Heroku Security Notification - April 2022

Heroku Reported: "Potentially" compromised OAuth tokens

  • GRAX did use the Heroku and GitHub integration to deploy our code to customer Heroku apps. This has been disabled by Heroku.
  • GRAX now uses “git push” deployments from a GRAX collaborator on customer apps for the time being.
  • GRAX reviewed the GitHub repositories that the Heroku OAuth tokens would have had access to and found no malicious activity.

Heroku Incident Description

[Screenshot of Heroku's incident description, captured 2022-04-16]


Migrate Off Heroku to Your Own AWS, Azure, or Internal Environment

GRAX assists, free of charge, with migrating from Heroku to a customer-owned AWS or Azure account, or to any other compute platform. GRAX can be deployed in the most restrictive, fully private environments that the customer owns, defines, and manages.


Heroku Log Drain Update

On Tuesday, May 3, Salesforce began notifying Heroku customers who owned apps with custom-configured log drains. The notice stated, in part: "We have identified a subset of your applications that have custom (non-add-on-provider) log drains configured. We recommend updating and refreshing the credentials used with those log drains as soon as possible."

While GRAX does use log drains on all Heroku applications for aggregated monitoring, this notice does not concern our usage, nor does it mean the security of your apps is compromised. If a threat actor were to gain access to the log drain information for GRAX applications, they still would not be able to consume or monitor that drain. Regardless, GRAX never logs any secret data, including configuration secrets or Salesforce data records, to this drain or any other target.
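For customers who want to act on Salesforce's recommendation for their own apps, the following is an added illustrative example (not GRAX or Heroku code) of how to tell custom drains apart from add-on-provider drains and rotate a credential embedded in a drain URL. It assumes the JSON shape printed by `heroku drains --json` (one object per drain with `addon`, `url`, `token` and `id` fields, where `addon` is null for custom drains) and that `heroku drains:remove` accepts the drain token as an identifier; the drain list below is a constructed sample, not output from a real app.

```python
"""Find custom (non-add-on-provider) Heroku log drains and plan a credential rotation.

Illustrative example only. Assumes the `heroku drains --json` output shape and
operates on a constructed sample rather than a live application.
"""
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of what `heroku drains --json --app <app>` prints.
# The first drain belongs to an add-on provider (`addon` is set); the second is
# a custom drain whose URL carries a basic-auth credential (`addon` is null).
SAMPLE_DRAINS_JSON = json.dumps([
    {
        "id": "11111111-1111-1111-1111-111111111111",
        "addon": {"id": "22222222-2222-2222-2222-222222222222",
                  "name": "logging-addon-example-12345"},
        "url": "syslog+tls://logs.addon-provider.example:12345",
        "token": "d.aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
    },
    {
        "id": "33333333-3333-3333-3333-333333333333",
        "addon": None,
        "url": "https://drain-user:OLD-SECRET@logs.example.internal/ingest",
        "token": "d.bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
    },
])


def custom_drains(drains_json: str) -> list:
    """Return only the custom (non-add-on-provider) drains, i.e. those without an addon."""
    return [d for d in json.loads(drains_json) if d.get("addon") is None]


def _netloc_with_password(parts, password: str) -> str:
    """Rebuild the netloc of a split URL with the given password in its userinfo."""
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    return f"{parts.username}:{password}@{host}"


def redact_url(url: str) -> str:
    """Mask any credential embedded in a drain URL so it is safe to put in a report."""
    parts = urlsplit(url)
    if parts.username is None:
        return url
    netloc = _netloc_with_password(parts, "***")
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def rotate_url_credential(url: str, new_secret: str) -> str:
    """Replace the password in a drain URL's userinfo with a freshly issued secret."""
    parts = urlsplit(url)
    if parts.username is None:
        raise ValueError("drain URL carries no userinfo credential to rotate")
    netloc = _netloc_with_password(parts, new_secret)
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def rotation_plan(drains_json: str, app: str, new_secret: str) -> list:
    """Build the CLI steps that replace each custom drain with one using a new credential.

    Commands are returned as strings for operator review rather than executed here.
    The remove step uses the drain token so the old secret is not echoed; drains whose
    URL embeds no credential (e.g. client-cert syslog) are flagged for manual review.
    """
    steps = []
    for d in custom_drains(drains_json):
        if urlsplit(d["url"]).username is None:
            steps.append(f"# manual review: {d['url']} has no URL-embedded credential")
            continue
        new_url = rotate_url_credential(d["url"], new_secret)
        steps.append(f"heroku drains:remove {d['token']} --app {app}")
        steps.append(f"heroku drains:add {new_url} --app {app}")
    return steps


if __name__ == "__main__":
    for drain in custom_drains(SAMPLE_DRAINS_JSON):
        print("custom drain:", redact_url(drain["url"]))
    for step in rotation_plan(SAMPLE_DRAINS_JSON, "example-app", "NEW-SECRET"):
        print(step)
```

The new secret must of course also be provisioned on the receiving log endpoint before the `drains:add` step, otherwise the rotated drain will deliver nothing.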

GRAX doesn't plan remediation for this notice about log drains, as it poses no known security risk to customer data.