Log4j vulnerability

Marco F Sabene shared this problem 36 days ago
Resolved

Greetings:

Our system is as follows

**********************************************************

System Information

Application Version: 7.35

Build: 20180515

Java Version: 1.8.0_311

Operating System: Windows Server 201610.0(amd64)

*********************************************************

and we need to get rid of the Log4j vulnerability. How can I safely update from log4j-1.2.17.jar to at least version 2.16.0 leaving the same 7.35 version of Yellowfin?

Respectfully,

Marco F Sabene

Comments (3)


Hi Marco,

Thanks for reaching out.

I'd recommend reviewing our community announcement on this vulnerability for mitigation instructions. I would also review other community resources like our best practices guide prior to upgrading, and have a good plan for testing and rollback.

https://community.yellowfinbi.com/knowledge-base/article/best-practice-for-performing-a-yellowfin-upgrade

https://community.yellowfinbi.com/announcement/notice-critical-vulnerability-in-log4j2

I'll go ahead and mark this problem as Resolved at this time.

Thanks,

Eric


Hi Eric,

One of the links you sent returns a 404 error, but regardless, I’ve read the notice for the critical vulnerability, but I still cannot understand if I have YELLOWFIN 7.35 what can I do about upgrading the library to our minimum acceptable version of 2.17 or probably 2.18.

What I mean, can I only go ahead and replace the whole containing folder, or only the .jar file or something else without breaking anything?

We use this version of Yellowfin for HID SAFE Reporting and I don’t want to break this reporting capability.

Any details are appreciated.

Respectfully,

Marco F Sabene


From: Yellowfin Support <support@yellowfin.bi>

Sent: Tuesday, July 12, 2022 11:12 AM

To: Sabene, Marco (USAEO) [Contractor] <msabene@usa.doj.gov>

Subject: [EXTERNAL] New Comment in "Log4j vulnerability"


Hi Marco,

These instructions may work for version 7.3 but are not tested, as Yellowfin 7.3 has been end-of-life for some time, and for continued support and patches you'll need to be on at least version 8. We do offer legacy version and upgrade support via our consulting channels, feel welcome to get in touch with an account manager for that type of assistance.

Thanks,

Eric
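
Before replacing any jar or folder, it helps to know which Log4j jars an installation actually contains and at what versions. The script below is an added example, not part of this thread and not Yellowfin's code: it walks a directory, finds jars carrying Log4j 1.x (`org.apache.log4j`) or 2.x (`org.apache.logging.log4j`) classes, and reports each one's version. `MIN_VERSION` follows the 2.17 minimum named in the thread, and the sample jars are constructed placeholders.

```python
import os, re, tempfile, zipfile

MIN_VERSION = (2, 17)  # assumption: the minimum acceptable version named in the thread
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
PREFIXES = ("org/apache/log4j/", "org/apache/logging/log4j/")  # 1.x and 2.x packages

def parse_version(text):
    """Return the first dotted version in text as a tuple of ints, or None."""
    m = re.search(r"\d+(?:\.\d+)+", text or "")
    return tuple(int(p) for p in m.group(0).split(".")) if m else None

def inspect_jar(path):
    """Return a finding for a jar that carries Log4j classes, else None."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = jar.namelist()
            manifest = (jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                        if "META-INF/MANIFEST.MF" in names else "")
    except (zipfile.BadZipFile, OSError):
        return {"path": path, "error": "unreadable"}
    if not any(n.startswith(PREFIXES) for n in names):
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    # Prefer the manifest; fall back to the file name (assumes it carries the version).
    version = (parse_version(m.group(1)) if m else None) or parse_version(os.path.basename(path))
    return {"path": path, "version": version,
            "has_jndi_lookup": JNDI_CLASS in names,
            "below_minimum": version is None or version < MIN_VERSION}

def inventory(root):
    """Walk root and report every jar that contains Log4j classes."""
    jars = sorted(os.path.join(d, f) for d, _, fs in os.walk(root)
                  for f in fs if f.lower().endswith(".jar"))
    return [hit for hit in map(inspect_jar, jars) if hit]

def make_sample(root):
    """Constructed sample tree: fake jars holding only empty marker entries."""
    jars = {"log4j-1.2.17.jar": ("org/apache/log4j/Logger.class", ""),
            "log4j-core.jar": (JNDI_CLASS, "Implementation-Version: 2.14.1\n"),
            "other-lib-3.0.jar": ("com/example/A.class", "")}
    for name, (entry, manifest) in jars.items():
        with zipfile.ZipFile(os.path.join(root, name), "w") as z:
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n" + manifest)
            z.writestr(entry, b"")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp)
        for finding in inventory(tmp):
            print(finding)
```

To use it on a real system, call `inventory()` with the application's install directory instead of the temporary sample tree.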