What's impacted by the Apache Log4j2 Vulnerability?
- All Tableau products are impacted by the vulnerability.
- ❗ Tableau's on-premise software needs to be updated as quickly as possible.
- ✅ Tableau Online is maintained & patched by Tableau according to the official sources.
On Friday December 10, 2021 after CVE-2021-44228 was disclosed, Fivetran’s Engineering and AppSec teams reviewed the Fivetran services to determine if Log4j was used anywhere in our services. This review determined that Log4j is not used by Fivetran’s core services and customer data remains secure.
Actions to be Taken
Patches for Tableau Server and other on-premise products have been released.
- Tableau announcement on the community.
- Tableau Releases page.
All customers should download and install these updates, patched versions as soon as possible. These releases apply to versions 2020.4 through 2021.4. If you're using an older version of Tableau, you must upgrade to one of these more recent versions.
Update: in the light of multiple vulnerabilities having been identified, two subsequent releases of Tableau software have taken place:
- On December 15th 2021 for CVE-2021-44228.
- On December 19th 2021 for CVE-2021-44228 and CVE-2021-45046.
If your latest update is the December 15, 2021 release or prior, if it advised to take steps to mitigate both vulnerabilities by updating to the very latest version.
Optionally, to allow for some time to roll out the upgrade, one can consider following Tableau's official mitigation steps as a temporary measure until ready to upgrade to a patched version.
CVE-2021-44228 (also known as the Apache Log4j2 Vulnerability).
Fivetran updates: see official statement above