Heroku Security Notification - April 2022

Heroku Reported: "Potentially" compromised OAuth tokens

  • GRAX used the Heroku GitHub integration to deploy our code to customer Heroku apps. Heroku has since disabled this integration.
  • For the time being, GRAX will instead use “git push” deployments performed by a GRAX collaborator on customer apps.
  • GRAX reviewed the GitHub repos that the Heroku OAuth tokens would have had access to and did not see any malicious activity.

Heroku Incident Description

[Screenshot of the Heroku incident description, captured 2022-04-16]

Migrate Off Heroku to Your AWS, Azure, or Internal Infrastructure

GRAX will assist with a migration from Heroku to customer-owned AWS, Azure, or any other compute platform free of charge. GRAX can be deployed in the most restrictive, 100% private environment(s) that the customer owns, defines, and manages.

Heroku Log Drain Update

On Tuesday, May 3rd, Salesforce began notifying Heroku customers who owned apps with custom-configured log drains. In part, that statement read: “we have identified a subset of your applications that have custom (non-add-on-provider) log drains configured. We recommend updating and refreshing the credentials used with those log drains as soon as possible.” While GRAX does use log drains on all Heroku applications for aggregated monitoring, this notice does not concern our use of them, nor does it mean that the security of your apps is compromised. If a threat actor were to gain access to the log drain information for GRAX applications, they still would not be capable of consuming or monitoring that drain. Regardless, GRAX never logs any secret data, including configuration secrets or Salesforce data records, to this drain or any other target.

GRAX does not plan remediation for this notice about log drains, as it poses no known security risk to customer data.
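As an added example (not GRAX's or Heroku's code), the Python helper below shows the check a Heroku app owner would want after the May 3rd notice: it separates custom (non-add-on-provider) drains from add-on drains, redacts any credential embedded in a drain URL before printing, and builds the Heroku CLI steps that rotate an HTTPS drain's basic-auth secret. The JSON shape it parses (log-drain objects with `addon`, `url`, `token` and `id` fields, as returned by `heroku drains --json --app APP`), the sample drains, the app name `demo-app`, and passing the drain token to `heroku drains:remove` are assumptions; the sample data is constructed so the script runs offline.

```python
"""Inventory Heroku log drains and build credential-rotation commands.

Added example for this notice; it is not GRAX or Heroku code. The JSON
shape (log-drain objects with `addon`, `url`, `token`, `id`) is assumed to
match `heroku drains --json --app APP`; the data below is constructed.
"""
import json
import secrets
from typing import List, Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed sample shaped like `heroku drains --json` output (assumption).
SAMPLE_DRAINS_JSON = json.dumps([
    {   # add-on provider drain: managed by the provider, not a "custom" drain
        "id": "01234567-89ab-cdef-0123-456789abcdef",
        "addon": {"id": "addon-id-placeholder", "name": "logging-addon-example-1234"},
        "url": "syslog+tls://logs.example-addon.test:1234",
        "token": "d.aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    },
    {   # custom HTTPS drain with basic-auth credentials embedded in the URL
        "id": "fedcba98-7654-3210-fedc-ba9876543210",
        "addon": None,
        "url": "https://grax-monitor:OLDSECRET123@logs.example.test/ingest?app=demo",
        "token": "d.11111111-2222-3333-4444-555555555555",
    },
    {   # custom syslog drain with no credential in the URL (nothing to rotate here)
        "id": "00000000-1111-2222-3333-444444444444",
        "addon": None,
        "url": "syslog+tls://collector.example.test:6514",
        "token": "d.66666666-7777-8888-9999-aaaaaaaaaaaa",
    },
])


def custom_drains(drains_json: str) -> List[dict]:
    """Return only custom (non-add-on-provider) drains: the ones the notice covers."""
    return [d for d in json.loads(drains_json) if d.get("addon") is None]


def _host_with_port(parts) -> str:
    host = parts.hostname or ""
    return f"{host}:{parts.port}" if parts.port else host


def redact_url(url: str) -> str:
    """Mask the password in a drain URL so it is safe to print or log."""
    parts = urlsplit(url)
    if parts.password is None and parts.username is None:
        return url
    netloc = f"{parts.username or ''}:***@{_host_with_port(parts)}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def rotate_url_credentials(url: str, new_secret: str) -> Optional[str]:
    """Return the URL with its embedded password replaced, or None if it has none."""
    parts = urlsplit(url)
    if parts.password is None:
        return None
    netloc = f"{parts.username or ''}:{new_secret}@{_host_with_port(parts)}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def rotation_plan(app: str, drains_json: str, new_secret: str) -> List[str]:
    """Build CLI steps that rotate each credentialed custom drain.

    A drain URL is replaced rather than edited: the new drain is added first
    (so the collector keeps receiving events), then the old one is removed by
    its token (assumed accepted by `heroku drains:remove`), which keeps the
    old secret out of the printed plan.
    """
    steps = []
    for d in custom_drains(drains_json):
        rotated = rotate_url_credentials(d["url"], new_secret)
        if rotated is None:
            steps.append(f"# {d['id']}: custom drain {redact_url(d['url'])} carries no "
                         "URL-embedded credential; rotate on the receiver side instead")
            continue
        steps.append(f"heroku drains:add '{rotated}' --app {app}")
        steps.append(f"heroku drains:remove {d['token']} --app {app}")
    return steps


if __name__ == "__main__":
    # Fresh URL-safe secret; configure it on the collector before applying the plan.
    plan = rotation_plan("demo-app", SAMPLE_DRAINS_JSON, secrets.token_urlsafe(24))
    print("\n".join(plan))
```

To use it against a real app, feed the output of `heroku drains --json --app <app>` to `rotation_plan` in place of the sample, and make the collector accept the new secret before running the printed steps; the add-then-remove order avoids a gap in delivery while both drains briefly coexist.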