A widely used Java-based utility—log4j—has made news around the world and has caused cybersecurity experts to throw caution toward large organizations. Now is the time to pay attention.

In case you haven’t heard about the widespread log4j vulnerabilities, most experts are calling this the biggest exposure(s) in the history of the internet. According to Jen Easterly, director of Cybersecurity and Infrastructure Security Agency (CISA), “This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use.

The data and analytics ecosystem is certainly also affected. If the vulnerabilities are not addressed, hackers could tap into computer servers, applications, and devices—accessing an organization’s data and analytics. Two things you can immediately do include:

  1. If you are self-hosting any affected software (see list below), we recommend removing any internet-facing applications and immediately remediating the situation.
  2. If you use any affected cloud/SaaS/multitenant software that does not automatically use the most current version, we recommend contacting the vendor immediately to update to the newest remediated version.

How These logj4 Vulnerabilities Affect Data and Analytics Tools’ Exposure

As of Jan. 14, 2022, here’s a summary of Analytics8’s understanding of data and analytics tools’ exposure.

Note: Custom configurations or custom builds – especially those involving custom logging – may introduce vulnerabilities. The lists below assume default configurations.

Cloud / SaaS / Multitenant

Vulnerable:

  • Non-supported versions of Looker (i.e. NOT versions 21.0, 21.6, 21.12, 21.16, 21.18, or 21.20)

Vulnerable, remediation identified but not yet fully implemented:

  • None known

No longer vulnerable:

  • Salesforce
    • Sales Cloud
    • Service Cloud
    • B2C Commerce Cloud
    • Force.com
    • Data.com
    • Community Cloud
    • Mulesoft Cloud
    • Datorama
    • Pardot
    • Einstein
  • Slack
  • Looker 21.0, 21.6, 21.12, 21.16, 21.18, 21.20
  • Tableau Online

Never Vulnerable / Not Affected:

  • Snowflake
  • dbt Cloud
  • Microsoft Power BI
  • Fivetran

Unknown:

  • Birst

On-Prem / Self-hosted

Vulnerable with no known remediation:

  • Birst self-hosted

Vulnerable with remediation available:

  • Self-hosted versions of Looker
  • Tableau family of products
  • Qlik
    • GeoAnalytics
    • GeoAnalytics Plus
    • Compose for Data Lakes version 6.6
    • Compose for Data Warehouses versions 6.6, 6.6.1, 7.0
    • Compose versions 2021.2, 2021.5, 2021.8
    • Enterprise Manager versions 6.6, 7.0, 2021.5, 2021.11
    • Replicate versions 6.6, 7.0, 2021.5, 2021.11
    • Qlik Catalog – May 2021 release and onward
  • Mulesoft self-hosted
  • Matillion family of products
  • SAP Business Objects family of products

Never Vulnerable / Not Affected:

  • dbt self-hosted
  • Microsoft Power BI – all products
  • Qlik – all products NOT listed above
  • UniverseBridge
  • QlikMaps

If anything reported is in error, please let us know! As we learn more, we will keep this post updated.

Patrick Vinton Patrick oversees R&D and is responsible for the technical direction of Analytics8. When he's not working, he's probably playing with his 2 sons. If the kids are with the babysitter, he's sharing a bottle of wine with his wife while binging on Netflix - probably a documentary or historical drama.
Subscribe to

The 8 Update

Sign up to receive our monthly newsletter, and get the latest insights, tips, advice.

Thank You!