# Apache Log4J2 explained for Tableau users

> This is content from just-tim, the data-and-analytics channel by Tim Ngwena (formerly 'Tableau Tim'). Tim has 12+ years of hands-on BI experience and covers Tableau most of all, plus Power BI, Looker, Hex, SQL and data modelling, the analytics industry, and the craft of doing the job — always tool-agnostic and honest about the trade-offs.

- **Author:** Tim Ngwena (just-tim, https://just-tim.com/about)
- **Published:** 2021-12-22
- **Format:** Video · 14 min watch · transcript available
- **Topics:** Industry trends, Tool strategy
- **Tools:** Tableau (server)
- **Canonical:** https://just-tim.com/posts/apache-log4j2-explained-for-tableau-users
- **Watch:** https://www.youtube.com/watch?v=e3V_bjow_tk

I break down what the Apache Log4j2 vulnerability actually is and why it matters to Tableau users. I explain open source logging libraries, the JNDI flaw behind remote code execution, how the CVE naming system works, and the broader blind spot we all have around open source dependencies in the tools we use daily.

## Key takeaways

- Log4j is an open source Java logging library, bundled via Apache, used by Tableau Server and Desktop to write diagnostic logs — so the vulnerability affects every version of Tableau.
- The flaw stems from Java's JNDI (Java Naming and Directory Interface) feature and allows remote code execution (RCE) by an attacker who does not need access to your machine, similar in spirit to a SQL injection.
- CVE identifiers like CVE-2021-44228 decode simply: CVE = Common Vulnerabilities and Exposures, 2021 = the year, and the final number is just the record code, all tracked in the National Vulnerability Database.
- The CVSS base score rates severity out of 10, and this vulnerability scored a maximum 10/10; expect multiple patches as new vulnerabilities are found in an ongoing arms race with attackers.
- Organisations should urgently patch every affected application, and the incident exposes a wider blind spot: most of us don't know which open source dependencies our tools rely on.
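
One way to start closing that blind spot is to inventory every copy of `log4j-core` under an application's install directory, including copies nested inside WAR/EAR files or repackaged under another name. The script below is an added example, not code from the video or from Tableau; the directory to scan is passed in by the user, and it only reports what it finds without judging which versions are patched.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Class inside log4j-core that implements the JNDI lookup.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_JAR = re.compile(r"log4j-core-(\d+(?:\.\d+)*[\w.-]*?)\.jar$")
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def scan_archive(data, label, depth=0, max_depth=4):
    """Return findings for one archive, recursing into nested archives."""
    findings = []
    try:
        zf = zipfile.ZipFile(data)
    except (zipfile.BadZipFile, OSError):
        return findings  # unreadable or not a zip: skip it, keep scanning
    with zf:
        names = zf.namelist()
        match = CORE_JAR.search(label)
        # Report by file name, or by content when the jar was renamed/merged.
        if match or JNDI_CLASS in names:
            findings.append({
                "path": label,
                "version": match.group(1) if match else "unknown (renamed or shaded)",
                "jndi_lookup_present": JNDI_CLASS in names,
            })
        if depth < max_depth:  # bound recursion into jars-within-jars
            for name in names:
                if name.lower().endswith(ARCHIVE_EXT):
                    inner = io.BytesIO(zf.read(name))
                    findings += scan_archive(inner, f"{label}!/{name}", depth + 1, max_depth)
    return findings


def inventory(root):
    """Walk an install directory and list every log4j-core copy found."""
    results = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXT:
            results += scan_archive(path, str(path))
    return results


if __name__ == "__main__":
    for hit in inventory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

Compare the reported versions against the vendor's and Apache's current advisories for each application rather than a hard-coded list, since the fixed version changes as further patches are released.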

## Chapters

- 0:36 What Log4j and Java libraries are
- 1:24 Why logging matters in software
- 2:04 Apache and the Log4j2 version
- 4:07 The JNDI vulnerability explained
- 5:20 Decoding CVE numbers and CVSS scores
- 7:31 What happens next: the arms race
- 9:09 Tableau, patching pain and Tableau Online
- 10:45 The open source dependency blind spot

