Alteryx Promote - Apache Log4j2 vulnerability

kchen (Alteryx)

Issue

Recently discovered vulnerabilities in the Apache Log4j library allow remote code execution; Alteryx has identified affected components in the Alteryx Promote product.


Environment Details

  • Alteryx Promote

Technical Impact:

The following two Promote services have been identified as at risk: logstash and elasticsearch.

Elasticsearch:
  • Promote versions <= 2019.1 and >= 2018.3
    • Use elasticsearch 6.2.4 and Java Development Kit (JDK) 8u161. These are susceptible to Information Leakage via DNS and Denial of Service (DoS). Because of the Java Security Manager, this configuration is not vulnerable to Remote Code Execution (RCE).
  • Promote versions < 2018.3
    • Use elasticsearch 5.6.4 and are susceptible to RCE, DoS, and Information Leakage.
Logstash:
  • Promote versions >= 2019.2
    • Use logstash 6.6.2 and JDK 8u201. According to official guidance, JDKs newer than 8u191 are NOT susceptible to Remote Code Execution; they remain susceptible to DoS and Information Leakage (including environment variables).
  • Promote versions <= 2019.1 and >= 2018.3
    • Use logstash 6.2.4 and a JDK older than 8u191 and are susceptible to Remote Code Execution, DoS, and Information Leakage (including environment variables).
  • Promote versions < 2018.3
    • Use logstash 5.3.2 and a JDK older than 8u191 and are susceptible to Remote Code Execution, DoS, and Information Leakage (including environment variables).


Cause

Security vulnerabilities CVE-2021-44228 and CVE-2021-45046 were found in the Apache Log4j library.

Confirming Promote Version

Step 1 – Log in to Promote
Step 2 – In the upper right corner you will see your USER ID
Step 3 – Click the 3 lines next to the username
Step 4 – Select “Admin”
Step 5 – Select “Advanced” from the header
Step 6 – Scroll down to “Build Information”
Step 7 – Locate the version string: Alteryx | Promote - v20XX.x.x


Resolution

  1. Confirm you are on a version of Promote >= 2018.3.x (e.g., 2018.4.0, 2019.1.0, 2019.2.0). If you are not, please do not continue and reach out to Alteryx Support. To confirm your current version, see the “Confirming Promote Version” section above.
  2. Locate the 3 IPs for your Promote cluster (for a few customers it may be 4 IPs or more if you have added additional node(s) to your cluster)
  3. SSH into the first node of your cluster (note YOUR_PROMOTE_USER will likely be centos unless you installed Promote with a different user):
    ssh -i $PATH_TO_YOUR_PRIVATE_KEY_FILE $YOUR_PROMOTE_USER@$NODE_IP
  4. Open /etc/init/promote.yml in your favorite text editor (e.g., vi /etc/init/promote.yml).
  5. Now locate the image: entry under the logstash section of this file (line 2 of the snippet below). Your specific image entry depends on the version of Promote you are running; here we are locating the entry for a 2018.3.0 installation of Promote:
    logstash:
      image: "quay.io/yhat/logstash:2018.3.0"
      depends_on:
        - elasticsearch
      environment:
        SERVICE_IGNORE: always
        LOGSPOUT: ignore
        PREDICTION_LOGGING_DEV: "true"
        PREDICTION_LOGGING_PROD: "true"
  6. Replace logstash:2018.3.0 with logstash:lg-6.8.22 so the image string (line 2 of the snippet below) reads as follows:
    logstash:
      image: "quay.io/yhat/logstash:lg-6.8.22"
      depends_on:
        - elasticsearch
      environment:
        SERVICE_IGNORE: always
        LOGSPOUT: ignore
        PREDICTION_LOGGING_DEV: "true"
        PREDICTION_LOGGING_PROD: "true"
  7. Now locate the image: entry under the elasticsearch section of this file (line 2 of the snippet below). Again, your specific image entry depends on the version of Promote you are running; here we are locating the entry for a 2018.3.0 installation of Promote:
    elasticsearch:
      image: "quay.io/yhat/elasticsearch:2018.3.0"
      env_file:
        - ./env/elasticsearch.env
      environment:
        LOGSPOUT: ignore
        RESTART_SVC_ON_CONT_FAIL: 'true'
  8. Replace elasticsearch:2018.3.0 with elasticsearch:es-6.8.22 so the image string (line 2 of the snippet below) reads as follows:
    elasticsearch:
      image: "quay.io/yhat/elasticsearch:es-6.8.22"
      env_file:
        - ./env/elasticsearch.env
      environment:
        LOGSPOUT: ignore
        RESTART_SVC_ON_CONT_FAIL: 'true'
  9. Save your changes to the /etc/init/promote.yml file and exit the file.
  10. Repeat steps 3 - 9 on the other nodes in your cluster, ensuring you save the modified /etc/init/promote.yml file each time.
  11. SSH into the first node of your cluster again:
    ssh -i $PATH_TO_YOUR_PRIVATE_KEY_FILE $YOUR_PROMOTE_USER@$NODE_IP
  12. Pull the new logstash image onto the node: sudo docker pull quay.io/yhat/logstash:lg-6.8.22 and ensure the command completes successfully.
  13. Pull the new elasticsearch image onto the node: sudo docker pull quay.io/yhat/elasticsearch:es-6.8.22 and ensure the command completes successfully.
  14. Now update the promote_logstash docker service to use the new logstash image with the command below and ensure it completes successfully:
    sudo docker service update promote_logstash --image quay.io/yhat/logstash:lg-6.8.22 --force
  15. Now update the promote_elasticsearch docker service to use the new elasticsearch image with the command below and ensure it completes successfully:
    sudo docker service update promote_elasticsearch --image quay.io/yhat/elasticsearch:es-6.8.22 --force
  16. Check that the following command outputs 1/1 for promote_elasticsearch and 3/3 for promote_logstash. It is also important to check that the image strings in the output of the command now reference the updated image strings you set in steps 13 and 14:
    sudo docker service ls | grep 'promote_logstash\|promote_elasticsearch'
    ##### Example Command Output ####
    kslypu39i7rg promote_elasticsearch replicated 1/1 quay.io/yhat/elasticsearch:es-6.8.22 *:9200->9200/tcp, *:9300->9300/tcp
    662hv6mb9dsf promote_logstash global 3/3 quay.io/yhat/logstash:lg6.8.22 *:5001->5000/tcp, *:5400->5400/tcp, *:9600->9600/tcp, *:5002->5002/udp
  17. If you would like to confirm that logging is working correctly, deploy a Hello World model and send a few prediction requests to it. Then visit the model in the Promote UI and double check that you see deployment logs under the model's “Logs” tab, and that your predictions populate under the model's “History” tab.
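As an added verification aid (not Alteryx's own tooling), the script below checks the two things steps 5 through 16 leave you to eyeball on every node: that /etc/init/promote.yml pins both services to the patched image tags, and that `docker service ls` reports promote_logstash at 3/3 and promote_elasticsearch at 1/1 on those same images. The service-list sample is constructed; the IDs are the ones shown in the example output above.

```shell
#!/bin/sh
# Added example, not part of the Alteryx Promote product: post-patch checks for the
# Log4j remediation. Run it on each node after step 16.

PATCHED_LOGSTASH="quay.io/yhat/logstash:lg-6.8.22"
PATCHED_ES="quay.io/yhat/elasticsearch:es-6.8.22"

# Returns 0 if the promote.yml at $1 pins both services to the patched images, 1 otherwise.
# Fixed-string grep so the dots in the image names are matched literally.
check_promote_yml() {
  grep -qF "image: \"$PATCHED_LOGSTASH\"" "$1" &&
  grep -qF "image: \"$PATCHED_ES\"" "$1"
}

# Reads `docker service ls` output on stdin (columns: ID NAME MODE REPLICAS IMAGE PORTS).
# Returns 0 only if promote_logstash is 3/3 and promote_elasticsearch is 1/1 AND both
# run the patched image; a partially rolled-out service or an old tag fails the check.
check_service_ls() {
  awk -v ls="$PATCHED_LOGSTASH" -v es="$PATCHED_ES" '
    $2 == "promote_logstash"      && $4 == "3/3" && $5 == ls { l = 1 }
    $2 == "promote_elasticsearch" && $4 == "1/1" && $5 == es { e = 1 }
    END { exit !(l && e) }'
}

# Constructed sample of a healthy, fully patched `docker service ls` listing.
SAMPLE_LS='ID           NAME                   MODE       REPLICAS IMAGE                                 PORTS
kslypu39i7rg promote_elasticsearch  replicated 1/1      quay.io/yhat/elasticsearch:es-6.8.22  *:9200->9200/tcp
662hv6mb9dsf promote_logstash       global     3/3      quay.io/yhat/logstash:lg-6.8.22       *:5001->5000/tcp'

# On a real node:  check_promote_yml /etc/init/promote.yml && sudo docker service ls | check_service_ls
printf '%s\n' "$SAMPLE_LS" | check_service_ls && echo "sample service list: both services patched and healthy"
```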
