cancel
Showing results for 
Search instead for 
Did you mean: 


Our Response to Log4j Vulnerability & Recommended Next Steps

nenshad
DataRobot Employee
DataRobot Employee
2 0 2,907

December 15, 2021

To our valued DataRobot customers, 

I’m reaching out with an update on DataRobot’s response to the Log4j vulnerability.

On December 10, 2021, DataRobot became aware of a vulnerability in the widely used logging library Log4j (CVE-2021-44228) for Java-based applications, which is impacting enterprise applications and cloud services around the world. Since then, (CVE-2021-45046) has been issued and the situation continues to evolve.

In response to the initial and subsequent vulnerabilities, DataRobot immediately assembled a cross-functional team to assess the scope of the vulnerabilities and begin implementing steps for remediation.

Security is a foundational element of an Enterprise AI Platform. The new 7.3 release has shipped with a remediation as will all future releases. Please review the following for more detailed guidance: 

  • If you currently do not use DataRobot Scoring Code, MLOps Monitoring Agents, or Portable Prediction Servers (PPS) with MLOps Monitoring enabled, no further action is required.
  • If you are using any of the above features, the Log4j vulnerability may continue to exist in any previously generated artifact. As general guidance, please follow the Apache Security Advisory for Log4j for mitigation. As the situation evolves, new updates with new mitigations will be posted by Apache at this link. If you need further details, please review the appendix for specific mitigation steps on DataRobot artifacts to help address these risks. 
  • The DataRobot DataPrep CDH 6 connector is being patched as a priority. Customers using this feature should do so only in secured environments until a patch is applied. 
  • Other DataRobot products, including Zepl and Algorithmia, are not affected.

We would also urge you to make a plan to upgrade to DataRobot 7.3 in your current environment as soon as possible. We are happy to work with you on this upgrade and to enable your users on all of the latest capabilities that your upgrade would give them access to. 

Please do not hesitate to reach out to your account team or email support@datarobot.com if we can assist you in any way. As always, thank you for including DataRobot as a cornerstone in your AI transformation. We will provide updates on Log4j on DataRobot Community if we have new information relevant to you. For now, we wish you the happiest of holiday seasons. 

Best Regards,

Nenshad Bardoliwalla

Chief Product Officer

 


Appendix: DataRobot Customer-Managed Release

This vulnerability is dependent on which features are enabled and how they are being utilized. 

1. DataRobot Scoring Code (formerly known as "CodeGen")

DataRobot provides a capability to export ‘code’ and executable Jar files for the purpose of running predictions on other platforms.

Mitigating Actions:

Scoring Code Jars generated from trained models could be vulnerable. If your runtime environment is not already secured, please follow the current guidance provided in the following Apache Security Advisory.

2. MLOps Monitoring Agent

DataRobot provides a capability to monitor and manage ML models running outside of DataRobot’s platform via the MLOps Monitoring Agent.

Mitigating Actions:

If you are running the MLOps Monitoring Agent, and your runtime environment is not already secured, please follow the guidance from Apache Security Advisory.

3. Portable Prediction Server (PPS) with MLOps Monitoring enabled

DataRobot provides a capability to export and execute ML models in an external Docker container outside of DataRobot’s platform and monitor the execution via DataRobot’s MLOps Monitoring Agent (see 2, above). Only the Java MLOps Monitoring Agent contains the vulnerable library.

Mitigating Actions:

If your runtime environment is not already secured, please follow the current guidance provided in the following  Apache Security Advisory.

4. JDBC Driver Support

DataRobot allows customers to connect to external JDBC data sources. We recommend upgrading any JDBC driver to a release which meets the requirements of the Apache Security Advisory.

Announcements
Log4J updates

Please click here for Log4J updates.

Hey you!
We're happy to have you here. Please take a moment to introduce yourself to the community. If you haven't already, check out helpful tips for navigating through the community, as well as guidelines to keep in mind while you're sharing and learning along with the rest of us. And when you get a chance, make us better with your feedback.

Are you a DataRobot rookie?
Just getting started using the AI Cloud Platform Trial? Have a look at these basics and FAQs. Getting started with the AI Cloud Platform? Check out this Workflow overview.