In case you haven’t heard about the widespread log4j vulnerabilities, most experts are calling this the biggest exposure(s) in the history of the internet. According to Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), “This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use.”

The data and analytics ecosystem is certainly also affected. If the vulnerabilities are not addressed, hackers could tap into computer servers, applications, and devices—accessing an organization’s data and analytics. Two things you can immediately do include:

- If you are self-hosting any affected software (see list below), we recommend removing any internet-facing applications and immediately remediating the situation.
- If you use any affected cloud/SaaS/multitenant software that does not automatically use the most current version, we recommend contacting the vendor immediately to update to the newest remediated version.

How These log4j Vulnerabilities Affect Data and Analytics Tools’ Exposure

As of Jan. 14, 2022, here’s a summary of Analytics8’s understanding of data and analytics tools’ exposure.

Note: Custom configurations or custom builds – especially those involving custom logging – may introduce vulnerabilities. The lists below assume default configurations.

Cloud / SaaS / Multitenant

Vulnerable:

- Non-supported versions of Looker (i.e. NOT versions 21.0, 21.6, 21.12, 21.16, 21.18, or 21.20)

Vulnerable, remediation identified but not yet fully implemented:

- None known

No longer vulnerable:

- Salesforce
  - Sales Cloud
  - Service Cloud
  - B2C Commerce Cloud
  - Force.com
  - Data.com
  - Community Cloud
  - Mulesoft Cloud
  - Datorama
  - Pardot
  - Einstein
  - Slack
- Looker 21.0, 21.6, 21.12, 21.16, 21.18, 21.20
- Tableau Online

Never Vulnerable / Not Affected:

- Snowflake
- dbt Cloud
- Microsoft Power BI
- Fivetran

Unknown:

- Birst

On-Prem / Self-hosted

Vulnerable with no known remediation:

- Birst self-hosted

Vulnerable with remediation available:

- Self-hosted versions of Looker
- Tableau family of products
- Qlik
  - GeoAnalytics
  - GeoAnalytics Plus
  - Compose for Data Lakes version 6.6
  - Compose for Data Warehouses versions 6.6, 6.6.1, 7.0
  - Compose versions 2021.2, 2021.5, 2021.8
  - Enterprise Manager versions 6.6, 7.0, 2021.5, 2021.11
  - Replicate versions 6.6, 7.0, 2021.5, 2021.11
  - Qlik Catalog – May 2021 release and onward
- Mulesoft self-hosted
- Matillion family of products
- SAP Business Objects family of products

Never Vulnerable / Not Affected:

- dbt self-hosted
- Microsoft Power BI – all products
- Qlik – all products NOT listed above
- UniverseBridge
- QlikMaps

If anything reported is in error, please let us know! As we learn more, we will keep this post updated.