Yellowfin uses Apache Struts! Am I at risk of suffering a breach like Equifax?
September 15th, 2017
As of the time of this writing, the Equifax security team has not officially released breach details. If you're reading this article, you've likely read one of the speculative articles pointing to Apache Struts as the possible entry point. While I'm not discounting these hypotheses, confirmed information likely won't be available for some time.
With that being said, in the ever-evolving security landscape of the digital world, we are continuously working to refine our vulnerability monitoring process. As always, if you have concerns about any particular vulnerabilities flagged in security scans, or about particular libraries, don't hesitate to submit a Support ticket expressing your concern or asking for information!
There has been a lot of talk about Apache Struts being the attack vector leveraged during the Equifax breach. I've written a brief statement regarding Yellowfin's use of this library, which you can review here. While there are no official statements regarding particular CVEs, we continue to assess them on a case-by-case basis, determined by whether they affect our application.
How can I help increase my security stance?
The biggest point I can make here is: update, update, update! We release monthly patches to our major versions, containing defect fixes, enhancements, and library updates. If you let yourself fall behind on updates, you may be leaving older, vulnerable library versions in play. We have an article on the best practices for a Yellowfin update; I highly suggest you review it and develop an update plan.
Configure HTTPS so that authentication, and the rest of the session after it (session cookies, report data), is encrypted in transit. This protects user credentials from being intercepted by sniffing or man-in-the-middle attacks.
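Yellowfin runs on a bundled Tomcat, so HTTPS is configured in Tomcat's server.xml. The script below is an added example, not Yellowfin's own code or documentation: it embeds a constructed sample of a hardened connector pair (plaintext 8080 only redirects to 8443, which terminates TLS) beside the weak default, and audits any server.xml for connectors that serve HTTP without redirecting to a TLS-enabled one. It also skips commented-out connectors, because the stock Tomcat server.xml ships its SSL connector inside an XML comment and a naive grep would count that as "HTTPS enabled". The install path, keystore name, password and ports are placeholders, not values from the page.

```shell
#!/bin/sh
# Added example, not Yellowfin's own code or documentation.
# Audits a Tomcat server.xml for TLS: every plaintext HTTP connector must
# redirect (redirectPort) to a connector that has SSLEnabled="true".
# Assumption: the bundled Tomcat keeps server.xml under <install dir>/appserver/conf/;
# the path below is a placeholder.
DEFAULT_SERVER_XML="/opt/yellowfin/appserver/conf/server.xml"

# Constructed sample of a hardened configuration: port 8080 only redirects,
# 8443 terminates TLS. Keystore path and password are placeholders.
GOOD_SERVER_XML='<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/yellowfin.jks" keystorePass="CHANGE_ME"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1.2" clientAuth="false" />
  </Service>
</Server>'

# Constructed sample of the weak default: one plaintext connector, and the TLS
# connector still commented out, as in a stock Tomcat server.xml.
BAD_SERVER_XML='<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />
    -->
  </Service>
</Server>'

# audit_https FILE: prints one OK/FAIL line per connector; exit status 0 only
# when a TLS connector exists and every plaintext connector redirects to one.
audit_https() {
  awk '
    # attr(s, name): value of attribute name="..." in connector text s, or "".
    function attr(s, name,    m) {
      if (match(s, " " name "=\"[^\"]*\"")) {
        m = substr(s, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", m); sub(/"$/, "", m)
        return m
      }
      return ""
    }
    BEGIN { RS = ">"; ntls = 0; incomment = 0 }   # one record per XML tag
    /<!--/ { incomment = 1 }                      # start of an XML comment
    incomment && /--$/ { incomment = 0; next }    # record ending the comment
    incomment { next }                            # connectors inside comments do not count
    /<Connector/ {
      gsub(/[[:space:]]+/, " ")                   # fold a multi-line element onto one line
      port = attr($0, "port")
      if (attr($0, "SSLEnabled") == "true") { tls[port] = 1; ntls++ }
      else plain[port] = attr($0, "redirectPort")
    }
    END {
      rc = 0
      if (ntls == 0) { print "FAIL: no active connector has SSLEnabled=\"true\""; rc = 1 }
      for (p in tls) print "OK: TLS connector on port " p
      for (p in plain) {
        if (plain[p] in tls) print "OK: plaintext connector " p " redirects to TLS port " plain[p]
        else { print "FAIL: plaintext connector " p " serves HTTP without redirecting to TLS"; rc = 1 }
      }
      exit rc
    }' "$1"
}

# write_temp TEXT: writes TEXT to a temp file and prints its path (for trying the samples).
write_temp() { f=$(mktemp); printf '%s\n' "$1" > "$f"; printf '%s\n' "$f"; }

# Audit a real server.xml:  ./audit_https.sh /path/to/server.xml
if [ $# -gt 0 ]; then
  audit_https "$1"
fi
```

Run it against the samples with `audit_https "$(write_temp "$GOOD_SERVER_XML")"` and `audit_https "$(write_temp "$BAD_SERVER_XML")"`: the first prints two OK lines and exits 0, the second prints two FAIL lines and exits 1. After enabling the 8443 connector, also verify the handshake from another host with `openssl s_client -connect host:8443` and confirm the certificate chain is the one you expect.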
Encrypt traffic between Yellowfin and your RDBMS. This can be done for both data sources and the configuration database. As the steps vary between RDBMS types, consult your database vendor's documentation for enabling TLS on the server and requiring it for the connecting account. If you have issues with a particular step, don't hesitate to submit a support ticket.
Password Policies and credentials. Change the default credentials! Yellowfin has a configurable password policy. This can be accessed via 'Administration' > 'Configuration' > Padlock Icon > 'Password Settings':
Alternatively, if you have Active Directory, Yellowfin supports LDAP Authentication. This allows a more centralized, granular control over password policies and users.
Run the service as a non-privileged user. It's best practice to create a dedicated service user for any running service: if the service is compromised, the attacker inherits that account's permissions rather than root or Administrator, which limits how far they can spread through the system. If you're running Yellowfin on Linux, you can follow this article to properly set up your service. In Windows, this can be altered through the Services applet. I like to ensure the user doesn't have login or shell permissions.
Database credentials. Set up specific users that Yellowfin will use to access any RDBMS. Using a root account or an over-privileged account only leaves doors open in the event of a breach. For example, if I'm reporting against a MySQL database, I'll create a user account with SELECT privileges on the database I'd like to report on. Principle of least privilege here.
Firewalls. Ensure your host-based firewall only allows the ports needed to reach the services running on the server (typically Yellowfin's HTTPS port and remote administration from your admin network). This process seems tedious, but once it's done it rarely needs adjustment.
Disable access to Yellowfin's information pages for unauthenticated users. These pages reveal system and library information about the Yellowfin instance, among other things, which is exactly what an attacker uses to match a version against known vulnerabilities. This can be done by following this article.
Monitor Tomcat's version and update it. Our upgrade process doesn't update the bundled Tomcat that ships with Yellowfin, so Tomcat vulnerabilities need to be tracked and patched separately from Yellowfin releases. We have information on this process available here.
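The host-level items above (the service account, the encrypted and least-privileged database account, the host firewall, and checking the bundled Tomcat) come together in the following script. It is an added example and not one of Yellowfin's own scripts or articles. Everything environment-specific is an assumption: install directory /opt/yellowfin with the bundled Tomcat under /opt/yellowfin/appserver, service account "yellowfin", HTTPS on 8443, admin subnet 10.0.0.0/24, a MySQL reporting database called "sales", iptables as the host firewall, and /usr/sbin/nologin as the no-login shell (it is /sbin/nologin on some distributions). The check functions (`passwd_shell_is_nologin`, `parse_server_number`, `version_ge`) run anywhere; the apply functions need root.

```shell
#!/bin/sh
# Added example, not Yellowfin's own scripts. Host hardening helpers for a Linux
# Yellowfin server. All values below are placeholders/assumptions; adjust them.
YF_HOME=/opt/yellowfin
YF_USER=yellowfin
YF_PORT=8443
ADMIN_NET=10.0.0.0/24

# --- Service account (run as root) ------------------------------------------
# A system account with no login shell: a compromise of Yellowfin yields only
# this account's rights, and nobody can log in interactively as it.
create_service_user() {
  useradd --system --home-dir "$YF_HOME" --shell /usr/sbin/nologin "$YF_USER"
  chown -R "$YF_USER:$YF_USER" "$YF_HOME"
}
# passwd_shell_is_nologin LINE: LINE is a passwd(5) entry, e.g. the output of
# `getent passwd yellowfin`; succeeds when its shell field is nologin or false.
passwd_shell_is_nologin() {
  case "${1##*:}" in */nologin|*/false) return 0 ;; *) return 1 ;; esac
}

# --- Least-privilege, TLS-only database account (run as a MySQL admin) --------
# least_privilege_grant_sql USER CLIENT_HOST DATABASE PASSWORD: emits the SQL for
# a read-only account that may only connect over TLS and only from the Yellowfin
# host. Apply it with:
#   least_privilege_grant_sql yf_report 10.0.0.5 sales "$PW" | mysql -u root -p
least_privilege_grant_sql() {
  printf "CREATE USER '%s'@'%s' IDENTIFIED BY '%s' REQUIRE SSL;\n" "$1" "$2" "$4"
  printf "GRANT SELECT ON %s.* TO '%s'@'%s';\n" "$3" "$1" "$2"
}

# --- Host firewall (run as root, iptables) -----------------------------------
# Allow loopback, replies to established sessions, SSH from the admin subnet and
# Yellowfin's HTTPS port; drop everything else. Rules are added before the policy
# flips to DROP so a remote admin session is not cut off part-way through.
apply_firewall() {
  iptables -F INPUT
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -p tcp -s "$ADMIN_NET" --dport 22 -j ACCEPT
  iptables -A INPUT -p tcp --dport "$YF_PORT" -j ACCEPT
  iptables -P INPUT DROP
}

# --- Bundled Tomcat version -------------------------------------------------
# tomcat_version TOMCAT_DIR: asks the bundled Tomcat for its version through the
# ServerInfo class that ships in lib/catalina.jar.
tomcat_version() {
  java -cp "$1/lib/catalina.jar" org.apache.catalina.util.ServerInfo 2>/dev/null | parse_server_number
}
# parse_server_number: reads ServerInfo output on stdin, prints the "Server number" value.
parse_server_number() { sed -n 's/^Server number: *//p'; }
# version_ge A B: succeeds when dotted version A is at least B (numeric per field).
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | tail -n 1)" = "$1" ]
}

# Apply everything only when invoked as:  ./harden.sh apply   (needs root)
if [ "${1:-}" = "apply" ]; then
  create_service_user
  apply_firewall
  v=$(tomcat_version "$YF_HOME/appserver")
  echo "Bundled Tomcat is $v; compare it with the current release on tomcat.apache.org."
fi
```

The `REQUIRE SSL` clause is what ties the database-traffic item to the credentials item: the server refuses that account over plaintext, so a Yellowfin data source that is accidentally configured without TLS fails to connect rather than silently sending query results in the clear. Pair `version_ge` with the minimum Tomcat version named in the advisory you are responding to, and re-run it after every Yellowfin upgrade, since the upgrade leaves Tomcat untouched.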
All of these considerations will help to increase your security stance. As always, don't hesitate to reach out and open a support ticket for any particular concerns. We are here to help!