cancel
Showing results for 
Search instead for 
Did you mean: 
Allison_Able
12 - Data Integration
12 - Data Integration

Sisense is aware of the recently disclosed Apache Log4j vulnerability (CVE-2021-44228). We are actively working to patch any Sisense customers that are affected by this vulnerability. Click the attachment below for continuous updates on recommended guidance for both Linux & Windows OS.

22 Comments
wes-simplic
7 - Data Storage
7 - Data Storage

Hi Allison, Sisense,

Thanks for the statement.

Is Sisense able to clarify if there have been incidents in the Sisense managed cloud with regards to Log4j / Log4shell?

Best regards,

Wes

Allison_Able
12 - Data Integration
12 - Data Integration

Hi @wes-simplic ! It is so great to meet you. We are asking that any follow up questions to the statement provided above are directed either to your designated CSM or to our Support Team by visiting support.sisense.com to submit a ticket. 

 

 

dgorman
7 - Data Storage
7 - Data Storage

We are running Sisense L2021.11 on Linux.  When I search the box it looks like there is some log4j 2.6 on jvmConnectors and the other log4j are 2.13 and 2.14.  We do not run Cloudflare so I am looking to add the environment variable for LOG4J_FORMAT_MSG_NO_LOOKUPS which should help except for the jvmConnectors . How do I know if I am using jvmConnectors ?

Allison_Able
12 - Data Integration
12 - Data Integration

Hi @dgorman ! Thank you for reaching out. To ensure optimal support in answering your question, please reach out to our Support Team by visiting support.sisense.com to submit a ticket.

DaveO
7 - Data Storage
7 - Data Storage

Hi Allison;

Is there a digitally signed version of the powershell script somewhere?

yy_gt
7 - Data Storage
7 - Data Storage

Hi Allison, we just sent an email to [email protected] as suggested but got an automated reply saying

In order to improve our level of service and better track reported issues, we are no longer able to accept support ticket submissions via email.

Should I ignore this or find out ways to get support for this issue?

kash55
7 - Data Storage
7 - Data Storage

@Allison_Able 

Please note the newly released fix for log4j (2.15) is vulnerable. Another fix was issued in 2.16

See, https://nvd.nist.gov/vuln/detail/CVE-2021-45046

Will the script included in the PDF need to be updated for this?

Anonymous
Not applicable

@kash55 In the article you shared it states...

Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

The Powershell script performs the same fix as 2.16 essentially, as it is removing the JNDI classes from the libraries entirely in components where log4j is utilized, as Sisense doesn't rely on them. 

Anonymous
Not applicable

@DaveO I am sorry but we don't seem to have a signed version that I can reference at the moment. Do you need help in running it unsigned or maybe details on the steps it takes? 

 

DaveO
7 - Data Storage
7 - Data Storage

We'll figure it out. I can run it fine in our test environment - was looking more at production. But I'll get with our ops team and figure it out. Thanks.

Anonymous
Not applicable

@dgorman jvmConnectors is a core component for native Connectors (vs generic ODBC/JDBC/OLE/etc) so likely a good chance you are using it. I checked with the Support team and they passed this along if you are not using a WAF...If you need additional help with this you can open a ticket here: https://support.sisense.com/kb/en/contact

 
For Linux version L2021.0 and up
Run commands below and restart build, query and management pods afterward.
 
curl --request POST -H 'Content-Type: application/json' http://$(kubectl get pods -n sisense -o wide | grep -E configuration-.*`hostname`| awk '{print $6;exit}'):3030/configurations/service/query --data '{"JavaOptions.value":"-Dlog4j2.formatMsgNoLookups=true","JavaOptions.setbyuser":true}'
curl --request POST -H 'Content-Type: application/json' http://$(kubectl get pods -n sisense -o wide | grep -E configuration-.*`hostname`| awk '{print $6;exit}'):3030/configurations/service/build --data '{"JavaOptions.value":"-Dlog4j2.formatMsgNoLookups=true","JavaOptions.setbyuser":true}'
curl --request POST -H 'Content-Type: application/json' http://$(kubectl get pods -n sisense -o wide | grep -E configuration-.*`hostname`| awk '{print $6;exit}'):3030/configurations/service/management --data '{"JavaOptions.value":"-Dlog4j2.formatMsgNoLookups=true","JavaOptions.setbyuser":true}'
curl --request POST -H 'Content-Type: application/json' http://$(kubectl get pods -n sisense -o wide | grep -E configuration-.*`hostname`| awk '{print $6;exit}'):3030/configurations/service/build-connector --data '{"JavaOptions.value":"-XX:+UseParallelGC -Dlog4j2.formatMsgNoLookups=true","JavaOptions.setbyuser":true}'
 

