Community,
CVE-2021-44228 was reported recently. The Dataiku web site states that Dataiku 10.0 is not impacted by this vulnerability. Is there any statement regarding Dataiku 9.0? I know that the application can use log4j for auditing/logging.
Thanks!
Operating system used: RHEL 7.9
Hi,
We confirm that DSS 9 is not affected either (nor the other versions of DSS).
Hi @garrickhall
We have studied the vulnerability and confirmed that DSS is not vulnerable. No action is needed.
This is the case for all DSS versions.
Hello Dataiker Team.
This statement is not sufficient for larger companies with their own IT security department.
Please specify in detail what your statement "We confirm that DSS 9 is not affected either" is based on.
In addition: We now have to patch the systems immediately. For this we remove the affected 'JMSAppender.class' directly from the JAR file.
zip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class
Please comment on what impact this may have. No impact or ...
Regards
Roberto
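A security team that strips JMSAppender.class as above will also want to verify afterwards which jars on the host still carry the entries this thread names. The script below is an example added here, not Dataiku's tooling or the poster's command: it walks a directory, reports jars that still contain the log4j 1.x JMSAppender.class or the log4j 2.x JndiLookup.class, and builds two constructed sample jars (file names and stub contents invented) so it can demonstrate itself offline.

```python
"""Inventory jars under a directory and report the log4j classes named in this
thread (example added here; not Dataiku's own tooling)."""
import os
import tempfile
import zipfile

# Entry names as they appear inside a jar. JMSAppender is the log4j 1.x class the
# thread removes with `zip -d`; JndiLookup is the log4j 2.x class behind CVE-2021-44228.
WATCHED_CLASSES = {
    "org/apache/log4j/net/JMSAppender.class": "log4j 1.x JMSAppender (CVE-2021-4104)",
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": "log4j 2.x JndiLookup (CVE-2021-44228)",
}

def scan_jar(path):
    """Return the sorted list of watched entries still present in one jar."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
    return sorted(n for n in WATCHED_CLASSES if n in names)

def scan_tree(root):
    """Walk root; return {jar_path: [watched entries]} for jars that still contain one."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            full = os.path.join(dirpath, name)
            try:
                found = scan_jar(full)
            except zipfile.BadZipFile:
                continue  # not a real zip archive; skip rather than abort the inventory
            if found:
                hits[full] = found
    return hits

def make_sample_jar(path, entries):
    """Write a constructed jar (stub class bytes, not a real log4j artifact) for offline testing."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for entry in entries:
            jar.writestr(entry, b"\xca\xfe\xba\xbe")

def run_demo():
    """Build one unpatched and one already-stripped sample jar; return scan hits by file name."""
    tmp = tempfile.mkdtemp()
    make_sample_jar(os.path.join(tmp, "log4j-1.2.17.jar"),
                    ["org/apache/log4j/net/JMSAppender.class", "org/apache/log4j/Logger.class"])
    make_sample_jar(os.path.join(tmp, "log4j-1.2.17-stripped.jar"), ["org/apache/log4j/Logger.class"])
    return {os.path.basename(k): v for k, v in scan_tree(tmp).items()}
```

run_demo() exercises the scanner on the constructed samples; for a real check, call scan_tree() on the DSS installation directory before and after running the zip -d command and confirm the jar drops out of the result.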
Hi @rreff
We definitely understand and appreciate our clients' concern around log4j 2 stemming from CVE-2021-44228. As noted, Dataiku DSS is not vulnerable to the recently-reported "log4shell" vulnerability.
In addition, Dataiku does not use the affected classes from Log4j 1.x with known vulnerabilities (CVE-2021-4104, CVE-2020-9488, and CVE-2019-17571).
If you still want to remove or modify the jar file directly, this may work, but it will definitely not be a supported setup.