An update on the Apache Log4j2 vulnerability

Editor’s note: updated as of December 19, 2021 at 8:00pm PT

Tableau has been investigating the security issue associated with the Java-based logging utility, Apache Log4j2. We want to thank our customers for your patience and trust—our team is working around the clock to address the vulnerability because your security is our top priority.

As we continue to share technical resources, we want to ensure that everyone is informed of actions they can take to enhance their security postures. The following is our latest status update:

In order to address the current security vulnerabilities in CVE-2021-44228 and CVE-2021-45046, please update to the newest version of on-premise products.

What’s happening now

As of December 19, 2021, we have released a product update for all currently impacted versions of Tableau products to address the CVE-2021-44228 and CVE-2021-45046 vulnerabilities. Status for Tableau Online may be found on the Salesforce trust post.

If your latest update is the December 15, 2021 release or prior, please take the steps to mitigate both CVE-2021-44228 and CVE-2021-45046 vulnerabilities found in our Apache Log4j2 vulnerability (Log4shell) knowledge base article.

IMPORTANT NOTE: The steps provided in this article should not be used if you have updated to the December 19, 2021 release.

For a running history of our status updates, refer to the What’s been happing section below.

Useful resources

  • For those who have not updated their products or have updated to the December 15, 2021, product release, please see the Apache Log4j2 vulnerability (Log4shell) Knowledge Base article. This article contains steps that can be taken to mitigate both CVE-2021-44228 and CVE-2021-45046.
  • To stay up-to-date about this incident, please follow the Salesforce Trust post.
  • If you have a technical question, please reach out to our support team who will be happy to help by creating a case.

What’s been happening

December 18:

  • We are aware of today’s public disclosure of CVE-2021-45105.  Based on currently available information, we have determined that Tableau products are not affected by CVE-2021-45105.  
  • For those who have not updated their products to the December 15, 2021, product release, we have made new updates to our Knowledge Base article with steps that can be taken to mitigate both CVE-2021-44228 and CVE-2021-45046.
  • Updates will be posted to status.salesforce.com as additional information becomes available.  If Tableau becomes aware of unauthorized access to customer data, we will notify impacted customers without undue delay.

December 17:

  • We are aware of recent updates Apache made to CVE-2021-45046 and are investigating Apache’s findings. Our initial analysis indicates Tableau products are not affected by the new details Apache disclosed within CVE-2021-45046. We recognize that this is a fluid situation, as we continue to monitor with the highest levels of urgency. We will keep you updated as the incident dictates.
  • Tableau continues to actively work on a maintenance release that will update Log4j to version 2.16. We will let you know as soon as it becomes available.
  • At this time, we recommend updating to the December 15, 2021, maintenance release which addresses CVE-2021-44228.
  • ​​​​​​​For those who have not started the update process to the December 15, 2021, product release, we have also updated our Knowledge Base article with steps that can be taken to mitigate both CVE-2021-44228 and CVE-2021-45046. These steps either remove or replace the vulnerable JNDI class entirely.
  • As always you can reference the Salesforce Trust post for the latest updates. We will provide updates as more information becomes available. If Tableau becomes aware of unauthorized access to customer data, we will notify impacted customers without undue delay.

December 16:

  • As of December 15, 2021 we have updated all vulnerable versions of Log4j2 to address CVE-2021-44228. The latest versions of Tableau can be found on our release notes page
  • There may be diagnostic or auxiliary components still remaining in these releases that have not updated Log4j2 to an unaffected version. We have mitigated these outstanding components with configuration changes that disable the vulnerable JNDI lookup functionality. To address the recently disclosed CVE-2021-45046, Tableau is working on an additional patch that will remove the remaining components altogether. 

December 15:

  • As of December 15, 2021 we have updated all vulnerable versions of Log4j2 to address CVE-2021-44228. The latest versions of Tableau can be found on our release notes page
  • There may be diagnostic or auxiliary components still remaining in these releases that have not updated Log4j2 to an unaffected version. We have mitigated these outstanding components with configuration changes that disable the vulnerable JNDI lookup functionality. To address the recently disclosed CVE-2021-45046, Tableau is working on an additional patch that will remove the remaining components altogether. 
  • CVE-2021-45046 is deemed a low-impact item with a 3.7 CVSS score as this CVE only applies to specific logging configurations. We are currently working on a release which will resolve the issues presented by CVE-2021-45046.

We appreciate your trust in us as we continue to make your security our top priority.

Subscribe to our blog