Over the past few weeks, Heroku proactively updated our entire Redis fleet with a version of Redis not vulnerable to CVE-2018-3760. This was an embargoed vulnerability, so we did this work without notifying our customers about the underlying cause. As always, our goal was to update all Heroku Redis instances well before the embargo expired.

Rolling The Heroku Redis Fleet - Blog Post

As a Data Infrastructure Engineer at Heroku, I wanted to share how we manage large fleet operations such as this one. The most important aspect of our job is keeping customers safe from security vulnerabilities, while also minimizing disruption and downtime. Those two objectives are often at odds with each other, so we work hard to reduce the impact...


Today we are pleased to announce general availability of Heroku Shield Connect, the latest addition to our lineup of Heroku Shield services.

Heroku Shield, announced last year, enabled new capabilities for Dynos, Postgres databases and Private Spaces that make Heroku suitable for high compliance environments such as those that fall under the Health Insurance Portability and Accountability Act (HIPAA) regulations. Heroku Shield Connect extends this offering by enabling high performance, fully automated, and bi-directional data synchronization between Salesforce and Heroku Postgres for companies that need to build HIPAA-compliant applications - all in a matter of a few clicks.

With this...


Today we’re announcing two exciting TLS improvements for apps running in Private Spaces—Heroku’s runtime optimized for security-sensitive workloads that require network and tenant isolation:

  • Automated Certificate Management to automatically create, configure, and renew free TLS certificates for custom domains on Private Space apps
  • Expanded and updated cipher suite selections for TLS/SSL termination for Private Space apps

Together, ACM and greater TLS cipher suite flexibility makes building secure apps in Heroku Private Spaces simpler and less burdensome. Read on for details.

Automated Certificate Management

Automated Certificate Management (ACM) is now available at no extra cost for...


All previously released versions of Sprockets, the software that powers the Rails asset pipeline, contain a directory traversal vulnerability. This vulnerability has been assigned CVE-2018-3760.

How do I know if I'm affected?

Rails applications are vulnerable if they have this setting enabled in their application:

# config/environments/production.rb config.assets.compile = true # setting to true makes your app vulnerable 

Note: The default value of this setting that ships with Rails in production.rb is false. By default, Rails apps running in production mode are not vulnerable to this exploit.

How do I fix it?

To remediate this vulnerability, applications can either change the...


On May 10, 2018, we received notice about two critical vulnerabilities in Redis, both embargoed until this morning.

Upon this notice, our Data Infrastructure team proceeded to patch all internal and customer databases in response to these vulnerabilities. As of today, all customer databases have been patched successfully.

At Heroku, customer trust is our most important value - and we are grateful to have your trust in keeping a globally-distributed data fleet safe from harm. If you’re interested in more behind the scenes details, check out our engineering blog post on how our Data Infrastructure team undertook the effort to patch our entire Redis fleet.


Browse the blog archives or subscribe to the full-text feed.