Dataiku 9.0 CVE 2021-44228 exposure

garrickhall
Level 1

Community,

CVE 2021-44228 was reported recently.  The Dataiku web site states that Dataiku 10.0 is not impacted by this vulnerability.  Is there any statement regarding Dataiku 9.0?  I know that the application can use log4j for auditing/logging.

Thanks!


Operating system used: RHEL 7.9

4 Replies
Clément_Stenac

Hi,

We confirm that DSS 9 is not affected either (nor the other versions of DSS).

rreff
Level 2

Hello Dataiker Team.


This statement is not sufficient for larger companies with their own IT security department.

Please specify in detail what your statement "We confirm that DSS 9 is not affected either" is based on.

In addition: We now have to patch the systems immediately. For this we remove the affected 'JMSAppender.class' directly from the JAR file.

zip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class

Please comment what impact this may have. No impact or ...


Regards
Roberto

sergeyd
Dataiker

Hi @rreff

We definitely understand and appreciate our clients' concern around log4j 2 stemming from CVE-2021-44228. As noted, Dataiku DSS is not vulnerable to the recently-reported "log4shell" vulnerability.

In addition, Dataiku does not use the affected classes from Log4j 1.x with known vulnerabilities (CVE-2021-4104, CVE-2020-9488, and CVE-2019-17571).

If you still want to remove or modify the jar file directly, this may work, but it will definitely not be a supported setup.
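A check an IT security team could run on its own installation to verify the kind of statement given above: it inventories the log4j jars and reports whether the classes tied to CVE-2021-44228 (log4j 2.x) and CVE-2021-4104 (log4j 1.x) are actually shipped. This is an added example, not Dataiku's code nor anything posted in this thread; the install root passed to scan_tree and the sample jars built by build_jar are constructed assumptions.

```python
import io
import os
import zipfile

# Classes whose presence marks the exposure surface for each CVE named in this thread.
MARKER_CLASSES = {
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": "CVE-2021-44228 (log4j 2.x JNDI lookup)",
    "org/apache/log4j/net/JMSAppender.class": "CVE-2021-4104 (log4j 1.x JMSAppender)",
}

def log4j_version(zf):
    """Version from the jar manifest, or None when the manifest lacks it."""
    if "META-INF/MANIFEST.MF" not in zf.namelist():
        return None
    for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None

def scan_jar(jar):
    """Return (version, [finding, ...]) for a jar given as bytes or as a file path."""
    src = io.BytesIO(jar) if isinstance(jar, (bytes, bytearray)) else jar
    with zipfile.ZipFile(src) as zf:
        names = set(zf.namelist())
        return log4j_version(zf), [desc for cls, desc in MARKER_CLASSES.items() if cls in names]

def scan_tree(root):
    """Scan every *.jar under an install root (e.g. a DSS data dir; the path is an assumption)."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                report[path] = scan_jar(path)
    return report

def build_jar(entries, version):
    """Build a constructed sample jar in memory; the class bodies are dummies, not real log4j."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        for entry in entries:
            zf.writestr(entry, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()

# Constructed samples: a log4j 1.x jar before and after the JMSAppender removal shown above.
SAMPLE_BEFORE = build_jar(["org/apache/log4j/Logger.class", "org/apache/log4j/net/JMSAppender.class"], "1.2.17")
SAMPLE_AFTER = build_jar(["org/apache/log4j/Logger.class"], "1.2.17")
```

A hit only shows the class is present in the jar, not that the application's logging configuration uses it; on a log4j 1.x jar, an empty finding list is what the zip -d removal shown above should leave behind.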

sergeyd
Dataiker

Hi @garrickhall

We have studied the vulnerability and confirmed that DSS is not vulnerable. No action is needed.
This is the case for all DSS versions.
