Page History
...
Update 2021-12-14: Another vulnerability related to Log4j has popped up: CVE-2021-4104. None of our products are vulnerable to this new CVE.
Update 2021-12-15: A third vulnerability, CVE-2021-45046, has been discovered. Some of our products are vulnerable. This CVE is only classed as a 3.7 out of 10, and can only be used to perform a DOS (denial-of-service) attack.
Update 2021-12-17: The above CVE-2021-45046 now had its severity level increased to 9, and also allows remote code execution. Still, Metabase says they are not using non default configurations, which makes it not vulnerable.
Update 2021-12-19: Another Log4j exploit has been reported: CVE-2021-45105. Apache classes it as a 7.5, it can be used to execute a DOS attack.
...
Product | CVE-2021-44228 | Fix Status | Fix Release 1) | CVE-2021-45046 / CVE-2021-45105 | Fix Status | Fix Release 2) | How To Upgrade | ||
---|---|---|---|---|---|---|---|---|---|
ApplicationInsights | vulnerable - fix available | released - Dec 14 | 1.6.3 | vulnerable - fix available | released - Dec 14 | 1.6.3 | Upgrade ApplicationInsights (≥ v1.5.1) | ||
ConnectionsExpert 2.x | vulnerable - fix available | released - Dec 15 | 2.1.3 | vulnerable - fix available | released - Dec 15 | 2.1.3 | Upgrade ConnectionsExpert (> v2.0) | ||
ConnectionsExpert 3.x | vulnerable | released - Dec 16 | 3.1.3 | vulnerable | released - Dec 16 | 3.1.3 | Upgrade ConnectionsExpert (> v2.0) | ||
GreenLight | vulnerable - fix available | released - Dec 15 | 4.5.0 | vulnerable - fix available | released - Dec 15 | Upgrading GreenLight - only for >=3.5.x | |||
Metabase potentially vulnerable 3) | waiting for Metabase | 4.5.1 | |||||||
iDNA | vulnerable | released - Dec 16 | 2.11.1 | vulnerable | released - Dec 16 | 2.11.1 | Please contact support - all customers should be migrated to iDNA Applications already. | ||
iDNA Applications | vulnerable - fix available | released - Dec 13 | 2.1.2 | vulnerable - fix available | released - Dec 13 | 2.1.2 | Upgrading iDNA Applications | ||
Metabase potentially vulnerable 3) | waiting for Metabase | 2.2.0 | |||||||
MarvelClient | safe | safe | |||||||
OfficeExpert | vulnerable - fix available | released - Dec 14 | 4.3.3 | vulnerable - fix available | released - Dec 14 | 4.3.3 | Upgrading OfficeExpert | ||
Metabase potentially vulnerable 3) | waiting for Metabase | 4.3.4 | |||||||
OfficeExpert EPM | safe | safe | |||||||
SecurityInsider / GroupExplorer | safe | safe | |||||||
SmartChanger | safe | safe | |||||||
Document Properties Plugin | safe | safe | |||||||
LogViewer Plugin | safe | safe | |||||||
Network Monitor Plugin | safe | safe | |||||||
PrefTree Plugin | safe | safe | |||||||
Tabzilla Plugin | safe | safe | |||||||
Timezone Helper Plugin | safe | safe |
1) The fix releases in this column address CVE-2021-44228 both in our own code, and in Metabase.
2) The fix releases in this column address CVE-2021-45046 and are split in CVE-2021-45105. In some cases . There there are separate rows for cases where the older fix solves the issue in our code, but a newer fix with an updated Metabase version is needed to fix it there. See also 3).
3) To mitigate any remaining risk until we release a version with the updated Metabase release, see info box "Regarding Metabase" below.
...
Note | ||||
---|---|---|---|---|
| ||||
Metabase includes Log4j and is vulnerable to CVE-2021-44228. For a first fix we update to Metabase 0.40.7 (which includes Log4j 2.15.0 and protects from the remote code execution exploit). Releases with this fix can be found in the left part of the table above. (column marked with 1) ) The more recently discovered CVE-2021-45046 requires Log4j 2.16.0 for which Metabase only recently released updates.
|
...