Log4J Zero Day on Metabase

Today I read this article https://www.lunasec.io/docs/blog/log4j-zero-day/

And checked this on the Metabase website: https://www.metabase.com/docs/latest/operations-guide/log-configuration.html

Metabase is using log4j 2 under the hood. Is there anything we could do to mitigate the vulnerability?

There's already a patch. :slight_smile: https://github.com/metabase/metabase/releases/tag/v0.41.4


Thank You

Is there a patch for the metabase-enterprise docker container? https://hub.docker.com/r/metabase/metabase-enterprise/tags

If so, which version?

@nlf Yes, read which versions are patched here:
https://github.com/metabase/metabase/security/advisories/GHSA-vmm4-cwrm-38rj
Link to all releases for all editions: https://github.com/metabase/metabase/releases

Hello,
What are the versions of Metabase that were affected by the log4j vulnerability?
Thanks

@benoitg Click this link: https://github.com/metabase/metabase/security/advisories/GHSA-vmm4-cwrm-38rj
Every version since 37.0.


@flamber Based on this article, we need to patch log4j2 again, because the previous patch is not valid.

@kadekjati It has a CVE score of 3.7 and requires a non-standard log configuration.
Follow this: https://github.com/metabase/metabase/issues/19371

Based on this, where are those log files stored by default? I want to see if I can delete them, but I can't find any log files in the location where the Metabase JAR file is.
I run them locally with Java.

@timothyv I don't understand your question. The problem is not "log files", but an entire library and now custom configurations too.
There are no log files unless you have added that manually to the Log4j configuration or via something like syslog:
https://www.metabase.com/docs/latest/operations-guide/running-metabase-on-debian.html
https://www.metabase.com/docs/latest/operations-guide/log-configuration.html

Hi,

I'm still unclear as to which versions are affected due to the use of "below":

What does "below" mean in this context? For example, version 33 is below x.38.6 and the rest. Is it affected?

@markd Why are you posting a screenshot of the topic Urgent Security Upgrade for Metabase here, instead of asking the question there?

If you're using 33, then there are several other vulnerabilities, so you should upgrade.
But anything below x.37.0 uses Log4jv1, so while they are not directly known to be exploitable, there are other known vulnerabilities in Log4jv1, which will not be addressed, since it's out-of-date.

In other words: upgrade if you are using a release older than December 10th 2021.
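To tell which Log4j generation (1.x vs 2.x) and which artifact versions a given Metabase jar actually bundles, the distinction drawn above, here is an added inventory script; it is not Metabase's own tooling, it assumes the uberjar keeps the Maven `pom.properties` metadata of its dependencies under `META-INF/maven/`, and the sample jar it builds for offline use is constructed.

```python
import io
import re
import sys
import zipfile

# Maven-built jars carry META-INF/maven/<groupId>/<artifactId>/pom.properties;
# an uberjar that shades its dependencies usually keeps these entries.
POM_RE = re.compile(r"META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")
LOG4J_GROUPS = {"log4j", "org.apache.logging.log4j"}  # Log4j 1.x, Log4j 2.x

def _parse_properties(text):
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def log4j_artifacts(jar):
    """Return {(groupId, artifactId): version} for every Log4j artifact in jar.
    `jar` may be a filesystem path or a file-like object."""
    found = {}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            m = POM_RE.match(name)
            if not m or m.group(1) not in LOG4J_GROUPS:
                continue
            props = _parse_properties(zf.read(name).decode("utf-8", "replace"))
            found[(m.group(1), m.group(2))] = props.get("version", "unknown")
    return found

def log4j_generation(artifacts):
    """'2' if a Log4j 2 artifact is bundled, '1' if only Log4j 1.x, None if neither."""
    groups = {g for g, _ in artifacts}
    if "org.apache.logging.log4j" in groups:
        return "2"
    return "1" if "log4j" in groups else None

def build_sample_jar():
    """Constructed stand-in for a Metabase jar (version string is made up)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                    "#Generated by Maven\nversion=2.14.1\nartifactId=log4j-core\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    arts = log4j_artifacts(sys.argv[1] if len(sys.argv) > 1 else build_sample_jar())
    print(arts, "Log4j generation:", log4j_generation(arts))
```

Run it as `python log4j_inventory.py metabase.jar` to inspect a real jar; compare the reported version against the fixed versions listed in the advisory linked above rather than trusting the Metabase version number alone.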

@flamber, sorry, I didn't realize you could respond there, should have scrolled to the bottom.

But thanks for the prompt info. Yes, we will upgrade as soon as possible.

Best regards,
Mark

How should customers best track when vulnerabilities like this exist? Ideally, customers get notified via a push notification or email to alert them. If this exists, can someone point to how to sign up for these alerts?

@corey Our Enterprise customers were notified directly, as well as thousands of open source users via the newsletters (see bottom of our website).
Or you can subscribe to security advisories via https://github.com/metabase/metabase > click Watch in upper-right corner > Custom > select Security alerts.