Workaround:
If you cannot upgrade immediately, then start Metabase with the Java property log4j2.formatMsgNoLookups=true to block certain Log4j functionality, which is the cause of the vulnerability.
It is also recommended to start with this property even if you upgrade, as it might prevent other unknown attacks.
JAR example: java ... -Dlog4j2.formatMsgNoLookups=true ... -jar metabase.jar
Docker example: docker run ... -e JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true" ...
=> do you have an estimate when we can expect a patch including log4j 2.16.0 ?
Also:
=> can you please confirm whether it is correct to add multiple system parameters, such as setting query caching besides disabling log4j Lookups, in the following form:
As @SetSails mentioned there is a 2nd vulnerability (CVE-2021-45046) that Apache suggests would be best resolved with an update to 2.16.0.
Additionally, on their advisory page, Apache also reports previously advised mitigations are no longer considered suitable:
Other insufficient mitigation measures are: setting system property log4j2.formatMsgNoLookups or environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true for releases >= 2.10, or modifying the logging configuration to disable message lookups with %m{nolookups}, %msg{nolookups} or %message{nolookups} for releases >= 2.7 and <= 2.14.1.
The safest thing to do is to upgrade Log4j to a safe version, or remove the JndiLookup class from the log4j-core jar.
Are you able to provide an ETA for an update to log4j 2.16.0?
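The second mitigation quoted from the Apache advisory above, removing JndiLookup.class from log4j-core, as an added example (not code from this thread, from Metabase or from Apache). A jar is a zip archive, so the script checks for the class (also inside nested jars such as WEB-INF/lib), rewrites the archive without it, and re-scans to confirm the removal. The sample jars are constructed inline with placeholder bytes, not real bytecode, so it runs offline.

```python
"""Detect and strip JndiLookup.class from a log4j-core (or uber) jar.

Added example; implements the 'remove the JndiLookup class' mitigation
from the Apache advisory with nothing but the standard library.
"""
import io
import os
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def build_sample_jar(path, include_jndi=True):
    """Construct a minimal fake jar for the demonstration (constructed data,
    placeholder bytes instead of real class files)."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe placeholder")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe placeholder")
    return path


def _zip_has_jndi(zf):
    for name in zf.namelist():
        if name == JNDI_LOOKUP:
            return True
        if name.endswith((".jar", ".war", ".ear")):  # nested archive, e.g. WEB-INF/lib/*.jar
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                if _zip_has_jndi(inner):
                    return True
    return False


def jar_has_jndi_lookup(path):
    """True if the archive, or any jar nested inside it, contains JndiLookup.class."""
    with zipfile.ZipFile(path) as zf:
        return _zip_has_jndi(zf)


def strip_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class; zip entries cannot be deleted in place.

    Returns the number of entries removed. Equivalent to
    `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`.
    Nested jars are only flagged by the scan above, not rewritten here.
    """
    tmp = path + ".tmp"
    removed = 0
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                removed += 1
                continue
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp, path)  # atomic swap so a crash never leaves a half-written jar
    return removed


def mitigate(path):
    """Scan, strip if needed, re-verify. Returns (was_vulnerable, clean_afterwards)."""
    before = jar_has_jndi_lookup(path)
    if before:
        strip_jndi_lookup(path)
    return before, not jar_has_jndi_lookup(path)


def demo():
    """Run the mitigation against constructed jars and return the results."""
    with tempfile.TemporaryDirectory() as d:
        vuln = build_sample_jar(os.path.join(d, "log4j-core-2.14.1.jar"))
        clean = build_sample_jar(os.path.join(d, "log4j-core-2.17.0.jar"), include_jndi=False)
        # an application archive that bundles the vulnerable jar under WEB-INF/lib
        nested = os.path.join(d, "app.war")
        with open(vuln, "rb") as f, zipfile.ZipFile(nested, "w") as zf:
            zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", f.read())
        return {
            "vulnerable": mitigate(vuln),                  # (True, True)
            "clean": mitigate(clean),                      # (False, True)
            "nested_flagged": jar_has_jndi_lookup(nested),  # True
        }


if __name__ == "__main__":
    print(demo())
```

The class is loaded when the JVM starts, so the process has to be restarted after the jar is rewritten; and because Log4j does not start up without the class, run the application once afterwards to confirm logging still works before relying on the change in production.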
Hi Herve, as you can read in the Apache advisory page, CVE-2021-45046 has a CVSS Score of 3.7 (Log4Shell has a CVSS score of 10) as it can only cause a DoS if you use a non-standard Log4j configuration. The Metabase server ships bundled with a standard logging configuration so we're not impacted by this vulnerability. Regarding the upgrade, we have already merged a pull request with the upgrade of the package (https://github.com/metabase/metabase/pull/19358), but it will be shipped in the next maintenance or major release due to the factors mentioned above.
@nico8 Try upgrading the latest release: https://github.com/metabase/metabase/releases/latest
Log4j 2.16.0 and 2.17.0 do not affect Metabase from all the testing we've done, which is why they are just released as dependency upgrades and without any advisory.
@ewing0 Metabase does not use the functionality which is vulnerable. It's like if you run a Windows Server and Microsoft issues a patch for some sub-system that you're not using and haven't enabled, then the patch likely makes no difference to you.
How should customers monitor when critical vulnerabilities like this exist? Ideally, we would get an email sent to the admin on our account? Is this, or another notification type, available?
@corey Our Enterprise customers were notified directly, as well as thousands of open source users via the newsletters (see bottom of our website).
Or you can subscribe to security advisories via https://github.com/metabase/metabase > click Watch in upper-right corner > Custom > select Security alerts.