Dataiku 9.0 CVE-2021-44228 exposure

garrickhall

Community,

CVE-2021-44228 was reported recently. The Dataiku web site states that Dataiku 10.0 is not impacted by this vulnerability. Is there any statement regarding Dataiku 9.0? I know that the application can use log4j for auditing/logging.

Thanks!


Operating system used: RHEL 7.9

Answers

  • rreff (Partner)

    Hello Dataiker Team.

    This statement is not sufficient for larger companies with their own IT security department.

    Please specify in detail what your statement "We confirm that DSS 9 is not affected either" is based on.

    In addition: we now have to patch the systems immediately. To do this, we remove the affected 'JMSAppender.class' directly from the JAR file:

    zip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class

    Please comment on what impact this may have: no impact, or ...

    Regards
    Roberto

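The check-then-strip procedure from the post above, as an added example (this is not Dataiku's code and not the poster's script). It does in Python what `zip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class` does, but first reports which of the classes tied to the four CVEs named in this thread are actually present, and rewrites the jar through a temporary file plus atomic rename so an interrupted run never leaves a truncated archive behind. It assumes the standard class paths inside the upstream log4j 1.2.x and log4j-core 2.x jars; the jar it operates on in `demo()` is a constructed stand-in with placeholder bytes, not a real log4j build.

```python
import os
import tempfile
import zipfile

# Class paths for the CVEs named in the thread, at their standard locations
# inside the upstream log4j 1.2.x jar and the log4j-core 2.x jar (assumption:
# a repackaged or shaded jar may relocate these).
WATCHED = {
    "CVE-2021-4104": "org/apache/log4j/net/JMSAppender.class",                  # log4j 1.x
    "CVE-2020-9488": "org/apache/log4j/net/SMTPAppender.class",                 # log4j 1.x
    "CVE-2019-17571": "org/apache/log4j/net/SocketServer.class",                # log4j 1.x
    "CVE-2021-44228": "org/apache/logging/log4j/core/lookup/JndiLookup.class",  # log4j 2.x
}


def scan_jar(jar_path):
    """Return {cve_id: bool} saying which watched classes the jar contains."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
    return {cve: (entry in names) for cve, entry in WATCHED.items()}


def strip_entries(jar_path, entries):
    """Rewrite the jar without the given entries (same effect as `zip -d`).

    Every other entry is copied with its original compression method and
    timestamp. The new archive is written next to the original and swapped in
    with os.replace, preserving the original file mode. Returns the number of
    entries removed.
    """
    remove = set(entries)
    removed = 0
    jar_dir = os.path.dirname(os.path.abspath(jar_path))
    fd, tmp_path = tempfile.mkstemp(dir=jar_dir, suffix=".jar.tmp")
    os.close(fd)
    try:
        with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
            for info in src.infolist():
                if info.filename in remove:
                    removed += 1
                    continue
                dst.writestr(info, src.read(info.filename))
        os.chmod(tmp_path, os.stat(jar_path).st_mode & 0o7777)
        os.replace(tmp_path, jar_path)
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return removed


def make_sample_jar(jar_path, entries):
    """Constructed stand-in jar: real log4j 1.x entry names, placeholder bytes."""
    with zipfile.ZipFile(jar_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in entries:
            zf.writestr(name, b"\xca\xfe\xba\xbe placeholder for " + name.encode())


def demo():
    """Scan a constructed log4j-1.2.17-style jar, strip JMSAppender, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        jar = os.path.join(tmp, "log4j-1.2.17.jar")
        make_sample_jar(jar, [
            "META-INF/MANIFEST.MF",
            "org/apache/log4j/Logger.class",
            "org/apache/log4j/net/JMSAppender.class",
            "org/apache/log4j/net/SMTPAppender.class",
        ])
        before = scan_jar(jar)
        removed = strip_entries(jar, [WATCHED["CVE-2021-4104"]])
        after = scan_jar(jar)
        with zipfile.ZipFile(jar) as zf:
            remaining = sorted(zf.namelist())
    return {"before": before, "removed": removed, "after": after, "remaining": remaining}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real install, run `scan_jar` over every `*.jar` you find under the DSS tree before touching anything: it tells you whether a given jar is log4j 1.x or log4j-core 2.x and which of the four classes is actually there, so you strip only what is present and keep a record of what you changed for the security team.
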
  • Sergey (Dataiker)

    Hi @rreff

    We definitely understand and appreciate our clients' concern around log4j 2 stemming from CVE-2021-44228. As noted, Dataiku DSS is not vulnerable to the recently-reported "log4shell" vulnerability.

    In addition, Dataiku does not use the affected classes from Log4j 1.x with known vulnerabilities (CVE-2021-4104, CVE-2020-9488, and CVE-2019-17571).

    If you still want to remove or modify the jar file directly, this may work, but it will definitely not be a supported setup.
