Log4j vulnerability
Resolved
Greetings:
Our system is as follows
**********************************************************
System Information
Application Version: 7.35
Build: 20180515
Java Version: 1.8.0_311
Operating System: Windows Server 201610.0(amd64)
*********************************************************
and we need to get rid of the Log4j vulnerability. How can I safely update from log4j-1.2.17.jar to at least version 2.16.0 leaving the same 7.35 version of Yellowfin?
Respectfully,
Marco F Sabene
Hi Marco,
Thanks for reaching out.
I'd recommend reviewing our community announcement on this vulnerability for mitigation instructions. I would also review other community resources like our best practices guide prior to upgrading, and have a good plan for testing and rollback.
https://community.yellowfinbi.com/knowledge-base/article/best-practice-for-performing-a-yellowfin-upgrade
https://community.yellowfinbi.com/announcement/notice-critical-vulnerability-in-log4j2
I'll go ahead and mark this problem as Resolved at this time.
Thanks,
Eric
Hi Eric,
One of the links you sent returns a 404 error. Regardless, I’ve read the notice for the critical vulnerability, but I still cannot understand, if I have Yellowfin 7.35, what I can do about upgrading the library to our minimum acceptable version of 2.17 or probably 2.18.
What I mean is, can I just go ahead and replace the whole containing folder, or only the .jar file, or something else, without breaking anything?
We use this version of Yellowfin for HID SAFE Reporting and I don’t want to break this reporting capability.
Any details are appreciated.
Respectfully,
Marco F Sabene
__________________________________________________________________________
Marco F. Sabene
Contractor
202-2526382
3CON – Cube 3.603
From: Yellowfin Support <support@yellowfin.bi>
Sent: Tuesday, July 12, 2022 11:12 AM
To: Sabene, Marco (USAEO) [Contractor] <msabene@usa.doj.gov>
Subject: [EXTERNAL] New Comment in "Log4j vulnerability"
Hi Marco,
These instructions may work for version 7.3 but are not tested, as Yellowfin 7.3 has been end-of-life for some time, and for continued support and patches you'll need to be on at least version 8. We do offer legacy version and upgrade support via our consulting channels; feel welcome to get in touch with an account manager for that type of assistance.
Thanks,
Eric