CVE-2021-44228 was reported recently. The Dataiku web site states that Dataiku 10.0 is not impacted by this vulnerability. Is there any statement regarding Dataiku 9.0? I know that the application can use log4j for auditing/logging.
Operating system used: RHEL 7.9
Hello Dataiker Team.
This statement is not sufficient for larger companies with their own IT security department.
Please specify in detail what your statement "We confirm that DSS 9 is not affected either" is based on.
In addition: We now have to patch the systems immediately. For this we remove the affected 'JMSAppender.class' directly from the JAR file.
zip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class
Please comment what impact this may have. No impact or ...
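As an added example (not part of this thread and not Dataiku's own tooling), a Python inventory script that reports whether a jar still contains the JMSAppender class the command above removes, and also the log4j 2.x JndiLookup class behind CVE-2021-44228 (a class name not mentioned in this thread). It descends one level into nested jars; the sample jars are constructed in memory so it runs offline.

```python
"""Inventory log4j jars and report whether the classes tied to the log4j
advisories are still present, e.g. to verify the `zip -d` mitigation.
Constructed sample jars are built in memory so this runs offline."""
import io
import zipfile
from pathlib import Path

# Entries whose presence marks an unmitigated jar.
# JMSAppender is the log4j 1.x class removed above (CVE-2021-4104);
# JndiLookup is the log4j 2.x class behind CVE-2021-44228 (known class name, not on the page).
RISKY_ENTRIES = {
    "org/apache/log4j/net/JMSAppender.class": "log4j 1.x JMSAppender (CVE-2021-4104)",
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": "log4j 2.x JndiLookup (CVE-2021-44228)",
}
CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # dummy class-file content for the constructed samples


def inspect_jar(data: bytes) -> list:
    """Return the risky entries found in one jar (bytes); empty list means clean.
    Nested .jar entries (shaded/uber jars) are inspected one level deep and
    their hits are prefixed with the nested entry name."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name in RISKY_ENTRIES:
                found.append(RISKY_ENTRIES[name])
            elif name.endswith(".jar"):
                found.extend(f"{name}!{hit}" for hit in inspect_jar(zf.read(name)))
    return found


def scan_directory(root: Path) -> dict:
    """Map every *.jar under root to its list of risky entries."""
    return {str(p): inspect_jar(p.read_bytes()) for p in sorted(root.rglob("*.jar"))}


def build_jar(entries: dict) -> bytes:
    """Constructed sample: a jar holding the given entry name -> bytes mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: an unmitigated log4j 1.x jar, the same jar after `zip -d`,
# and a log4j 2.x jar that still ships JndiLookup.
UNPATCHED_1X = build_jar({"org/apache/log4j/Logger.class": CLASS_MAGIC,
                          "org/apache/log4j/net/JMSAppender.class": CLASS_MAGIC})
PATCHED_1X = build_jar({"org/apache/log4j/Logger.class": CLASS_MAGIC})
LOG4J_2X = build_jar({"org/apache/logging/log4j/core/lookup/JndiLookup.class": CLASS_MAGIC})

if __name__ == "__main__":
    for label, jar in [("unpatched 1.x", UNPATCHED_1X), ("patched 1.x", PATCHED_1X), ("2.x", LOG4J_2X)]:
        hits = inspect_jar(jar)
        print(f"{label}: {'RISKY: ' + ', '.join(hits) if hits else 'clean'}")
```

Point `scan_directory` at the DSS installation's lib directory to get the same report for real jars.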
We definitely understand and appreciate our clients' concern around log4j 2 stemming from CVE-2021-44228. As noted, Dataiku DSS is not vulnerable to the recently-reported "log4shell" vulnerability.
In addition, Dataiku does not use the affected classes from Log4j 1.x with known vulnerabilities (CVE-2021-4104, CVE-2020-9488, and CVE-2019-17571).
If you still want to remove or modify the jar file directly, this may work, but it will definitely not be a supported setup.