Updated December 30, 2021 8:45 AM PST. We will continue to update this page as more information becomes available.
Dec 30, 2021: Replacement driver update under Third Party Software
Dec 27, 2021: Additional details on affected drivers under Third Party Software
Dec 21, 2021: Additional details on affected versions and dependencies for Promote and warning for third party tools and drivers
On Friday, December 10th, 2021, Alteryx became aware of a vulnerability in the Apache Log4j logging framework (CVE-2021-44228) known as “Log4Shell”. This vulnerability was assigned a “Critical” severity rating, with a CVSS score of 10. Successful exploitation of this vulnerability could lead to Remote Code Execution (RCE) and system-level privileges.
Products Confirmed as Not Impacted
Hyper Anna Cloud
Updates were quickly pushed to Hyper Anna cloud and customer hosted installations. No action was required on behalf of Alteryx’s customers to receive these updates.
Potentially Affected Products
All versions of Promote have vulnerable dependencies, and we recommend promptly updating the Elasticsearch and Logstash Docker images. Step-by-step instructions are available here. If you need further assistance, contact Alteryx Support.
Older versions of Promote are also vulnerable to remote code execution through Log4j. The resolution is the same as above; follow these step-by-step instructions. In the meantime, we encourage you to act with an abundance of caution, removing public access where possible and keeping firewalls updated. The versions of Promote that are at additional risk are:
Release Version (including sub versions)
End of Support Date
Third Party Software
Third-party software may be impacted. If you downloaded tools such as database drivers or other management tools, please refer to those vendors for support and updates.
Please note: The Apache Log4j vulnerability impacts the MongoDB driver we distributed from Magnitude Simba prior to Dec 30, 2021. We now have a resolved, certified MongoDB driver, provided by Magnitude Simba, available for download here. If you have no choice but to run an affected version, the mitigation recommended by Apache is to remove the JndiLookup class from Log4j's classpath within the driver, for instance by running the following command from an Administrator shell:
zip -q -d "C:\Program Files\Simba MongoDB ODBC Driver\Tools\SchemaEditor\app\libs\log4j-core-2.13.3.jar" org/apache/logging/log4j/core/lookup/JndiLookup.class
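To confirm the mitigation took effect, the following added example (not Alteryx or Magnitude Simba code) scans a directory tree for archives that still contain the JndiLookup class named in the command above. It goes slightly beyond the single driver jar by also checking archives nested inside other archives; the function names and the extension list are assumptions of this example.

```python
import io
import os
import sys
import zipfile

# Entry path taken from the zip command in the advisory.
JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumption of this example: archive types worth opening.
ARCHIVE_EXT = (".jar", ".war", ".ear")


def find_jndilookup(archive, label):
    """Return labels of archives (including nested ones) that still hold the class.

    `archive` is a path or a binary file object; `label` is used for reporting.
    """
    hits = []
    try:
        with zipfile.ZipFile(archive) as zf:
            for name in zf.namelist():
                if name == JNDI_ENTRY:
                    hits.append(label)
                elif name.lower().endswith(ARCHIVE_EXT):
                    # Nested archive (fat jar / war): inspect it in memory.
                    nested = io.BytesIO(zf.read(name))
                    hits.extend(find_jndilookup(nested, f"{label}!{name}"))
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable or not a zip archive: nothing to report
    return hits


def scan_tree(root):
    """Walk `root` and return a sorted list of archives that still contain the class."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fname)
                hits.extend(find_jndilookup(path, path))
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python check_jndilookup.py <driver install directory>
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    remaining = scan_tree(root)
    for hit in remaining:
        print("JndiLookup.class still present:", hit)
    sys.exit(1 if remaining else 0)
```

An exit code of 0 means no scanned archive contains the class; rerun it after any driver reinstall, since a reinstall can restore the original jar.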