Codon Security Issue and Response
July 03, 2012 by Byron Sebastian
Heroku learned of and resolved a security vulnerability last week. We want to report this to you, describe how we responded to the incident, and reiterate our commitment to constantly improving the security and integrity of your data and source code.
On Tuesday, June 26, Jonathan Rudenberg notified us about an issue in our Codon build system. The Codon build system is responsible for receiving application code from Git and preparing it for execution on the Aspen and Cedar stacks. This vulnerability exposed a number of sensitive credentials which could be used to obtain data and source code of customer applications. Upon receiving notification, we rolled the most sensitive credentials. An initial patch was in place within 24 hours. The final patch was deployed to production after thorough testing on the morning of Friday, June 29. That same morning all relevant credentials were rotated.
Subsequent to this patch, we conducted a thorough and comprehensive audit of our internal logs. We found no evidence that these credentials were used to obtain customer data or credentials, either by Jonathan or any third parties.
We would like to thank Jonathan for notifying us of this vulnerability last week, and giving us ample opportunity to fix it. He provides his description of events on his blog at http://titanous.com/posts/vulnerabilities-in-heroku-build-system
We are confident in the steps we took to protect our customers from this vulnerability and are redoubling our efforts to provide you with the most secure cloud platform available. We would also like to reaffirm our commitment to the security and integrity of our customers' data and code. Nothing is more important to us.