LOG4J2 fix for All Tableau products - (Updated 15th December) see description for more

0:00Hey, Sim here. This is probably one of the

0:02most important videos I've made all year.

0:04If you're

0:04using a version of Tableau that is older

0:07than 2020.4 and it's not the most recent

0:10build of 2020.4,

0:12then you need to uninstall it or update it

0:15immediately. So I'm literally rendering

0:18this

0:18video on the Log4j2 vulnerability. I just

0:22literally recorded it thinking that there's

0:25a fix

0:26to the original vulnerability. Now there

0:29actually is and everything you're going to

0:31see in this

0:32video is something I would still recommend

0:34you do because it does reduce your risk

0:36from this particular vulnerability. But

0:39there is yet another issue with this Log4j2

0:42particular patch. Big thanks to Mark Reed,

0:46Tableau's endmaster, for alerting me to

0:49this

0:49right before I published this video. So

0:51what I'm going to do is I'm going to put

0:53this in the

0:54description. I don't have time to re-record

0:56the video so I'm going to put the notes to

0:58that

0:59particular new issue in the description of

1:01this video. And so everything I'm saying in

1:04this video

1:05just watch it but bear in mind that there

1:07might yet be another set of updates after

1:09what I've

1:10recommended doing in this video in order to

1:12be fully up to date and not be vulnerable

1:15to the Log4j2

1:16vulnerabilities that are being discovered

1:19as we speak. So yeah that's just a small

1:22sort of

1:23preamble for this video. Enjoy the rest of

1:25it. In essence the Log4j2 vulnerability

1:28that has sort of

1:28been moving through the technology sphere

1:30at the moment has a vulnerability that

1:32essentially allows

1:33for remote code execution in products that

1:36use this particular technology in Apache.

1:39Now Apache is a piece of open source, I

1:41think it's open source software, I'm going

1:43to call it

1:43software it's probably not the right term,

1:45but essentially it's a particular

1:47technology that's

1:48incorporated in lots of software to allow

1:50it to sort of communicate with the web and

1:52other web-based

1:53technologies. Now in essence because all of

1:56Tableau products use this capability, all

1:59Tableau

1:59products are affected and you might think

2:01this only involves server or Tableau Online

2:03. This

2:04actually involves every single Tableau

2:06product. Tableau Desktop, Tableau Public,

2:09Tableau Reader,

2:11Tableau Online, Tableau Server, Tableau

2:13Prep Builder for Mac, Windows and all of

2:16those Tableau Online

2:17Tableau Desktop, you know everything

2:19everything's affected. You know whether it

2:21's Linux, Windows or

2:22Mac it's affected. This vulnerability is

2:25sort of one of those vulnerabilities that

2:27comes through

2:27in the technology sphere and just you know

2:29shakes everything up. Now it's super

2:31important you update

2:33and the reason the version really matters

2:34here is because if you're using an older

2:36version of 2020.4

2:38then you've kind of been forced into an

2:40unhappy wedge here because any older

2:43version of Tableau

2:45doesn't actually have maintenance anymore.

2:47So this is one of those weird cases where

2:49maintenance ended for 2020.3 and older and

2:53a while back essentially Tableau said they

2:56weren't going to

2:56patch these. If I go to the Tableau website

2:59here, let me go to the desktop builds

3:01because these are

3:02a bit easier to see and I go to 2020.3 and

3:05I go to the most recent release, 15th of

3:08September,

3:09you'll see here that when I go to this page

3:11there's an early end of maintenance notice

3:13here

3:13that essentially says that Tableau is not

3:15going to be updating this going forward.

3:17Why this really

3:18matters is when a vulnerability comes up

3:19because what they're not going to do is

3:21update this version

3:23to meet that vulnerability. So if you go

3:25back to the downloads and you look at 2020.

