Dataiku 9.0 CVE-2021-44228 exposure
Community,
CVE-2021-44228 was reported recently. The Dataiku website states that Dataiku 10.0 is not impacted by this vulnerability. Is there any statement regarding Dataiku 9.0? I know that the application can use log4j for auditing/logging.
Thanks!
Operating system used: RHEL 7.9
Best Answers
Hi,
We confirm that DSS 9 is not affected either (nor the other versions of DSS).
Sergey Dataiker, Dataiku DSS Core Designer, Dataiku DSS & SQL, Dataiku DSS Core Concepts Posts: 365 Dataiker
Hi @garrickhall
We have studied the vulnerability and confirmed that DSS is not vulnerable. No action is needed.
This is the case for all DSS versions.
Answers
Hello Dataiker Team.
This statement is not sufficient for larger companies with their own IT security department.
Please specify in detail what your statement "We confirm that DSS 9 is not affected either" is based on.
In addition: We now have to patch the systems immediately. For this we remove the affected 'JMSAppender.class' directly from the JAR file.
zip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class
Please comment on what impact this may have. No impact, or ...
Regards,
Roberto
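The check a security team would want around the JAR-editing step above, as an added example that is not from the thread or from Dataiku: it lists which of the well-known log4j classes a given jar carries, rewrites the jar without them (the same effect as `zip -d`), and re-checks the result. The sample jar is constructed inline; the JndiLookup entry for the log4j 2.x case is an addition beyond the JMSAppender class the post mentions.

```python
import io
import zipfile

# Class entries worth flagging: JndiLookup is the log4j 2.x class behind
# CVE-2021-44228, JMSAppender the log4j 1.x class behind CVE-2021-4104.
SUSPECT_ENTRIES = {
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": "CVE-2021-44228",
    "org/apache/log4j/net/JMSAppender.class": "CVE-2021-4104",
}


def list_entries(jar_bytes: bytes) -> set:
    """Return the set of entry names inside an in-memory jar (a zip file)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return set(zf.namelist())


def find_suspect_entries(jar_bytes: bytes) -> dict:
    """Return {entry_name: cve} for every suspect class present in the jar."""
    names = list_entries(jar_bytes)
    return {n: cve for n, cve in SUSPECT_ENTRIES.items() if n in names}


def strip_entries(jar_bytes: bytes, entries) -> bytes:
    """Rewrite the jar without the given entries, as `zip -d` would do on disk."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename in entries:
                continue  # drop the suspect class, keep everything else
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def build_sample_jar() -> bytes:
    """Constructed stand-in for a log4j 1.x jar: manifest, one normal class, JMSAppender."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        zf.writestr("org/apache/log4j/net/JMSAppender.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    jar = build_sample_jar()
    found = find_suspect_entries(jar)
    print("before:", found)                        # flags JMSAppender / CVE-2021-4104
    print("after:", find_suspect_entries(strip_entries(jar, found)))  # {}
```

Point the same two functions at a real file with `open(path, "rb").read()` to audit an installed jar before and after editing it.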
Sergey Dataiker, Dataiku DSS Core Designer, Dataiku DSS & SQL, Dataiku DSS Core Concepts Posts: 365 Dataiker
Hi @rreff
We definitely understand and appreciate our clients' concern around log4j 2 stemming from CVE-2021-44228. As noted, Dataiku DSS is not vulnerable to the recently-reported "log4shell" vulnerability.
In addition, Dataiku does not use the affected classes from Log4j 1.x with known vulnerabilities (CVE-2021-4104, CVE-2020-9488, and CVE-2019-17571).
If you still want to remove or modify the jar file directly, this may work, but it will definitely not be a supported setup.