This is an HTML version of an attachment to the Freedom of Information request 'NDIS - Salesforce Security Vulnerability Assurance (Log4j2) post 13 Dec 21'.
DOCUMENT 1
FOI 21/22-1290
From: s47F - personal privacy
To: s22(1)(a)(ii) - irrelevant material
Cc: s22(1)(a)(ii) - irrelevant material
Subject: CAUTION: Email may contain unverified link [be careful if proceeding] Re: Log4j2 vulnerability
Date: Wednesday, 15 December 2021 2:10:32 PM
Just to clarify, references to Service Cloud in the below links also imply Health Cloud, as they share the same underlying CRM platform.
Thanks,
s47F - personal privacy
Customer Success Director | Salesforce - Canberra, Australia
Mobile: s47F - personal privacy | Email: s47F - personal privacy
On Wed, 15 Dec 2021 at 14:03, s47F - personal privacy wrote:

Hi  and team,
s22(1)(a)(ii)

We have updated the public status page with a link to products we understand to be affected. The product list can be found here: https://help.salesforce.com/s/articleView?language=en_US&type=1&id=000363736

Additionally, we have some advice as to whether you have noticed any log activity from Shield.
I am a Shield customer and I think I've observed exploitation in my logs, can you confirm?

Public reports indicate high levels of scanning on the internet after the disclosure of this vulnerability. While this type of scanning can sometimes generate U-log events in which user agents are represented by exploit codes, Shield logs alone do not indicate proof of successful exploitation.

Salesforce is actively monitoring this issue, and working to patch any of our services that either use the vulnerable component Log4j2 or provide it to customers. If we become aware of unauthorized access to customer data, we will notify impacted customers without undue delay.
I will send through updates as I see them. Any questions, please let me know.

Thanks,
s47F - personal privacy
Customer Success Director | Salesforce - Canberra, Australia

Page 1 of 8
incident broadly and unnecessarily alerting customers to a situation that may not affect them.

Why weren't we made aware of your intent to fix the vulnerability before you made the change?

As part of our standard remediation process, when we discover security vulnerabilities, we act immediately to close them. Pre-notification risks giving unauthorized third parties more time and awareness to exploit the vulnerability, which would put the safety of your data and your business at risk.

How did Salesforce respond?

Salesforce is actively monitoring this issue and working to patch any Salesforce services that either use the vulnerable component, Log4j2, or provide it to customers.
We also have threat detections in place to alert for exploitation attempts.

What Salesforce products are vulnerable/affected?

For the protection of your company and other customers that may not yet have installed the security patch for this issue, we are not sharing this information at this time.

Where can I get additional information?

We're committed to keeping our customers informed. You can find the latest updates at https://status.salesforce.com.

As our internal FAQ is updated I will share any relevant details.
As always, any questions, please don't hesitate to ask.
Thanks,
s47F - personal privacy
Customer Success Director | Salesforce - Canberra, Australia
Mobile: s47F - personal privacy | Email: s47F - personal privacy

Page 3 of 8