Security Advisory - March 23

Ryan Carrie shared this announcement 2 months ago

Yellowfin Security Fixes & Enhancements - [9.5.1, 8.0.9]

Yellowfin has released 9.5.1 and 8.0.9, available to download through the Yellowfin portal. These versions contain a number of Security Fixes and Enhancements, listed below. All Yellowfin users and admins are urged to review the following changelog and plan their upgrade at the earliest opportunity. Please consider our best practices for a Yellowfin upgrade.

Fixes include improvements to Dashboard Approval Processes, XSS remediation, dependency upgrades, and an upgrade to the encryption algorithm used by Yellowfin to store secrets.

Security Changelog

Upgraded Tomcat to 9.0.43 for new installs of the application.
Resolved an issue which would allow inactive users to access Yellowfin via the REST API.
Improved security in the dashboard approvals process.
Reinforced security in the dashboard approvals workflow.
Upgraded Jackson Databind libraries to 2.12.1.
Resolved a potential XSS (cross-site scripting) vulnerability within the Datasource Name field when creating some types of data sources.
Resolved a potential XSS (cross-site scripting) vulnerability within the local time code parameter on the Broadcast Management Page.
Resolved a security issue with BroadcastAjaxAction (in YF9).
Resolved a security issue with the subscribeBroadcast action in IReportOutputAjax.i4 (in YF8).
Added a security check to ensure that PDF export cannot be performed without the required role function.
Upgraded commons-io from 2.2 to 2.8.0 to prevent security issues.
Added a nonce to every application request to prevent duplicate submissions.
Resolved an issue with some internal AJAX calls that would cause the responses to strip security headers.
Upgraded internal two-way encryption to AES 256 with GCM, from Triple DES.

Please visit the Yellowfin Portal to access these releases, and subscribe to announcements via RSS to be notified when new announcements are posted.

Contact security@yellowfin.bi with any responsible disclosure submissions or the Yellowfin Support Team with any questions or concerns.