Date | Topic | Name | Description
April 1, 2022 | Advisory | Spring4Shell | Spring4Shell vulnerability (CVE-2022-22965).
December 11, 2021 | Advisory | Apache Log4j2 | Apache Log4j2 vulnerabilities (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105).
January 5, 2018 | Advisory | Meltdown & Spectre Vulnerabilities | Vulnerabilities affecting a wide range of computer processors.

Date: April 1, 2022

Security Advisory: Spring4Shell

We are aware of the remote code execution vulnerability known as 'Spring4Shell', which has been discovered in VMware's widely used Spring IO (tracked as CVE-2022-22965), and started an investigation on March 31st, 2022 into the applicability and potential impact of this vulnerability to FinancialForce. To that end, we have been running targeted code scans and monitoring third-party advisories. Thus far we have identified 5 internal projects which use the affected Spring versions; however, the original proof-of-concept exploit depends primarily on Tomcat, which is not used within our infrastructure, potentially making any exploitation moot. Lastly, we are currently reviewing any patch upgrades required to mitigate this vulnerability.

In summary, we have not discovered any compromise as a result of this vulnerability.

Date: January 6, 2022 | 4pm UTC

Security Advisory: Apache Log4j2

At FinancialForce, trust is our number one value. We want to alert you to an important security issue and let you know how we are addressing it.

We are aware of the Apache Log4j2 vulnerabilities (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105), and started an investigation on December 11, 2021 into the applicability of these vulnerabilities to FinancialForce. We have concluded that we do not run the Log4j2 component and have not found any internal instances supporting our service which are affected by the Apache Log4j2 vulnerabilities (CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105). To that end, we conducted a thorough investigation, scanned all HTTP resources and found one partially vulnerable resource, which we have patched accordingly. We will continue to monitor the impact of these vulnerabilities and will take the necessary steps for remediation as required. Salesforce, our sub-processor, is currently remediating on their end; status can be read here and here.

Thank you for putting your trust in FinancialForce.

Date: January 5, 2018

Security Advisory: Meltdown & Spectre Vulnerabilities

At FinancialForce, trust is our number one value. We want to alert you to an important security issue and let you know how we are addressing it.

Earlier this week it was reported that most central processing units (CPUs) may contain two critical security vulnerabilities, dubbed "Meltdown" and "Spectre." Like most companies, FinancialForce uses systems that are impacted by these vulnerabilities.

Nothing is more important to us than the security of our customers’ data. As part of our Security and Trust Program, we continuously monitor our systems for threats and vulnerabilities, including attempts to exploit Meltdown and Spectre. So far, FinancialForce has not seen any indications of attempts to exploit these vulnerabilities against our systems. We are also actively monitoring for updates by chip makers and operating system providers, and applying security patches to our systems as they become available. In addition, we are communicating with key vendors - including Salesforce, which hosts our products - on their progress in patching their systems and monitoring for potential attacks.

Thank you for putting your trust in FinancialForce.