Security researchers have discovered a vulnerability in Spring, which may affect some Yellowfin deployments.
SpringShell (Spring4Shell), CVE-2022-22965, is a critical vulnerability that could potentially lead to remote code execution on an affected Yellowfin server.
You can read more information on the vulnerability here: https://nvd.nist.gov/vuln/detail/CVE-2022-22965
Another similar Spring vulnerability, CVE-2022-22963, does not affect Yellowfin. It affects Spring Cloud dependencies, which are not used within Yellowfin software.
You can read more information on this vulnerability here: https://nvd.nist.gov/vuln/detail/CVE-2022-22963
SpringShell affected Yellowfin versions:
- Yellowfin Version 9.0 - 9.7.1
- Yellowfin Version 8.0.4 - 8.0.11
Note: These versions are only vulnerable when running Yellowfin with Java 9 or greater.
Remediation option 1: Use a patched YF
Yellowfin has released patched versions of 8.0.11 (published as 8.0.11.1) and 9.7.1 (published as 9.7.1.1) that are not vulnerable to the issue. You can get these releases from the builds page here.
Remediation option 2: Upgrade Yellowfin's Spring Dependencies
- Download spring-5.3.18.zip from https://ftp.yellowfin.bi/f/9cfd967ef889adce
- Stop Yellowfin Server
- Remove the vulnerable Spring dependencies from the Yellowfin/WEB-INF/lib folder (libraries that match spring-*.jar)
- Unzip the downloaded file, copy the new Spring dependencies into the Yellowfin/WEB-INF/lib folder
- Restart Yellowfin Server.
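To confirm that option 2 left no older Spring library behind, the following added example (not Yellowfin tooling) lists every spring-*.jar in a lib folder and flags any whose version is below 5.3.18. It assumes the jars are named spring-<module>-<version>.jar; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Yellowfin tooling: audit WEB-INF/lib after option 2.
# Assumption: jars are named spring-<module>-<version>.jar.

TARGET="5.3.18"   # version shipped in the spring-5.3.18.zip named above

# version_lt A B: succeed when dotted numeric version A is lower than B.
version_lt() {
    a_rest=$1 b_rest=$2
    while [ -n "$a_rest" ] || [ -n "$b_rest" ]; do
        a=${a_rest%%.*} b=${b_rest%%.*}
        case $a_rest in *.*) a_rest=${a_rest#*.} ;; *) a_rest= ;; esac
        case $b_rest in *.*) b_rest=${b_rest#*.} ;; *) b_rest= ;; esac
        a=${a:-0} b=${b:-0}          # a missing component counts as 0
        if [ "$a" -lt "$b" ]; then return 0; fi
        if [ "$a" -gt "$b" ]; then return 1; fi
    done
    return 1                         # versions are equal
}

# audit_spring_jars LIBDIR: print one line per spring-*.jar. Returns 0 only
# when every jar is at TARGET or newer, 1 when any jar needs attention,
# 2 when the folder holds no spring-*.jar at all.
audit_spring_jars() {
    libdir=$1 found=0 bad=0
    for jar in "$libdir"/spring-*.jar; do
        [ -e "$jar" ] || continue    # glob matched nothing
        found=$((found + 1))
        name=${jar##*/}
        # Take the numeric version and ignore a suffix such as ".RELEASE".
        ver=$(printf '%s\n' "$name" |
              sed -n 's/^spring-.*-\([0-9][0-9.]*[0-9]\).*\.jar$/\1/p')
        if [ -z "$ver" ]; then
            echo "REVIEW  $name (no version in file name)"; bad=$((bad + 1))
        elif version_lt "$ver" "$TARGET"; then
            echo "BELOW   $name ($ver < $TARGET)"; bad=$((bad + 1))
        else
            echo "OK      $name ($ver)"
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "REVIEW  no spring-*.jar under $libdir"; return 2
    fi
    [ "$bad" -eq 0 ]
}

# Stand-alone use: sh audit.sh Yellowfin/WEB-INF/lib
if [ $# -gt 0 ]; then audit_spring_jars "$1"; fi
```

Run it while the server is stopped, before the restart in the last step, so a leftover jar can be removed first.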
Remediation option 3: Upgrade Apache Tomcat
- Upgrade to Tomcat 9.0.62 if you’re currently on a version of Tomcat 9
- Upgrade to Tomcat 8.5.78 if you’re currently on a version of Tomcat 8.5
- See https://community.yellowfinbi.com/knowledge-base/article/how-to-upgrade-tomcat for the upgrade steps
Remediation option 4: Use Java 8
Note: Using Java 8 may prevent plugins or JDBC drivers that are compiled against Java 9 or greater from working.
- Stop Yellowfin Server
- Install the latest release of Java 8 on your operating system
- Update the JAVA_HOME variable:
  - For Linux/macOS/Unix deployments, JAVA_HOME is set under Yellowfin/appserver/bin/catalina.sh
  - For Windows deployments, please see the following article.
- Restart Yellowfin Server.
For any questions or concerns about the above, please reach out to the YF support team via a private ticket.
Regards,
The Yellowfin Support Team