Last Modified Date: 30 Jan 2022
Environment
The following product versions or lower have been identified as affected:
- Tableau Desktop 2021.4, 2021.3.4, 2021.2.5, 2021.1.8, 2020.4.11, 2020.3.14, 2020.2.19, 2020.1.22, 2019.4.25, 2019.3.26, 2019.2.29, 2019.1.29, 2018.3.29
- Tableau Public Desktop Client 2021.4
Resolution
Option 1: Update Tableau
For customers with active maintenance, if you have not updated from an impacted version (any product release prior to December 15, 2021), or have updated to the December 15, 2021 product release, please update to one of the newer releases:
The December 15, 2021 Tableau Product releases updated the Log4j2 files to version 2.15. There may be diagnostic or auxiliary components still remaining. We have mitigated these outstanding components with configuration changes that disable the vulnerable JNDI lookup functionality.
- Tableau Desktop 2021.4.1, 2021.3.5, 2021.2.6, 2021.1.9, 2020.4.12
The December 19, 2021 Tableau Product releases have integrated the Log4j 2.16 release, which disables JNDI Lookup by default. This action addresses both CVE-2021-44228 & CVE-2021-45046.
- Tableau Desktop 2021.4.2+, 2021.3.6+, 2021.2.7+, 2021.1.10+, 2020.4.13+
By updating to the product releases from December 19, 2021, you are addressing the security issues currently identified in CVE-2021-44228 & CVE-2021-45046.
Option 2: Remove the JndiLookup class. Execute the mitigation steps detailed below if:
- You have updated to the product release from December 15, 2021, and cannot update to a newer release (out of maintenance, outside of a company update window, etc.).
- You are on an impacted version (any product version released prior to December 15, 2021) and cannot update to a newer release.
- This is only for supported versions 2020.1 and newer.
Tableau Desktop - Windows
1. Download and install 7-zip to c:\7zip
2. Open an administrative PowerShell Window
3. Change directory to your Tableau Desktop bin directory. By default C:\Program Files\Tableau\Tableau <version>\bin
cd "C:\Program Files\Tableau\Tableau <version>\bin"
4. Disable ReadOnly on jdbcserver.jar
Set-ItemProperty jdbcserver.jar -Name IsReadOnly -Value $false
5. Disable ReadOnly on oauthservice.jar
Set-ItemProperty oauthservice.jar -Name IsReadOnly -Value $false
6. Remove the JndiLookup.class from jdbcserver
c:\7zip\7z d jdbcserver.jar org/apache/logging/log4j/core/lookup/JndiLookup.class -r
7. Remove the JndiLookup.class from oauthservice
c:\7zip\7z d oauthservice.jar org/apache/logging/log4j/core/lookup/JndiLookup.class -r
8. Re-enable ReadOnly on jdbcserver.jar
Set-ItemProperty jdbcserver.jar -Name IsReadOnly -Value $true
9. Re-enable ReadOnly on oauthservice.jar
Set-ItemProperty oauthservice.jar -Name IsReadOnly -Value $true
10. Change directory to your Tableau Desktop bin32 directory. By default C:\Program Files\Tableau\Tableau <version>\bin32
cd "C:\Program Files\Tableau\Tableau <version>\bin32"
11. Disable ReadOnly on jdbcserver.jar
Set-ItemProperty jdbcserver.jar -Name IsReadOnly -Value $false
12. Disable ReadOnly on oauthservice.jar
Set-ItemProperty oauthservice.jar -Name IsReadOnly -Value $false
13. Remove the JndiLookup.class from jdbcserver
c:\7zip\7z d jdbcserver.jar org/apache/logging/log4j/core/lookup/JndiLookup.class -r
14. Remove the JndiLookup.class from oauthservice
c:\7zip\7z d oauthservice.jar org/apache/logging/log4j/core/lookup/JndiLookup.class -r
15. Re-enable ReadOnly on jdbcserver.jar
Set-ItemProperty jdbcserver.jar -Name IsReadOnly -Value $true
16. Re-enable ReadOnly on oauthservice.jar
Set-ItemProperty oauthservice.jar -Name IsReadOnly -Value $true
The JndiLookup.class files should now be removed from all .jar files in the Tableau Desktop version for which these instructions were performed.
Verification Necessary Files Have Been Removed:
1) Re-run all the above steps in order.
2) If the outputs of the commands to remove the JndiLookup.class files (steps 6, 7, 13, and 14) do not contain a “Delete data from archive” line item when you repeat this step, the class is no longer present and these mitigation steps can be considered complete.
Example:
When the file is removed for the first time, there will be a “Delete data from archive” line item present in the 7-Zip output.
The second time the commands are executed, the “Delete data from archive” line item will not be present, because the class is no longer in the archive.
Tableau Desktop - MacOS
1. sudo zip -d '/Applications/Tableau Desktop 2020.4.app/Contents/Resources/oauthservice.jar' org/apache/logging/log4j/core/lookup/JndiLookup.class
NOTE: If you receive either of the following error messages, the Log4j class file does not exist and the mitigation is complete.
- zip warning: name not matched: org/apache/logging/log4j/core/lookup/JndiLookup.class
- zip error: Nothing to do! (/Applications/Tableau Desktop 2020.1.app/Contents/Resources/oauthservice.jar)
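The Windows steps (7-Zip on jdbcserver.jar and oauthservice.jar), the verification section and the macOS step all come down to the same operation: delete one entry from a zip archive, and confirm the mitigation by checking that a second run finds nothing to delete. The script below is an added example, not Tableau's tooling and not the article's own commands; it does that same check in Python so one tool can be pointed at either the Windows bin/bin32 directories or the macOS Resources directory. The jar name, the version string and the class stub bytes in the demo are constructed for illustration, and the read-only handling mirrors the Set-ItemProperty IsReadOnly steps above.

```python
"""Find and remove org/apache/logging/log4j/core/lookup/JndiLookup.class from jars.

Added example (not Tableau's own tooling). Assumes the jars are ordinary zip
archives, which is what both the 7-Zip and the zip commands in the article rely on.
"""
import os
import shutil
import stat
import sys
import tempfile
import zipfile
from pathlib import Path

# The exact entry both the 7z and the zip command on the page delete.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Where log4j-core records its version inside the jar; used only for reporting.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def log4j_version(jar_path):
    """Return the bundled log4j-core version string, or None if the jar does not record one."""
    with zipfile.ZipFile(jar_path) as zf:
        if POM_PROPERTIES not in zf.namelist():
            return None
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    return None


def has_jndi_lookup(jar_path):
    """True while JndiLookup.class is still inside the jar, i.e. the mitigation is incomplete."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_CLASS in zf.namelist()


def remove_jndi_lookup(jar_path):
    """Delete JndiLookup.class from the jar in place.

    Returns True when an entry was removed (7-Zip's "Delete data from archive" case)
    and False when there was nothing to do (zip's "name not matched" case).
    The read-only bit is cleared for the rewrite and restored afterwards.
    """
    jar_path = Path(jar_path)
    if not has_jndi_lookup(jar_path):
        return False
    original_mode = stat.S_IMODE(jar_path.stat().st_mode)
    os.chmod(jar_path, original_mode | stat.S_IWRITE)
    fd, tmp_name = tempfile.mkstemp(dir=str(jar_path.parent), suffix=".jar")
    os.close(fd)
    try:
        # zipfile cannot delete an entry in place, so copy every other entry to a new archive.
        with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_name, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_CLASS:
                    dst.writestr(info, src.read(info.filename))
        os.replace(tmp_name, jar_path)
    finally:
        if os.path.exists(tmp_name):
            os.remove(tmp_name)
        os.chmod(jar_path, original_mode)
    return True


def scan_jars(directory):
    """Map every .jar under directory to whether it still contains JndiLookup.class."""
    return {str(p): has_jndi_lookup(p) for p in Path(directory).rglob("*.jar")}


def build_sample_jar(path, with_jndi=True, version="2.14.1"):
    """Constructed stand-in for jdbcserver.jar; the contents are stubs, not real classes."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(POM_PROPERTIES, f"version={version}\ngroupId=org.apache.logging.log4j\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe stub")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe stub")
    return Path(path)


def run_demo():
    """Build a constructed jar, run the removal twice and report each step, as the article's verification does."""
    workdir = Path(tempfile.mkdtemp(prefix="log4j-demo-"))
    jar = build_sample_jar(workdir / "jdbcserver.jar")
    os.chmod(jar, stat.S_IREAD)  # simulate the read-only attribute the Windows steps toggle
    result = {
        "version": log4j_version(jar),
        "before": has_jndi_lookup(jar),
        "first_run_removed": remove_jndi_lookup(jar),
        "second_run_removed": remove_jndi_lookup(jar),
        "after": has_jndi_lookup(jar),
        "read_only_restored": not (jar.stat().st_mode & stat.S_IWRITE),
        "jars_still_affected": [p for p, flagged in scan_jars(workdir).items() if flagged],
    }
    os.chmod(jar, stat.S_IREAD | stat.S_IWRITE)
    shutil.rmtree(workdir)
    return result


if __name__ == "__main__":
    # Usage: python check_jndi.py <directory>; with no argument the constructed demo runs.
    if len(sys.argv) > 1:
        for jar, flagged in scan_jars(sys.argv[1]).items():
            print(("STILL PRESENT" if flagged else "clean"), jar, log4j_version(jar))
    else:
        print(run_demo())
```

Run it against the bin and bin32 directories on Windows, or the .app Contents/Resources directory on macOS, after the steps above: a jar reported as clean corresponds to the "no Delete data from archive line" and "name not matched" outcomes the article describes. Note that it reports the log4j-core version only when the jar carries the Maven pom.properties file; a missing version does not by itself mean the jar is safe, which is why the class check is the one that matters.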