? 
We’re committed to keeping our customers informed. You can find the latest updates at 
https://status.salesforce.com.
As our internal FAQ is updated I will share any relevant details.
As always, any questions please dont hesitate to ask.
Thanks,
s47F - personal privacy  
Customer Success Director | Salesforce - Canberra, Australia
Mobile: s47F - personal privacy | Email: s47F - personal privacy
Follow us on: 
Page 2 of 2