Updated Advice for Apache Log4j vulnerability

Advice as of December 20th

As the security analysis of issues related to Apache Log4j 2 continues, a new vulnerability has been identified by Apache.

To address this new vulnerability, on Sunday, December 19th Tableau released a new maintenance patch and updated instructions for mitigating the risk.

The December 19th, 2021 Tableau Product releases have integrated the log4j 2.16 release, which disables JNDI Lookup by default. This action addresses both CVE-2021-44228 & CVE-2021-45046.

By updating to the product releases from December 19, 2021, you are addressing the security issues currently identified in CVE-2021-44228 & CVE-2021-45046.

While upgrading is the recommended path, there is a second option provided to implement a temporary security change to mitigate the vulnerability.

The two methods provided by Tableau are:

  1. Upgrade to the latest maintenance release for every Tableau product – Option 1 in this KB article
  2. Implement a temporary security change – Option 2 in this KB article

Due to the high risk associated with this security flaw, it is recommended that you upgrade all Tableau Products as soon as is feasible or implement mitigation steps as described in option 2 of the above knowledge base article.

The latest maintenance release for Tableau Server versions can be found here:

The latest maintenance release for Tableau Desktop versions can be found here:

The latest maintenance release for Tableau Prep versions can be found here:

The latest maintenance release for Tableau Bridge versions can be found here:

The latest version for Tableau Reader can be found here:

The latest version for Tableau Public Desktop can be found here:

If you are running Tableau Products on v2020.3 or prior then this version is no longer under Tableau Support Maintenance, and to make use of this security patch you will need to upgrade to v2020.4 or above. The application of the temporary security fix (Option 2) may not provide mitigation on versions prior to v2020.4.

Recommended actions

Official announcements

Continue to monitor the official announcements from Salesforce on this issue here:

https://status.salesforce.com/generalmessages/826

Test for Breaches in your current Server Deployment

Before performing an upgrade on your Tableau Server it is important to validate whether your Tableau environment has already been compromised through the Apache Log4j vulnerability. Please see our blog post here for more details on monitoring for breaches.

If you find confirmation that your system has been compromised, we advise you to consider shutting down the server and setting up a new instance, installing a fresh version of Tableau Server and restoring your environment from your backups. Additionally, it is worth considering using a backup taken before 10th December 2021, when the issue was identified.

Implement the maintenance patch for all Tableau products


Frequently asked questions

What version of the Apache patch is included in the new maintenance release?

The December 19th, 2021 Tableau Product releases have integrated the log4j 2.16 release, which disables JNDI Lookup by default. This action addresses both CVE-2021-44228 & CVE-2021-45046.

By updating to the product releases from December 19, 2021, you are addressing the security issues currently identified in CVE-2021-44228 & CVE-2021-45046.
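The answer above turns on which log4j-core build is bundled in an install. The following is an added example, not Tableau's tooling: it walks an install tree, reads the version from each log4j-core jar's manifest, and reports which of the two CVEs named in this advisory that version still leaves open. The 2.15.0 threshold for CVE-2021-44228 comes from Apache's own release history, not from this page; the sample tree is constructed in a temp directory and is not a real Tableau layout.

```python
import os
import re
import tempfile
import zipfile

# Versions in which each CVE named in the advisory is addressed (2.16 covers both).
FIX_44228 = (2, 15, 0)  # from Apache's release notes, not stated on this page
FIX_45046 = (2, 16, 0)  # JNDI lookup disabled by default, as the advisory says

def parse_version(text):
    # '2.16.0' or '2.16' -> comparable tuple; missing components count as 0
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def open_cves(version):
    # Which of the two CVEs a bundled log4j-core of this version still leaves open
    v = parse_version(version)
    cves = []
    if v < FIX_44228:
        cves.append("CVE-2021-44228")
    if v < FIX_45046:
        cves.append("CVE-2021-45046")
    return cves

def jar_version(path):
    # Prefer Implementation-Version from the manifest; fall back to the filename
    with zipfile.ZipFile(path) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return m.group(1) if m else os.path.basename(path)[len("log4j-core-"):-len(".jar")]

def scan(root):
    # Walk an install tree and map every log4j-core jar (relative path) to its open CVEs
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core-") and name.endswith(".jar"):
                full = os.path.join(dirpath, name)
                findings[os.path.relpath(full, root)] = open_cves(jar_version(full))
    return findings

def demo():
    # Constructed sample tree (not a real Tableau install): one old jar, one patched jar
    root = tempfile.mkdtemp()
    for version in ("2.14.1", "2.16.0"):
        with zipfile.ZipFile(os.path.join(root, f"log4j-core-{version}.jar"), "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF",
                         f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
    return scan(root)
```

Point `scan()` at the directory of an actual installation after upgrading; an empty list for every jar means both CVEs in this advisory are addressed.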

We do not use Tableau Server, should I still take steps?

Yes, we recommend that you take appropriate steps for any Tableau products that you have in use within your organisation such as Desktop, Prep, Bridge or Public.

How can I prepare for a Tableau Server upgrade?

Tableau provides a flow chart describing the key steps in preparing for an upgrade to your servers. The help page for Windows servers can be found here, and for Linux servers can be found here.

What are the steps in performing a Tableau Server upgrade?

Tableau provides a flow chart describing the key steps in performing an upgrade to your servers. The help page for Tableau Server versions 2018.2 and above for Windows servers can be found here, and for Linux servers can be found here.

How can I troubleshoot a failed Tableau Server upgrade?

If you run into issues performing the upgrade you can refer to the steps for Troubleshooting Upgrades which can be found here for Windows servers, and here for Linux servers.

If an upgrade fails it can impact any subsequent upgrade attempt. In these situations it is possible to use Tableau’s Obliterate Script to remove the failed installation, allowing you to perform a fresh install and restore. Documentation on the Obliterate Script can be found here for Windows servers and here for Linux servers.

Important Note – before initiating the upgrade or obliterate process, ensure you have a safe copy, saved in a location separate from your Tableau environment, of the data backup (backup.tsbak) and the configuration backup (settings.json), as well as any secondary files and user account details required to fully recover your system.