Adobe Sign for Salesforce 20.9 Security Patch

Adobe Sign for Salesforce customers using a Salesforce Site should upgrade to the latest version as soon as possible. Adobe Sign for Salesforce version 20.9 addresses a vulnerability reported by the Salesforce security team on October 1, 2018. There has been no reported impact to Adobe Sign customers, but action is required.

How do I determine if I am using a Salesforce Site?

Your organization may be using a Salesforce Site with Adobe Sign for Salesforce if it was configured to use “Large Files for Signature” or “Push Agreements” (pushing agreements from Adobe Sign to Salesforce). If you are unsure whether you are using a Salesforce Site, you can check using the steps below.

What action do I need to take?

If you are using a Salesforce Site with Adobe Sign, you must:

• Ensure your IP whitelisting is correctly configured. See “Add the IP ranges for the site” in our Configuration Guide
• Upgrade to Adobe Sign for Salesforce v20.9 via AppExchange. See the Upgrade Guide for instructions

If you are using the “Push Agreements” or “Large Files for Signature” feature, you must take these steps to update the configuration before using either feature.

Do I need to take action if I am not using a Salesforce Site?

If you are not currently using a Salesforce Site, Adobe still recommends that all Adobe Sign for Salesforce customers upgrade to the latest version of Adobe Sign for Salesforce. This provides the latest security patches, important updates, and ensures that your version is currently supported by Adobe. Upcoming “End of Support” dates:

• Adobe Sign for Salesforce integration v16 and v17 - support ends November 15, 2018
• Adobe Sign for Salesforce integration v18 and lower - support ends March 1, 2019

1. In your Salesforce account, go to Setup > Sites.
2. If ANY of the following criteria apply, then you must take action:
   1. The site is active
   2. The site name and/or label contains AdobeSign or EchoSign
   3. The EchoSignCallback page is the Active Site Home Page
   4. The site Site Visualforce Pages section has the echosign_dev1.EchoSignAgreementPushCallback page added
   5. The Public Access Settings (site profile) has Adobe Sign objects, pages, or Apex classes assigned

How can I get more information?

For more information, please contact Support through the Adobe Sign. Your Support options are presented by first signing in to Adobe Sign (https://secure.echosign.com/public/login) and then selecting the “?” up in the top right hand corner. Alternatively, contact your customer success manager.