Sisense is aware of the recently disclosed Apache Log4j vulnerability (CVE-2021-44228). We are actively working to patch any Sisense customers that are affected by this vulnerability. Click the attachment below for continuous updates on recommended guidance for both Linux & Windows OS.
Hi Allison, Sisense,
Thanks for the statement.
Is Sisense able to clarify if there have been incidents in the Sisense managed cloud with regards to Log4j / Log4shell?
Best regards,
Wes
We are running Sisense L2021.11 on Linux. When I search the box it looks like there is some log4j 2.6 on jvmConnectors and the other log4j are 2.13 and 2.14. We do not run Cloudflare so I am looking to add the environment variable for LOG4J_FORMAT_MSG_NO_LOOKUPS which should help except for the jvmConnectors . How do I know if I am using jvmConnectors ?
Hello Sisense Community,
We are providing an update to this statement and associated files as we continue remediation efforts surrounding this vulnerability. Continuous updates are provided via the attached file on the original thread post located here: Sisense log4j vulnerability updates
Update Summary:
If you have any questions, it is recommended that you reach out to your designated CSM or visit support.sisense.com to submit a support ticket.
Hi wes-simplic ! It is so great to meet you. We are asking that any follow up questions to the statement provided above are directed either to your designated CSM or to our Support Team by visiting support.sisense.com to submit a ticket.
Hi dgorman ! Thank you for reaching out. To ensure optimal support in answering your question, please reach out to our Support Team by visiting support.sisense.com to submit a ticket.
Hi Allison;
Is there a digitally signed version of the powershell script somewhere?
Hi Allison, we just sent an email to [email protected] as suggested but got an automated reply saying
In order to improve our level of service and better track reported issues, we are no longer able to accept support ticket submissions via email.
Should I ignore this or find out ways to get support for this issue?
Please note the newly released fix for log4j (2.15) is vulnerable. Another fix was issued in 2.16
See, https://nvd.nist.gov/vuln/detail/CVE-2021-45046
Will the script included in the PDF need to be updated for this?
kash55 In the article you shared it states...
Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
The Powershell script performs the same fix as 2.16 essentially, as it is removing the JNDI classes from the libraries entirely in components where log4j is utilized, as Sisense doesn't rely on them.
DaveO I am sorry but we don't seem to have a signed version that I can reference at the moment. Do you need help in running it unsigned or maybe details on the steps it takes?
