Community Spring Cleaning week is here! Join your fellow Maveryx in digging through your old posts and marking comments on them as solved. Learn more here!

Analytics

News, events, thought leadership and more.
MichelleP
Alteryx Alumni (Retired)

Updated December 30, 2021 8:45 AM PST. We will continue to update this page as more information becomes available. 

 

**UPDATED**

  • Dec 30, 2021: Replacement driver update under Third Party Software
  • Dec 27, 2021: Additional details on affected drivers under Third Party Software
  • Dec 21, 2021: Additional details on affected versions and dependencies for Promote and warning for third party tools and drivers

______________

On Friday, December 10th, 2021, Alteryx became aware of a vulnerability in the Apache Log4j logging framework (CVE-2021-44228) known as “Log4Shell”. This vulnerability was assigned a “Critical” severity rating, with a CVSS score of 10. Successful exploitation of this vulnerability could lead to Remote Code Execution (RCE) and system-level privileges.

 

Products Confirmed as Not Impacted 

 

  • Analytics Hub 
  • Connect 
  • Designer 
  • Designer Cloud 
  • Intelligence Suite 
  • Lore IO 
  • Machine Learning 
  • Public Gallery 
  • Server/Gallery 

Patched Products

 

  • Hyper Anna 
  • Hyper Anna Cloud 

 

Updates were quickly pushed to Hyper Anna cloud and customer hosted installations. No action was required on behalf of Alteryx’s customers to receive these updates. 

 

Potentially Affected Products 

 

  • Promote
    • All versions of Promote have vulnerable dependencies and we recommend promptly updating Elasticsearch and Logstash Docker images. Step by step instructions are available here.  If you need further assistance, contact Alteryx Support.
    • Older versions of Promote are also vulnerable to remote code execution through log4j. The resolution is the same as above; follow these step by step instructions.  In the meantime, we encourage you to act with an abundance of caution, removing public access where possible and keeping firewalls updated. The versions of Promote that are at additional risk are:

Release Version
(including sub versions)

Released Date

End of Support Date

2019.1

2/13/2019

8/13/2020

2018.4

12/4/2018

6/4/2020

2018.4

11/14/2018

5/14/2020

2018.3

8/27/2018

2/27/2020

2018.2

5/31/2018

12/1/2019

2018.1

3/6/2018

9/6/2019

 

  • Third Party Software

    • Third-party software may be impacted. If you downloaded tools such as database drivers or other management tools, please refer to those vendors for support and updates.
    • Please note: The Apache Log4j vulnerability impacts the MongoDB driver we distributed from Magnitude Simba prior to Dec 30, 2021. We now have a resolved, certified MongoDB driver, provided by Magnitude Simba, available for download here.  
      If you have no choice but to run an affected version, the mitigation recommended by Apache is to remove the JndiLookup class from Log4j's classpath within the driver, for instance by running the following command from an Administrator shell:  

zip -q -d "C:\Program Files\Simba MongoDB ODBC Driver\Tools\SchemaEditor\app\libs\log4j-core-2.13.3.jar" org/apache/logging/log4j/core/lookup/JndiLookup.class

 

Michelle Pelletier
Vice President, Global Customer Support

Comments
BobR
8 - Asteroid

It concerns me that remediation seems focused on firewalls and customer facing systems. This can impact backend systems too that may at some point in time offline process user supplied data. 

Franz
9 - Comet

G'Day team, is Desktop Automation affected?

Thx.

F.

MattH
Alteryx
Alteryx

Desktop Automation is the same as Designer, it's just a switch in the license that turns it on and off.  So Desktop Automation would not be affected.