...

1) The fix releases in this column address CVE-2021-44228 both in our own code and in Metabase.
2) The fix releases in this column address CVE-2021-45046 and are split in some cases. There are separate rows for cases where the older fix solves the issue in our code, but we are still waiting for a Metabase version so we can issue another release. See also 3).
3) To mitigate any remaining risk until a Metabase update comes, see info box "Regarding Metabase" below.


Note: Regarding Metabase

Metabase includes Log4j and is vulnerable to CVE-2021-44228. As a first fix, we update to Metabase 0.40.7 (which includes Log4j 2.15.0 and protects against the remote code execution exploit). Releases with this fix can be found in the left part of the table above (the column marked with 1)).

The more recently discovered CVE-2021-45046 requires Log4j 2.16.0, for which no Metabase release is available yet.
However, this newer CVE is far less critical, and according to Metabase developers, Metabase should not even be affected by it. Still, we are waiting for a new Metabase version and will create new releases once it is available, just to be as safe as possible.

If you are uncomfortable with the unofficial Metabase developer statement regarding CVE-2021-45046, you can manually turn off Metabase for now:

  • Connect to the appliance with SSH or PuTTY
  • For GreenLight:

    docker stop gl_metabase
  • For OfficeExpert and iDNA Applications:

    docker stop panagenda_metabase
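
The steps above can be combined into one script that stops whichever Metabase container is present and confirms that it is no longer running. This is an added example, not panagenda's own code; it assumes the docker CLI is available on the appliance, and the script name in the last comment is hypothetical.

```shell
#!/bin/sh
# Added example, not vendor code. The container names are the two from the article.
METABASE_CONTAINERS="gl_metabase panagenda_metabase"

# Filter stdin (one container name per line, as printed by
# `docker ps --format '{{.Names}}'`) down to the Metabase containers.
running_metabase() {
    while IFS= read -r name; do
        for c in $METABASE_CONTAINERS; do
            if [ "$name" = "$c" ]; then printf '%s\n' "$name"; fi
        done
    done
}

# Stop every running Metabase container, report its restart policy, then
# confirm that none is left running.
stop_metabase() {
    for c in $(docker ps --format '{{.Names}}' | running_metabase); do
        docker stop "$c" >/dev/null || return 1
        # With policy "always" the container starts again when the Docker
        # daemon restarts (for example after an appliance reboot).
        policy=$(docker inspect --format '{{.HostConfig.RestartPolicy.Name}}' "$c")
        echo "stopped $c (restart policy: ${policy:-none})"
    done
    left=$(docker ps --format '{{.Names}}' | running_metabase)
    if [ -n "$left" ]; then
        echo "still running: $left" >&2
        return 1
    fi
    echo "no Metabase container is running"
}

# Docker is only touched when asked for: sh stop_metabase.sh --stop
if [ "${1:-}" = "--stop" ]; then stop_metabase; fi
```

If the reported restart policy is "always", run the script again after any reboot for as long as Metabase should stay off.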

...

We are currently in the process of creating new releases that contain the necessary fixes. Releases for some products are already out, and we are releasing the rest as fast as safely possible. Progress will be tracked in this knowledge base article. You can also follow our corresponding blog post.

You will need to update any products that are affected. The releases in the left part of the table (the column marked with 1)) are the important update to protect you against the more severe CVE and should be applied as soon as possible.

Our service and support teams are in the process of contacting all our customers to answer questions and help where needed. Please send requests and questions to support@panagenda.com.

...