 

 

Anonymous
Not applicable

@yy_gt  Our apologies for sharing incorrect details, we will get that updated, but that is correct. You can open a Support ticket via: https://support.sisense.com/kb/en/contact

Allison_Able
12 - Data Integration
12 - Data Integration

Hello Sisense Community! Please note that we will be adding continuous updates to the attached pdf. If you have any questions, it is recommended that you reach out to your designated CSM or visit support.sisense.com to submit a support ticket. 

tylewis29
7 - Data Storage
7 - Data Storage

The documentation in the .pdf file seems fairly comprehensive for Windows deployments. Is there similar documentation available for Linux based deployments? 

Anonymous
Not applicable

@tylewis29 I'll pass the word on that this was requested. The linux patch is more straightforward being command line config file updates using awk to set Dlog4j2.formatMsgNoLookups=true in relative pods, which disables the vulnerable JDNI lookup functionality.

Logan_BaileyGP
7 - Data Storage
7 - Data Storage

Hi Allison,

We currently have Sisense (Version: L2021.11.0.118) deployed on Google Kubernetes Engine (GKE).  Will there be any patch/instruction available for the vulnerability for our set up?

Allison_Able
12 - Data Integration
12 - Data Integration

 

Please note that there has been a new update added to the .pdf above.  

@Logan_BaileyGP - It is recommended that you review the most recent update shared in the .pdf above and reach out to support [support.sisense.com] with any additional questions. 

 

davidlin
8 - Cloud Apps
8 - Cloud Apps

Is there any instruction to apply patch for Linux2021.11 with Kubespray deployment? 

Anonymous
Not applicable

@davidlin @Logan_BaileyGP 

We do not have any specific instructions for GKE or Kubespray upgrade, they follow the standard instructions for deployments on Linux here: Upgrading Sisense on Linux and then referencing your correct current version of your config.yaml (eg, cluster_config.yaml, cloud_config.yaml, etc) and modifying it with the update parameter.

With any cloud deployments, you should always do a backup and run your upgrade against your non-prod environment first in addition to using snapshots for easily rollback where available. 

Backing up and Restoring Sisense 

Once upgraded in your non-prod environment, you should do a QA check of the following:

  1. If you have implemented SSL, access the Sisense server from an external network, using SSL, and ensure the dashboards load as expected.
  2. If you have implemented SSO, log in to Sisense using SSO, and make sure that a user can see all of their dashboards.
  3. If you use any plugins or add-ons, load dashboards using plugins, and make sure they are loaded correctly.
  4. If you have rebranded Sisense, check the following:
    • Rebranded emails are sent and are displayed as expected
    • Homepage and logo are displayed as expected
    • Dashboards that are embedded into your site and application are working as expected
  5. If you have implemented active directory, log in to Sisense using an account from active directory and make sure your user can log in and see all of their dashboards.
  6. Create a new ElastiCube and import a data source (Excel or CSV file, or any other).
  7. If you have dashboards or widgets using custom scripts, load the dashboard or the widget to make sure they’re loaded correctly.
  8. Run a build of an existing ElastiCube successfully.
  9. Create a new dashboard, and add a Table or Pivot widget. Ensure the widget loads data.
  10. If you collected information about your environment, including how many ElastiCubes, dashboards, users, and groups you have, verify that the number of assets in the upgraded deployment is correct.
  11. Export a widget to Excel. Ensure the file is downloaded and has the relevant data.
  12. Export a dashboard to PDF. Ensure the PDF is created and opened successfully.
  13. Send a PDF report of a dashboard through Sisense and ensure it’s received.
  14. Shut down one of the query nodes and verify that dashboards return the correct result.
  15. Verify that ElastiCube distribution works and that the Last Build time in the Data Source section of the Admin page changes.

If you run into any issues on the non-prod upgrade, do not proceed and feel free to reach out to our Support team for assistance. If your upgrade goes fine and the above QA check went well, follow the same steps for your production deployment. 

Patrick_Drew
7 - Data Storage
7 - Data Storage

@Anonymous 

1. The Windows patch script doesn't scan C:\ProgramData\Sisense, which has jars with a dependency on the JndiLookup class, can you please let me know why?