3:284 you'll see

3:29they actually have patched that specific

3:31version. So if I go back go to 2020.4 and

3:34look at the update

3:35from the 15th of December then you'll see

3:37that the patch that was applied here is for

3:39this particular

3:40vulnerability. Now the thing to bear in

3:43mind here is that you can't just be on 2020

3:46.4 you have to be

3:48on the version released on the 15th of

3:50December with all versions whether it's

3:52Tableau prep if

3:53I go to the latest version here for example

3:56and I look at this you'll see that this was

3:58specifically

3:58fixed in the 15th of December and with

4:01Tableau prep there's another kicker because

4:03if you go back

4:05and they don't actually often update older

4:08versions so for Tableau prep you can't stay

4:11on an older

4:12version and assume to get the latest

4:14features right so if you're on Tableau prep

4:17your only

4:18option really is to update to 21.4.2 that

4:21you can't use an older version it's just it

4:24's just

4:24not an option because those versions have

4:27not been patched to meet this vulnerability

4:30. So the other

4:30complication here is that each software has

4:33a slightly different requirement with

4:35desktop

4:36if I go to let's say 21.3 and I look at the

4:38patches you see they have actually patched

4:41this

4:41to meet the latest releases so because of

4:44the way Tableau prep works essentially

4:46every release is a

4:47patch so therefore you can't sort of expect

4:50them to patch older versions to meet today

4:53's requirements

4:53for this particular vulnerability sort of a

4:55weird thing to have to explain to people.

4:57Tableau version

4:58numbers and patches and updates and

5:00upgrades are just sometimes a complex thing

5:02to explain maybe

5:03that's a video in itself but nonetheless

5:05that's something to be aware of. If you're

5:07using Tableau

5:08prep your only option to fix this

5:10vulnerability is to install the latest

5:12version that's not just

5:14the one that was patched today or 15th of

5:16December depending on when you watch this

5:18specifically 2021.4.1 is the only version

5:23that has this particular patch for this

5:26vulnerability.

5:28Now if I go back, Tableau have this really

5:31nice support guide which you can sort of go

5:33through

5:34essentially the main option here is to

5:35update if you don't want to update let's

5:37say you want to do

5:38something else that's also fine what I'd

5:40encourage you to do is to just look at this

5:43knowledge base

5:44article I'll put a link to it in the

5:45description so you can check it out

5:47yourself there are

5:47different instructions if you don't want to

5:50update your software what I will say about

5:52these is that

5:52I think they're a little hard to maintain

5:55there's a lot of steps 11 steps for Linux,

5:578 steps for Windows, 9 I mean these are not

6:00the kind of steps that most people in

6:02corporate

6:03environments can do without having some

6:05sort of admin access you know on Mac OS

6:08doing suited

6:08commands on a work laptop is going to

6:11require you to have admin rights on your

6:13computer.

6:14On Windows editing things like your

6:16registry and going in and changing

6:18directories specifically

6:20where things are installed and changing the

6:22values of all these things is also going to

6:25require admin

6:25rights I'm pretty certain it's going to

6:28require admin rights so definitely try and

6:31check to see

6:32okay is your organization already doing

6:34this if you're using Tableau on your

6:35personal machine

6:36Tableau public Tableau desktop then you

6:38need to just go ahead and do these things

6:40anyway

6:40by far the easiest thing to do is just to

6:43update Tableau this way you know you've got

6:45the latest

6:46version of Tableau if something else comes

6:47out with this vulnerability you know that

6:49you're up

6:50to date and you can essentially just keep

6:52updating but for everything else you need

6:54to uninstall

6:55older versions and make sure you uninstall

6:57them because you're still exposed if you've

6:59got them

6:59sitting on your laptop you've still got

7:01them sitting there and someone could send

7:03you a

7:03workbook that's targeted for one of these

7:05older versions you could sort of innocently

7:07open it

7:07and make a mistake and now your laptop

7:09becomes compromised and someone can take

7:12control of your

7:12laptop using this vulnerability then from

7:14your laptop get access to your server and

7:16all your data

7:17it's a nightmare you don't want to live in

7:20so update Tableau it's really important and

7:23yeah

7:23I'll catch you in the next video.