
Apache Log4j2 vulnerability (Log4shell) - Tableau Prep Builder Mitigation Steps


Published: 19 Dec 2021
Last Modified Date: 25 Jan 2022

Issue

Recently disclosed vulnerabilities allow for remote code execution in products that use the Apache Log4j library.

Environment

The following product versions or lower have been identified as affected:
  • Tableau Prep Builder 2021.4.1, 2021.3.2, 2021.2.2, 2021.1.4, 2020.4.1, 2020.3.3, 2020.2.3, 2020.1.5, 2019.4.2, 2019.3.2, 2019.2.3, 2019.1.4, 2018.3.3

Resolution

Option 1: Update Tableau

For customers with active maintenance, if you have not updated from an impacted version (any product release prior to December 15, 2021), or have updated to the December 15, 2021 product release, please update to one of the newer releases.


The December 15, 2021 Tableau Product releases updated the Log4j2 files to version 2.15. There may be diagnostic or auxiliary components still remaining. We have mitigated these outstanding components with configuration changes that disable the vulnerable JNDI lookup functionality.

The December 19, 2021 Tableau Product release has integrated the Log4j 2.16 release, which disables JNDI Lookup by default. This action addresses both CVE-2021-44228 & CVE-2021-45046.

By updating to the product release from Dec 19, 2021, you are addressing the security issues currently identified in CVE-2021-44228 & CVE-2021-45046.

 

    Option 2: Please execute the mitigation steps detailed in Option 2 if:

    • You have updated to the product release from December 15, 2021, and cannot update to a newer release (out of maintenance, outside of a company update window, etc.).
    • You are on an impacted version (any product version released prior to December 15, 2021) and cannot update to a newer release.
    • This is only for supported versions 2020.1 and newer.
    • In order to fully mitigate the security issues identified in CVE-2021-44228 & CVE-2021-45046, update to the Dec. 19, 2021 product release.

    Tableau Prep Builder - Windows

    1. Open a PowerShell admin command prompt and run the following commands:
    2. Disable ReadOnly on each .jar:

    a. Set-ItemProperty 'C:\Program Files\Tableau\Tableau Prep Builder 2021.3\lib\tableau-prep-cli.jar' -Name IsReadOnly -Value $false

    b. Set-ItemProperty 'C:\Program Files\Tableau\Tableau Prep Builder 2021.3\resources\app\tableau-1.3\build\Release-x64\jdbcserver.jar' -Name IsReadOnly -Value $false

    c. Set-ItemProperty 'C:\Program Files\Tableau\Tableau Prep Builder 2021.3\resources\app\tableau-1.3\build\Release-x64\oauthservice.jar' -Name IsReadOnly -Value $false 

    3. Remove the JndiLookup.class from the jars. Note: replace C:\<pathTo7zip>\7z with the install location of 7zip on your computer:

    Get-ChildItem -path 'C:\Program Files\Tableau\Tableau Prep Builder 2021.3' -recurse -filter "*.jar" | Where-Object { $_.Name } | %{C:\<pathTo7zip>\7z d $_.FullName *JndiLookup.class -r }

    4. Set each .jar back to Read Only:

    a. Set-ItemProperty 'C:\Program Files\Tableau\Tableau Prep Builder 2021.3\lib\tableau-prep-cli.jar' -Name IsReadOnly -Value $true

    b. Set-ItemProperty 'C:\Program Files\Tableau\Tableau Prep Builder 2021.3\resources\app\tableau-1.3\build\Release-x64\jdbcserver.jar' -Name IsReadOnly -Value $true

    c. Set-ItemProperty 'C:\Program Files\Tableau\Tableau Prep Builder 2021.3\resources\app\tableau-1.3\build\Release-x64\oauthservice.jar' -Name IsReadOnly -Value $true
     

    Verify that the necessary files have been removed:
    1) Re-run all the above steps in order.
    2) If the output of the command to remove the JndiLookup.class files (step 3) does not contain a “Delete data from archive” line item when you repeat this step, the class is no longer present and these mitigation steps can be considered complete.

    Example:
    When the file is removed for the first time, there will be a “Delete data from archive” line item present.

    The second time the commands are executed, the “Delete data from archive” line item will not be present.
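
A read-only way to confirm the result on Windows without re-running the delete step, given here as an added example that is not part of Tableau's published procedure. It assumes the install path used in the steps above and the .NET ZipFile class; the parameter and variable names are illustrative.

```powershell
# Added example: opens each .jar for reading only and changes nothing on disk.
# Assumption: $InstallDir is the install path used in the steps above; adjust the version.
param(
    [string]$InstallDir = 'C:\Program Files\Tableau\Tableau Prep Builder 2021.3'
)

Add-Type -AssemblyName System.IO.Compression.FileSystem

$jars = @(Get-ChildItem -Path $InstallDir -Recurse -Filter '*.jar' -File)
$unreadable = @()

$findings = foreach ($jar in $jars) {
    $zip = $null
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($jar.FullName)
        foreach ($entry in $zip.Entries) {
            # Same match as the 7z pattern in step 3: any entry named *JndiLookup.class
            if ($entry.Name -like '*JndiLookup.class') {
                [pscustomobject]@{ Jar = $jar.FullName; Entry = $entry.FullName }
            }
        }
    }
    catch {
        # A .jar that cannot be opened is reported, not silently counted as clean
        $unreadable += $jar.FullName
    }
    finally {
        if ($zip) { $zip.Dispose() }
    }
}

$unreadable | ForEach-Object { Write-Warning "Could not read: $_" }

if ($findings) {
    # At least one archive still carries the class: the mitigation is incomplete
    $findings | Format-List | Out-Host
    exit 1
}
if ($unreadable.Count -gt 0) { exit 2 }

Write-Output "No JndiLookup.class entries in $($jars.Count) .jar files under $InstallDir"
```

Exit code 0 means every archive was read and none contains the class; 1 means at least one entry remains; 2 means some archives could not be inspected.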

     

    Tableau Prep Builder - Mac

    1. sudo zip -d '/Applications/Tableau Prep Builder 2021.4.app/Contents/lib/tableau-prep-cli.jar' org/apache/logging/log4j/core/lookup/JndiLookup.class


    2. sudo zip -d '/Applications/Tableau Prep Builder 2021.4.app/Contents/lib/tableau-prep-cli.jar' io/sentry/config/JndiLookup.class

    3. sudo zip -d '/Applications/Tableau Prep Builder 2021.4.app/Contents/Resources/app/tableau-1.3/build/Release/oauthservice.jar' org/apache/logging/log4j/core/lookup/JndiLookup.class

    4. sudo zip -d '/Applications/Tableau Prep Builder 2021.4.app/Contents/Resources/app/tableau-1.3/build/Release/jdbcserver.jar' org/apache/logging/log4j/core/lookup/JndiLookup.class
     

    NOTE: If you receive either of the following error messages, the Log4j class file does not exist and the mitigation is complete. Example:

    zip warning: name not matched: org/apache/logging/log4j/core/lookup/JndiLookup.class

    zip error: Nothing to do! (/Applications/Tableau Prep Builder 2020.1.app/Contents/Resources/oauthservice.jar)


     