...

Update 2021-12-14: Another vulnerability related to Log4j has popped up: CVE-2021-4104. None of our products are vulnerable to this new CVE.
Update 2021-12-15: A third vulnerability, CVE-2021-45046, has been discovered. Some of our products are vulnerable. This CVE is only rated 3.7 out of 10 and can only be used for a DoS (denial-of-service) attack.
Update 2021-12-17: The above CVE-2021-45046 has now had its severity raised to 9 and is also reported to allow remote code execution. Still, Metabase states that it does not use non-default configurations, which means it is not vulnerable.


After the first vulnerability was published, we immediately started checking all our products for exposure to it. As we feared, many of our products use Log4j (or include third-party components that do), are therefore vulnerable, and need to be updated.

...

1) The fix releases in this column address CVE-2021-44228 both in our own code and in Metabase.
2) The fix releases in this column address CVE-2021-45046 and are split in some cases. There are separate rows for cases where the older fix solves the issue in our code, but a newer fix with an updated Metabase version is needed to fix it there. See also 3).
3) To mitigate any remaining risk until a Metabase update arrives, see the info box "Regarding Metabase" below.

...

Note: Regarding Metabase

Metabase includes Log4j and is vulnerable to CVE-2021-44228. As a first fix we updated to Metabase 0.40.7 (which includes Log4j 2.15.0 and protects against the remote code execution exploit). Releases with this fix can be found in the left part of the table above (the column marked with 1)).

The more recently discovered CVE-2021-45046 requires Log4j 2.16.0, for which no Metabase release is available yet. Metabase only recently released updates.
However: according to the Metabase developers, Metabase should not even be affected by this CVE, since it does not use non-default configurations. Still, we are creating new releases with the updated version of Metabase just to be as safe as possible, but it will take a bit of time.

If you are uncomfortable relying on the unofficial Metabase developer statement regarding CVE-2021-45046, you can install the release that fixes the problem in our code and manually turn off Metabase for now:

  • Connect to the appliance with ssh or putty
  • For GreenLight:

        docker stop gl_metabase

  • For OfficeExpert and iDNA Applications:

        docker stop panagenda_metabase

...