Version 7.1

C:\ProgramData\Sisense\DataConnectors\GoogleSheets\Sisense.GoogleSheets.JVM.1.0.16423.96.0.0\com.sisense.connectors.GoogleSpreadsheetsConnector.jar

Version W20.21.4.10058

C:\ProgramData\Sisense\DataConnectors\Athena\Sisense.Athena.JVM.1.0.16423.20.21.4.10001.0.0\com.sisense.connectors.Athena.jar
C:\ProgramData\Sisense\DataConnectors\GenericJDBC\Sisense.GenericJDBC.JVM.1.0.16423.20.21.4.10001.0.0\com.sisense.connectors.GenericJDBC.jar
C:\ProgramData\Sisense\DataConnectors\GoogleAds\Sisense.GoogleAds.JVM.1.0.16423.10001.0.0\com.sisense.connectors.GoogleAds.jar
C:\ProgramData\Sisense\DataConnectors\GoogleAnalytics\Sisense.GoogleAnalytics.JVM.1.0.16423.10001.0.0\com.sisense.connectors.GoogleAnalytics.jar
C:\ProgramData\Sisense\DataConnectors\GoogleBigQuery\Sisense.Google BigQuery.JVM.1.0.16423.20.21.4.10003.0.0\com.sisense.connectors.GoogleBigQuery.jar
C:\ProgramData\Sisense\DataConnectors\GoogleSheets\Sisense.GoogleSheets.JVM.1.0.16423.20.21.4.10001.0.0\com.sisense.connectors.GoogleSpreadsheetsConnector.jar
C:\ProgramData\Sisense\DataConnectors\MemSql\Sisense.MemSQL.JVM.1.0.16423.20.21.4.10001.0.0\com.sisense.connectors.Memsql.jar
C:\ProgramData\Sisense\DataConnectors\MongoDB\Sisense.MongoDB.JVM.1.0.16423.20.21.4.10003.0.0\com.sisense.connectors.Mongodb.jar
C:\ProgramData\Sisense\DataConnectors\MsSql\Sisense.MsSql.JVM.1.0.16423.10002.0.0\com.sisense.connectors.MsSql.jar
C:\ProgramData\Sisense\DataConnectors\Mysql\Sisense.MySQL.JVM.1.0.16423.20.21.4.10001.0.0\com.sisense.connectors.MySql.jar
C:\ProgramData\Sisense\DataConnectors\Oracle\Sisense.Oracle.JVM.1.0.16423.20.21.4.10001.0.0\com.sisense.connectors.OracleJdbc.jar
C:\ProgramData\Sisense\DataConnectors\Postgresql\Sisense.Postgresql.JVM.1.0.16423.20.21.4.10001.0.0\com.sisense.connectors.Postgresql.jar
C:\ProgramData\Sisense\DataConnectors\Redshift\Sisense.Redshift.JVM.1.0.16423.20.21.4.10001.0.0\com.sisense.connectors.Redshift.jar
C:\ProgramData\Sisense\DataConnectors\Salesforce\Sisense.Salesforce.JVM.1.0.16423.20.21.4.10001.0.0\com.sisense.connectors.Salesforce.jar
C:\ProgramData\Sisense\DataConnectors\Snowflake\Sisense.Snowflake.JVM.1.0.16423.20.21.4.10001.0.0\com.sisense.connectors.Snowflake.jar


2. Sisense has dependencies on Log4J 1 via Zookeeper and Logstash, which is end of life also has a CVE. What steps is Sisense taking to mitigate this vulnerability?

Anonymous
Not applicable

Hello Sisense Community,

We are providing an update to this statement and associated files as we continue remediation efforts surrounding this vulnerability. Continuous updates are provided via the attached file on the original thread post located here: Sisense log4j vulnerability updates 

Update Summary:

  • Updated statement on additional log4j vulnerabilities and remediation paths
  • Additional Linux versions patched/released
  • Windows Patch has been revised to include additional validation and directory scanning
  • Windows Patch instructions have been moved to a separate file and instructions updated to reflect patch revision

If you have any questions, it is recommended that you reach out to your designated CSM or visit support.sisense.com to submit a support ticket. 

 

Anonymous
Not applicable

@Patrick_Drew 

Happy New Year and apologies for missing your comment. The latest Windows patch revision from 12/23 should address scanning for those directories. If you rerun the revised patch and have any issues please let our Support Team know. 

For the Log4j 1 dependancies I'll inquire with our team internally for a definitive answer and share here as soon as I can. 

 

 

Contributors
Community Toolbox

Recommended quick links to assist you in optimizing your community experience:

Share this page:

Developers Group:

Product Feedback Forum:

Need additional support?:

Submit a Support Request

The Legal Stuff

Have a question about the Sisense Community?

Email [email protected]

Share this page