Urgent Security Upgrade for Metabase

flamber · December 14, 2021, 11:19am

This is urgent security advisory about a vulnerability in the library Log4j, which Metabase uses.

You should upgrade immediately!

If you are a Metabase Cloud customer, you don't need to do anything as your instance has already been patched.

Affected versions: any x.37.x, below x.38.6, below x.39.7, below x.40.7, below x.41.4

Patched versions:

Workaround:
If you cannot upgrade immediately, then start Metabase with the Java property log4j2.formatMsgNoLookups=true to block certain Log4j functionality, which is cause of the vulnerability.
It is also recommend to start with this property even if you upgrade as it might prevent other unknown attacks.

JAR example: java ... -Dlog4j2.formatMsgNoLookups=true ... -jar metabase.jar
Docker example: docker run ... -e JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true" ...

Reference: https://github.com/metabase/metabase/security/advisories/GHSA-vmm4-cwrm-38rj

flamber · December 15, 2021, 9:39am

2 posts were split to a new topic: Question about Log4j

SetSails · December 15, 2021, 1:05pm

Hi guys,

thank you for the update!

According to Apache further vulnerabilities have been identified which have been fixed in 2.16.0

From what I can tell the updates underlying your post here are in reference to you updating to 2.15.0 which closed an initial set of vulnerabilities.

More info here: https://logging.apache.org/log4j/2.x/security.html

=> do you have an estimate when we can expect a patch including log4j 2.16.0 ?

Also:
=> can you please confirm whether it is correct to add multiple system parameters, such as setting query caching besides disabling log4j Lookups, in the following form:

java -DMB_QUERY_CACHING_MAX_TTL=14400 -Dlog4j2.formatMsgNoLookups=true -jar metabase.jar

Thank you very much & Best Regards
Fabian

flamber · December 15, 2021, 1:13pm

@SetSails Read this: https://github.com/metabase/metabase/issues/19371
Yes, that's how you add multiple Java parameters.

herve · December 15, 2021, 11:05pm

Thx for the update @flamber !

As @SetSails mentioned there is a 2nd vulnerability (CVE-2021-45046) that Apache suggest would be best resolved with an update to 2.16.0.

Additionally, on their advisory page, Apache also reports previously advised mitigations are no longer considered suitable:

Other insufficient mitigation measures are: setting system property log4j2.formatMsgNoLookups or environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true for releases >= 2.10, or modifying the logging configuration to disable message lookups with %m{nolookups}, %msg{nolookups} or %message{nolookups} for releases >= 2.7 and <= 2.14.1.

The safest thing to do is to upgrade Log4j to a safe version, or remove the JndiLookup class from the log4j-core jar.

Are you able to provide an ETA for an update to log4j 2.16.0?

Thanks heaps for all your work!

Luiggi · December 15, 2021, 11:30pm

Hi Herve, as you can read in the Apache advisory page, the CVE-2021-45046 has a CVSS Score of 3.7 (Log4Shell has a CVSS score of 10) as it can only cause a DoS only if you use non-standard Log4j configuration. The Metabase server ships bundled with a standard logging configuration so we're not impacted with this vulnerability. Regarding the upgrade, we have already merged a pull request with the upgrade of the package (https://github.com/metabase/metabase/pull/19358), but it will be shipped in the next maintenance or major release due to the factors mentioned above.

charty · December 16, 2021, 12:00am

Hi @Luiggi ,

It appears Log4j 2.15.0 is still vulnerable to data exfiltration.

Please consider expediting the release which contains the merged upgrade to 2.16.0!

Thank you

Luiggi · December 16, 2021, 8:59pm

Hi @charty, although that CVE has not been recognized yet by the team in Log4j, we have just released 41.5 with Log4j 2.16.

nico8 · December 21, 2021, 8:18am

Hi folks,

Seems that log4j 2.16 has still a security flaw
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105

Is Metabase concerned and need a new upgrade ?

Nicolas

flamber · December 21, 2021, 9:12am

@nico8 Try upgrading the latest release: https://github.com/metabase/metabase/releases/latest
Log4j 2.16.0 and 2.17.0 does not affect Metabase from all the testing we've done, which is why they are just released as dependency upgrades and without any advisory.

ewing0 · January 6, 2022, 5:55pm

Hi, is there any concern for CVE-2021-44832? Would also like to know when CVE-2021-45105 will be patched in the next release. Thank you.

flamber · January 6, 2022, 6:11pm

@ewing0 No, CVE-2021-44832 and CVE-2021-45105 does not affect Metabase. The Log4j dependency will be upgraded in next release coming in January.

ewing0 · January 6, 2022, 6:31pm

Sorry, please help me understand, if log4j is a dependency in metabase, how is metabase not affected? Is log4j installed, but not being used? Thanks

flamber · January 6, 2022, 6:35pm

@ewing0 Metabase does not use the functionality which is vulnerable. It's like if you run a Windows Server and Microsoft issues a patch for some sub-system that you're not using and haven't enabled, then the patch likely makes no difference to you.

corey · January 7, 2022, 8:39pm

How should customers monitor when critical vulnerabilities like this exist? Ideally, we would get an email sent to the admin on our account? Is this, or another notification type, available?

flamber · January 7, 2022, 8:48pm

@corey Our Enterprise customers were notified directly, as well as thousands of open source users via the newsletters (see bottom of our website).
Or you can subscribe to security advisories via https://github.com/metabase/metabase > click Watch in upper-right corner > Custom > select Security alerts.