Issue
Recently disclosed vulnerabilities allow for remote code execution. Alteryx has identified security vulnerabilities in our Alteryx Promote product.
Environment Details
Technical Impact:
The following two Promote services have been identified as at risk: logstash and elasticsearch.
Elasticsearch:
- Promote versions <= 2019.1 and >= 2018.3
  - Use elasticsearch 6.2.4 and Java Development Kit (JDK) version 8u161. These are susceptible to Information Leakage via DNS and Denial of Service (DoS). Because the Java Security Manager is in place, the JDK is not vulnerable to Remote Code Execution (RCE).
- Promote versions < 2018.3
  - Use elasticsearch 5.6.4 and are susceptible to RCE, DoS, and Information Leakage.
Logstash:
- Promote versions >= 2019.2
  - Use logstash 6.6.2 and JDK 8u201. According to official guidance, JDKs newer than 8u191 are NOT susceptible to Remote Code Execution; these versions are still susceptible to DoS and Information Leakage (including ENV variables).
- Promote versions <= 2019.1 and >= 2018.3
  - Use logstash 6.2.4 and a JDK version older than 8u191 and are susceptible to Remote Code Execution, DoS, and Information Leakage (including ENV variables).
- Promote versions < 2018.3
  - Use logstash 5.3.2 and a JDK version older than 8u191 and are susceptible to Remote Code Execution, DoS, and Information Leakage (including ENV variables).
Cause
Security vulnerabilities CVE-2021-44228 and CVE-2021-45046 were found in the Apache Log4j library.
Confirming Promote Version
Step 1 – Log in to Promote
Step 2 – In the upper right corner you will see your USER ID
Step 3 – Click the 3 lines next to the username
Step 4 – Select “Admin”
Step 5 – Select “Advanced” from the header
Step 6 – Scroll down to the “Build Information” section
Step 7 – Locate the version string: Alteryx | Promote - v20XX.x.x
Resolution
- Confirm you are on a version of Promote >= 2018.3.x (i.e., 2018.4.0, 2019.1.0, 2019.2.0, etc.). If you are not, do not continue; reach out to Alteryx Support instead. To confirm your current version, follow the instructions in the “Confirming Promote Version” section above.
- Locate the 3 IPs for your Promote cluster (for a few customers it may be 4 IPs or more if you have added additional node(s) to your cluster)
- SSH into the first node of your cluster (note: YOUR_PROMOTE_USER will likely be centos unless you installed Promote with a different user):
ssh -i $PATH_TO_YOUR_PRIVATE_KEY_FILE $YOUR_PROMOTE_USER@$NODE_IP
- Open /etc/init/promote.yml in your favorite text editor, e.g. vi /etc/init/promote.yml
- Now locate the image: entry under the logstash section of this file (the second line of the block below). Your specific image entry depends on the version of Promote you are running; here we are locating the entry for a 2018.3.0 installation of Promote:
logstash:
  image: "quay.io/yhat/logstash:2018.3.0"
  depends_on:
    - elasticsearch
  environment:
    SERVICE_IGNORE: always
    LOGSPOUT: ignore
    PREDICTION_LOGGING_DEV: "true"
    PREDICTION_LOGGING_PROD: "true"
- Replace logstash:2018.3.0 with logstash:lg-6.8.22 so the image string (the second line of the block below) reads the following:
logstash:
  image: "quay.io/yhat/logstash:lg-6.8.22"
  depends_on:
    - elasticsearch
  environment:
    SERVICE_IGNORE: always
    LOGSPOUT: ignore
    PREDICTION_LOGGING_DEV: "true"
    PREDICTION_LOGGING_PROD: "true"
- Now locate the image: entry under the elasticsearch section of this file (the second line of the block below). Again, your specific image entry depends on the version of Promote you are running; here we are locating the entry for a 2018.3.0 installation of Promote:
elasticsearch:
  image: "quay.io/yhat/elasticsearch:2018.3.0"
  env_file:
    - ./env/elasticsearch.env
  environment:
    LOGSPOUT: ignore
    RESTART_SVC_ON_CONT_FAIL: 'true'
- Replace elasticsearch:2018.3.0 with elasticsearch:es-6.8.22 so the image string (the second line of the block below) reads the following:
elasticsearch:
  image: "quay.io/yhat/elasticsearch:es-6.8.22"
  env_file:
    - ./env/elasticsearch.env
  environment:
    LOGSPOUT: ignore
    RESTART_SVC_ON_CONT_FAIL: 'true'
- Save your changes to the /etc/init/promote.yml file and exit the file.
- Repeat steps 3 - 9 (SSH in, edit /etc/init/promote.yml, and save) on the other nodes in your cluster, ensuring you save the modified /etc/init/promote.yml file each time.
- SSH into the first node of your cluster again:
ssh -i $PATH_TO_YOUR_PRIVATE_KEY_FILE $YOUR_PROMOTE_USER@$NODE_IP
- Pull the new logstash image onto the node: sudo docker pull quay.io/yhat/logstash:lg-6.8.22 and ensure the command completes successfully.
- Pull the new elasticsearch image onto the node: sudo docker pull quay.io/yhat/elasticsearch:es-6.8.22 and ensure the command completes successfully
- Now update the promote_logstash docker service to use the new logstash image with the command below and ensure it completes successfully:
sudo docker service update promote_logstash --image quay.io/yhat/logstash:lg-6.8.22 --force
- Now update the promote_elasticsearch docker service to use the new elasticsearch image with the command below and ensure it completes successfully:
sudo docker service update promote_elasticsearch --image quay.io/yhat/elasticsearch:es-6.8.22 --force
- Check that the following command outputs 1/1 for promote_elasticsearch and 3/3 for promote_logstash. It is also important to check that the image strings in the output now reference the updated image strings you set in the two docker service update commands above (steps 13 and 14):
sudo docker service ls | grep 'promote_logstash\|promote_elasticsearch'
##### Example Command Output ####
kslypu39i7rg promote_elasticsearch replicated 1/1 quay.io/yhat/elasticsearch:es-6.8.22 *:9200->9200/tcp, *:9300->9300/tcp
662hv6mb9dsf promote_logstash global 3/3 quay.io/yhat/logstash:lg6.8.22 *:5001->5000/tcp, *:5400->5400/tcp, *:9600->9600/tcp, *:5002->5002/udp
- If you would like to confirm that logging is working correctly, deploy a Hello World model and send a few prediction requests to it. Then visit the model in the Promote UI and check that deployment logs appear under the “Logs” tab of the model, and that your predictions populate under the model's “History” tab.
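As an added example (this is my own script, not Alteryx tooling and not part of the original article), the shell script below automates the per-node steps above: it rewrites the two image: entries in /etc/init/promote.yml, and after the service updates it checks the docker service ls output for the replica counts and image strings the article says to expect. The image tags, file path and service names are the ones the article gives; the --patch-yml and --update-services flags, the backup file suffix and the built-in dry-run sample are my own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not Alteryx's own tooling: automates the per-node steps of the
# Resolution section. Image tags and paths are the ones the article specifies.
set -eu

LOGSTASH_IMAGE="quay.io/yhat/logstash:lg-6.8.22"
ELASTIC_IMAGE="quay.io/yhat/elasticsearch:es-6.8.22"
PROMOTE_YML="/etc/init/promote.yml"

# Read a promote.yml on stdin and print it with the image: line under the
# logstash: and elasticsearch: sections replaced. Other services are untouched.
patch_promote_yml() {
  awk -v ls="$LOGSTASH_IMAGE" -v es="$ELASTIC_IMAGE" '
    # A bare "key:" line opens a mapping. Remember when we enter logstash: or
    # elasticsearch:, and forget it once a key at the same or lower indent follows.
    /^[ \t]*[A-Za-z_]+:[ \t]*$/ {
      match($0, /^[ \t]*/); ind = RLENGTH
      key = $1; sub(/:$/, "", key)
      if (key == "logstash" || key == "elasticsearch") { section = key; sec_ind = ind }
      else if (section != "" && ind <= sec_ind) { section = "" }
    }
    section == "logstash"      && $1 == "image:" { sub(/"[^"]*"/, "\"" ls "\"") }
    section == "elasticsearch" && $1 == "image:" { sub(/"[^"]*"/, "\"" es "\"") }
    { print }
  '
}

# Check `docker service ls` output passed in $1: promote_elasticsearch must
# show 1/1 and promote_logstash 3/3, each on the new image. Columns are
# ID NAME MODE REPLICAS IMAGE PORTS. Returns 0 only when both services pass.
verify_services() {
  printf '%s\n' "$1" | awk -v ls="$LOGSTASH_IMAGE" -v es="$ELASTIC_IMAGE" '
    $2 == "promote_elasticsearch" { es_ok = ($4 == "1/1" && $5 == es) }
    $2 == "promote_logstash"      { ls_ok = ($4 == "3/3" && $5 == ls) }
    END { if (es_ok && ls_ok) exit 0; exit 1 }
  '
}

# The edit-and-save steps for the node this runs on: keep a backup (suffix is
# my choice), then rewrite the file in place.
patch_yml_on_node() {
  sudo cp "$PROMOTE_YML" "$PROMOTE_YML.pre-log4j-fix"
  sudo cat "$PROMOTE_YML" | patch_promote_yml | sudo tee "$PROMOTE_YML.tmp" >/dev/null
  sudo mv "$PROMOTE_YML.tmp" "$PROMOTE_YML"
}

# The pull, service update and check steps; run once from the first node after
# every node's promote.yml has been patched.
update_services() {
  sudo docker pull "$LOGSTASH_IMAGE"
  sudo docker pull "$ELASTIC_IMAGE"
  sudo docker service update promote_logstash --image "$LOGSTASH_IMAGE" --force
  sudo docker service update promote_elasticsearch --image "$ELASTIC_IMAGE" --force
  verify_services "$(sudo docker service ls)"
}

case "${1:-}" in
  --patch-yml) patch_yml_on_node ;;
  --update-services) update_services && echo "both services are on the patched images" ;;
  *)
    # No flag: dry run on a constructed promote.yml excerpt, so the rewrite
    # logic can be inspected without touching a live node.
    printf '%s\n' 'logstash:' '  image: "quay.io/yhat/logstash:2018.3.0"' \
      'elasticsearch:' '  image: "quay.io/yhat/elasticsearch:2018.3.0"' | patch_promote_yml
    ;;
esac
```

Run it with --patch-yml on every node of the cluster, then once with --update-services from the first node. verify_services compares the full image string reported by docker service ls, so a tag that differs in any character from lg-6.8.22 or es-6.8.22, or a replica count below 1/1 and 3/3, is reported as a failure rather than silently accepted.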
Additional Resources