Apache Log4J2 explained for Tableau users
When I first heard the term Log4j I Googled it — worst possible time — so here's what it actually is and why every Tableau user should care.
- Log4j is an open source Java logging library, bundled via Apache, used by Tableau Server and Desktop to write diagnostic logs — so the vulnerability affects every version of Tableau.
- The flaw stems from Java's JNDI (Java Naming and Directory Interface) feature, allowing remote code execution (RCE) without needing access to your machine, similar in spirit to a SQL injection.
- CVE identifiers like CVE-2021-44228 decode simply: CVE = Common Vulnerabilities and Exposures, 2021 = the year, and the final number is just the record code, all tracked in the National Vulnerability Database.
- The CVSS base score rates severity out of 10, and this vulnerability scored a maximum 10/10; expect multiple patches as new vulnerabilities are found in an ongoing arms race with attackers.
- Organisations should urgently patch every affected application, and the incident exposes a wider blind spot: most of us don't know which open source dependencies our tools rely on.
- What Log4j and Java libraries are (0:36)
- Why logging matters in software (1:24)
- Apache and the Log4j2 version (2:04)
- The JNDI vulnerability explained (4:07)
- Decoding CVE numbers and CVSS scores (5:20)
- What happens next: the arms race (7:31)
- Tableau, patching pain and Tableau Online (9:09)
- The open source dependency blind spot (10:45)
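
One way to narrow the dependency blind spot named in the summary is to inventory the Java archives actually sitting on a machine. The following is an added example, not code from the video, Tableau or Apache: it walks a directory, opens `.jar`/`.war`/`.ear`/`.zip` files (including jars packed inside other archives), and reports every copy of log4j-core with its recorded version and whether the JNDI lookup class is present. The sample tree and its version string are constructed placeholders.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

ARCHIVES = (".jar", ".war", ".ear", ".zip")
# Entries found inside a log4j-core jar: its Maven metadata and the JNDI lookup class.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MAX_DEPTH = 4  # how far to follow archives packed inside other archives

def inspect_archive(data, label, findings, depth=0):
    """Record log4j-core evidence in one archive, then recurse into nested ones."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # wrong extension or corrupt file: nothing to report
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_CLASS in names:
            text = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
            match = re.search(r"^version=(.+)$", text, re.M)
            findings.append({"where": label, "jndi_lookup": JNDI_CLASS in names,
                             "version": match.group(1).strip() if match else "unknown"})
        if depth < MAX_DEPTH:
            for name in sorted(names):
                if name.lower().endswith(ARCHIVES):
                    inspect_archive(zf.read(name), f"{label}!{name}", findings, depth + 1)

def scan_tree(root):
    """Walk a directory and return one finding per log4j-core copy."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            inspect_archive(path.read_bytes(), path.relative_to(root).as_posix(), findings)
    return findings

def make_jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def build_sample_tree(root):
    """Constructed sample data; the version string is a placeholder, not a real release."""
    core = make_jar({POM_PROPS: "artifactId=log4j-core\nversion=0.0.0-sample\n", JNDI_CLASS: b"stub"})
    war = make_jar({"WEB-INF/lib/log4j-core.jar": core, "index.html": "hi"})
    for rel, data in {"app/lib/log4j-core.jar": core, "server/webapp.war": war,
                      "other/util.jar": make_jar({"Util.class": b"stub"})}.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(*scan_tree(tmp), sep="\n")
```

Compare each reported version against the vendor's advisory for the product that bundles it; a copy nested inside a WAR is reported with a `!` separating the outer archive from the inner path.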
0:00When I first heard about the term log4j,
0:01the first thing I did was Google it. I had
0:03no clue what it
0:04was. So I googled it. And of course, the
0:06thing that came up were all the headlines,
0:08the worst
0:09time to Google for something like that.
0:11Nonetheless, we're about a week after the
0:13incident,
0:14and everything is sort of being packed,
0:16things are being actively fixed as we speak.
0:18And so I thought
0:18I'd do a little bit of a deep dive into
0:21actually understanding what log4j actually
0:24is, and what is
0:25open source software doing inside of Tableau.
0:27And more importantly, this has maybe
0:29highlighted a
0:30blind spot I think I've personally had with
0:33open source software being used in tools
0:35that we use
0:36every single day. Let's get stuck in log4j
0:39is an open source utility used for logging
0:42in a Java
0:42environment. Okay, let's just break that
0:44down. Because for most people that made
0:46zero sense.
0:47Let's work backwards. Java is a programming
0:49language used to develop software. Now,
0:52when you develop software in a community of
0:54people, essentially, you find that the same
0:57set
0:57of developers are doing the same sort of
0:59things. Let's say I wanted to make a music
1:00app, every
1:02single music app has to play music. So
1:04instead of hundreds of developers writing
1:06the code to play
1:07music, I might decide to write that code in
1:09such a way that other people can use it a
1:12bit like a
1:12template. Let's just call those libraries
1:14in this instance. And so in this particular
1:17case, log4j is
1:18a library that allows other programmers to
1:21take advantage of the logging capabilities
1:23in Java.
1:24Now, writing logs is pretty normal in all
1:26software, essentially, when a developer
1:28writes a program,
1:30sometimes they need to be able to look at
1:31issues in their software. And so what they
1:34do is they
1:34leave themselves opportunities to write
1:37verbose text to a particular file, so that
1:39if something
1:40goes wrong, they can look at those files
1:42and figure out what's going wrong. Tableau
1:44server
1:44does this to create logs for admin so they
1:46can understand what's going wrong with
1:48their server,
1:49Tableau desktop, if you've ever had to get
1:51in touch with support, they sometimes ask
1:53you to
1:53create logs, and then send it into them so
1:55they can look at a very granular level,
1:58what is going
1:58wrong and what's happening in this
2:00particular case, log4j is just helping with
2:02this process.
2:03And it's specifically a part of Apache.
2:06Well, some of you probably now asking what
2:08the hell is Apache
2:09got to do with it, I thought we were
2:11talking about log4j. And this is about
2:13Tableau. So why have we
2:14got a third piece of software in this mix?
2:16Well, Apache is an open source piece of
2:18software that's
2:19typically integrated into lots of
2:21applications to help them do various things,
2:24especially around
2:25web communications. But in essence, Apache
2:28log4j is actually where this library comes
2:31from. And the
2:32issue here is that Apache itself is written
2:34in Java and Java is of course, where this
2:36issue
2:37exists. Now, if you look around the
2:39documentation, you'll see that Tableau
2:41refer to this as Apache
2:42log4j2. So I've explained what log4j is.
2:46log4j2 is just version two of log4j.
2:49Essentially, this was a
2:50new version of log4j that was introduced to
2:52make things a little bit easier. Think of
2:54it as like
2:56the new version of an iPhone, essentially,
2:57there's version one, then there's version
2:59two, that's all
3:00it really means. The reason that too is
3:01important is because these vulnerabilities
3:03actually start
3:04and in version 2.15. So the full sort of
3:08version that this issue originated from was
3:11log4j2.15.
3:14And this is actually where the
3:15vulnerabilities started from. And that's
3:17correct, I'm saying
3:18vulnerabilities because there wasn't just
3:20one. Essentially, typically, when these
3:22vulnerabilities
3:23are found, they're very quickly patched,
3:25but then it becomes an arms race between
3:28the people who
3:28develop the software and the code and the
3:30library, versus hackers who are now out
3:33there finding new
3:34vulnerabilities. And as these are found,
3:36they're also then quickly fixed. So there
3:38are multiple
3:39vulnerabilities. And I wouldn't expect
3:41these to be the last set of vulnerabilities
3:43that you find
3:44as they patch this. And as the world turns
3:46attention to this particular library, poor
3:49people
3:49who work on this library, and more and more
3:51vulnerabilities will inevitably be found to
3:53do
3:53various things. And they'll be coming out
3:55with patches as those come out. So that's
3:57something
3:58to expect. Okay, so now we understand what
4:00log4j is, we understand why Tableau is
4:02using it. The
4:03next thing to understand is, what is this
4:05vulnerability? And why is it so serious?
4:07Well,
4:07in essence, the vulnerability originates
4:09from a particular capability in Java called
4:12a JNDI,
4:13have to read the acronym here, it stands
4:15for Java Naming and Directory Interface. In
4:18a nutshell,
4:19it turns out this feature was added to make
4:20working with logs a little bit easier. But
4:23unfortunately, it left a massive gaping
4:25hole in terms of vulnerability, essentially,
4:27someone can
4:28run remote code execution, this is
4:30nicknamed RCE on your machine without even
4:34having to have access
4:35to your machine because of the way this
4:37feature works with logs. It's very similar
4:39to a SQL
4:40injection, which you might already be
4:41familiar with if you're a web developer, or
4:43you've worked
4:44with databases in the past. Now the fixes
4:46are out there. So I'll urge you to please,
4:48please just
4:49take this seriously. This affects every
4:51version of Tableau. And it doesn't just
4:53affect Tableau,
4:54it affects any piece of software that's
4:56using this particular library. And the
4:59problem is,
5:00is this library in itself is part of other
5:02tools. And so you might not even think the
5:05application
5:05is using this, but you just have to go and
5:08check and make sure look at all the advice,
5:10research,
5:11all the applications on your machine on
5:13your servers, and make sure that they've
5:15patched
5:15this particular vulnerability. Check out my
5:17video on that, that I released just a few
5:19days ago. Now
5:20we're not done yet, because there's a whole
5:22bunch of numbers and names and nicknames
5:24that are thrown
5:24around. Tableau themselves keep referring
5:27to this particular naming structure for
5:29these
5:29vulnerabilities, which goes a little
5:30something like this. I have to read this
5:32out again,
5:32because there's just so many of them.
5:35CVE-2021-44228. That's one of these
5:38vulnerabilities.
5:39And the next one is CVE-2021-45046. What
5:43are all these numbers? What do they all
5:45mean? Well,
5:46I had a little bit of a digging around and
5:48I found the answer. It sounds complex, more
5:50complex,
5:51and it ought to be. Let's break this down
5:53in very simple steps. The way to think of
5:55this is
5:55they're essentially identified in a
5:57database. It's like an order ID in super
5:59store sales.
6:00CVE stands for common vulnerabilities and
6:03exposures. That's essentially all it stands
6:06for.
6:06The 2021 simply stands for the year. So
6:09that's 2021, the year we're currently in.
6:12And the final
6:13number, the 44228, is essentially just a
6:16code. It just refers to this particular
6:18vulnerability.
6:19And so if you go and click on the links
6:20that Tableau have linked to, it takes you
6:22to a page
6:23which tells you more about this
6:25vulnerability, its risk factors, its score,
6:28and other factors
6:28that you should be aware of. All this
6:30information is stored at the National
6:32Vulnerability Database.
6:33I'll have a link to that in the description.
6:35In there, they have a list of
6:36vulnerabilities
6:37that have been recognized. Now, this looks
6:39like an American website, but I'm sure
6:41these
6:41vulnerabilities are shared worldwide. So
6:43whatever is going on here is probably
6:45watched worldwide
6:46because software is developed in one place,
6:48but it applies to everyone equally. Now,
6:50there's
6:51something called the base score, which is
6:53also known as a CVS score. This stands for
6:55common
6:55vulnerability scoring system. And the
6:58scoring here is essentially just telling
7:00you how serious
7:01this risk is. And this particular
7:03vulnerability got a 10 out of 10. That
7:05essentially means
7:06in terms of its impact and its severity, it
7:09scored full marks, which is not a good
7:11thing.
7:11If you head to the website again and go to
7:13the specific vulnerability and click on the
7:15score,
7:16it actually breaks down all the individual
7:18components. And if you're a nerd like me,
7:21hover over those individual score items,
7:23and it actually tells you what risk factors
7:25are involved,
7:26which each of those contributing factors
7:27for the overall score. There's actually a
7:29formula
7:30that drives that. Okay, so now that we know
7:32what it is, we know the impact, and we know
7:34the
7:35severity. What happens next? Well, let me
7:37break this down into three perspectives.
7:40The first one
7:40is people like you and me and the companies
7:43we work for. In essence, we're now in an
7:45arms race.
7:46We're in this arms race to fix and patch
7:48this problem. Because when an exploit like
7:51this goes
7:51worldwide, essentially, there are people
7:53out there, they're called black hat hackers,
7:55black hat hackers
7:56are the bad kind of hackers are out there
7:58trying to make the most of this exploit. So
8:01it's absolutely
8:02vital that organizations people take
8:04advantage of the resources being put out
8:06there to make sure you
8:08patch this issue. Companies like CloudFlare
8:10are trying to do it at a network level,
8:12your system
8:13admins internally and your organizations
8:15are doing it on premise with all the
8:17internal software,
8:18so that someone doesn't take advantage of
8:20this exploit. But in essence, this is an
8:22arms race.
8:23But the thing to note here is that this
8:25exploit has existed since 2013, when this
8:28feature was
8:28first introduced into this library. So the
8:30other thing you got to ask yourself is, how
8:33many times
8:33has this exploit been taken advantage of
8:36before actually hit the mainstream media?
8:39Did the person
8:39who found out about it first take advantage
8:42of that exploit before they shared it with
8:44the world
8:45and have other people figured it out and
8:46not just said anything? These are the kind
8:48of vulnerabilities
8:49that really send shockwaves and make you
8:51realize that working with open source
8:53software is not
8:54necessarily dangerous. I think it's a
8:56perfectly fine practice. But we really need
8:58to start taking
8:59and making sure we're aware what's in our
9:01software, and what's actually being done to
9:03support those
9:04projects to make sure that they're not
9:06exposed to vulnerabilities like this
9:08particular one.
9:09Now as a customer of Tableau, this is probably
9:10the first time where an issue with open
9:13source software
9:13sort of reared its ugly head inside of our
9:16community in such a big way that we've all
9:18noticed.
9:19We don't know how many times in the past
9:20vulnerabilities have been found that just
9:22haven't
9:23made the mainstream media, we just have to
9:25assume that that must have happened at
9:26least once. For
9:27everything you hear in the media, there's
9:29always a story that goes unreported, and
9:30that's just
9:31something we all know. And so you have to
9:33ask yourself, how do we know about these
9:36vulnerabilities
9:37when they are fixed? Is there a record of
9:39these fixes as they're done? So we're
9:40actually aware
9:41that Tableau is on top of this, I'm sure
9:43the Tableau security team do keep a track
9:45of this.
9:45And lastly, I bet you that Tableau Online
9:48is looking sort of attractive to some
9:50server admins
9:51right now, because server admins were kind
9:54of forced into a really dark corner. I say
9:56dark,
9:56not in a bad way, but dark in a very sort
9:59of stressful way. Because just a few months
10:01ago,
10:02we had the end of support for certain
10:04versions of Tableau. And those versions of
10:07Tableau were
10:08not patched in this recent fix for this
10:10particular issue. So a lot of people have
10:13gone through sort
10:14of jumped hoops to get their upgrade cycles
10:16done in time. But however, that's sort of
10:19been a kicker,
10:20because then they've now had to do security
10:22patches almost immediately after. And for
10:24some
10:24organizations, upgrades are one thing, but
10:27even just doing a small patch over a
10:28weekend is not a
10:29straightforward thing. So a lot of
10:31organizations just took their server down.
10:34And they've been
10:35without service, because they're obviously
10:37aware of this vulnerability, they don't
10:38want to be
10:39exposed to it, especially if you're working
10:41in a really large company that would be an
10:42easy target
10:43for a hack like this. Now, as I've said
10:45before, the practice of using open source
10:47software is not
10:48a bad one. If you open up Spotify and go
10:50look at the third party list under the help
10:52button,
10:53you'll see that they use a bunch of
10:54applications that are used in Spotify and
10:56Tableau, they're
10:57completely different applications. But I'm
10:59just highlighting that this practice isn't
11:01something
11:01that's rare, it's actually quite common.
11:03The downside is when large companies are
11:05using it
11:05and taking advantage of open source
11:07software, but not putting something back
11:09into it to make them
11:10safer and secure. So what I really hope
11:12that comes out of all of this is two things.
11:14Number one,
11:15companies like Tableau really step up and
11:17sort of step up to the moral responsibility
11:19of helping out
11:20these libraries that they do depend on that
11:22run the sort of the core of their products,
11:24and make sure that those projects are
11:26resourced to stay safe, stay secure, and make
11:29sure they're
11:29well maintained. If no one maintains them,
11:31they become a vulnerability vector. And if
11:33they become
11:33a vulnerability vector, then we're all
11:35doing what we've been doing for the last
11:37two weeks,
11:37it's not ideal. The second thing, which I'm
11:40not too familiar with, and I think is a
11:42huge blind spot
11:42that I've had personally, maybe you'll
11:44share in this emotion with me. And that is,
11:47I actually
11:47don't have a good understanding of what
11:49open source libraries and technologies are
11:51being used
11:52in Tableau. Because the thing you have to
11:54understand is that each and every one of
11:56those
11:56open source libraries in themselves also
11:59have dependencies that are based on other
12:01things. And
12:02so when you build software and you use a
12:05library like Apache, and then Apache itself
12:08is using
12:08another library called log4j, and log4j is
12:11written in Java, you have this incredible
12:14matrix of
12:15dependencies. And you need to really
12:17understand that for every single dependency
12:19in your software.
12:21And although Tableau build Tableau, and we
12:23expect them to do that really well, I don't
12:25think I've
12:25ever really questioned Tableau on what are
12:28the open source software they're using? And
12:30how do
12:30we know that they're keeping track of all
12:32the vulnerabilities that are available in
12:34that. Now,
12:35it's obviously Tableau security team job to
12:37do this. And if they advertise these
12:39vulnerabilities,
12:40that doesn't help them either. But what I
12:42would love to do is just have a list of
12:44open source
12:44dependencies that Tableau uses in a very
12:47sort of transparent and neutral way, one
12:49that celebrates
12:50those particular capabilities, but also one
12:53that lets me know what open source
12:55technologies I need
12:55to be tracking to make sure that I include
12:58them in my sort of threat matrix of issues
13:00that are going
13:00on with security, if that makes sense. So
13:03I've actually asked the question on the
13:05Tableau forums,
13:05I put a link to it in the comments below.
13:07So go ahead, go to that question. I'd
13:09really love
13:09to discuss it take place in the Tableau
13:11forums rather than here. And yeah,
13:13hopefully this video
13:14has been useful to try and explain what
13:16log4j is. Check out my previous video to find
13:19out what to do
13:20to fix log4j in the context of Tableau. And
13:22lastly, if you found this video useful,
13:24then
13:25do the nice thing, hit the like button, hit
13:27subscribe, one of those two would be great.
13:29If you don't do either of that your
13:31viewership is more than appreciated. Thanks
13:33for watching.
13:34I'll catch you in the next video.
In this video, I took a bit of time digging into what Log4j is and some of the issues that this vulnerability has brought up.
My Tableau forums post: https://j.mp/3ql0MtK
Links:
- Log4j Website: https://j.mp/3H93CsG
- Tableau open source libraries: https://tableau.github.io/
- Log4j explainer: https://j.mp/3sAJI5s
- CVE explainer: https://j.mp/3JbDyP8
- National vulnerability database: https://j.mp/3H375J9
- Vulnerabilities: https://j.mp/3qqdpUu
- NVD scoring calculator: https://j.mp/33Tj4uv
- Scoring calculator for one of the codes: https://j.mp/33T3fEb
- Types of hackers: https://j.mp/3mrxvwq

Chapters:
- 00:00 - In case you’ve been under a rock
- 00:38 - What is Apache Log4j
- 03:58 - What’s the vulnerability
- 07:31 - What happens next
- 11:44 - Some final thoughts