December 15, 2021
To our valued DataRobot customers,
I’m reaching out with an update on DataRobot’s response to the Log4j vulnerability.
On December 10, 2021, DataRobot became aware of a vulnerability in the widely used logging library Log4j (CVE-2021-44228) for Java-based applications, which is impacting enterprise applications and cloud services around the world. Since then, a second CVE (CVE-2021-45046) has been issued and the situation continues to evolve.
In response to the initial and subsequent vulnerabilities, DataRobot immediately assembled a cross-functional team to assess the scope of the vulnerabilities and begin implementing steps for remediation.
Security is a foundational element of an Enterprise AI Platform. The new 7.3 release has shipped with a remediation as will all future releases. Please review the following for more detailed guidance:
We would also urge you to make a plan to upgrade to DataRobot 7.3 in your current environment as soon as possible. We are happy to work with you on this upgrade and to enable your users on all of the latest capabilities the upgrade gives them access to.
Please do not hesitate to reach out to your account team or email support@datarobot.com if we can assist you in any way. As always, thank you for including DataRobot as a cornerstone in your AI transformation. We will provide updates on Log4j on DataRobot Community if we have new information relevant to you. For now, we wish you the happiest of holiday seasons.
Best Regards,
Nenshad Bardoliwalla
Chief Product Officer
Whether this vulnerability affects you depends on which features are enabled and how they are being utilized.
1. DataRobot provides a capability to export ‘code’ and executable Jar files for the purpose of running predictions on other platforms. Scoring Code Jars generated from trained models could be vulnerable. If your runtime environment is not already secured, please follow the current guidance provided in the following Apache Security Advisory.
2. DataRobot provides a capability to monitor and manage ML models running outside of DataRobot’s platform via the MLOps Monitoring Agent. If you are running the MLOps Monitoring Agent, and your runtime environment is not already secured, please follow the guidance in the Apache Security Advisory.
3. DataRobot provides a capability to export and execute ML models in an external Docker container outside of DataRobot’s platform and monitor the execution via DataRobot’s MLOps Monitoring Agent (see 2, above). Only the Java MLOps Monitoring Agent contains the vulnerable library. If your runtime environment is not already secured, please follow the current guidance provided in the following Apache Security Advisory.
4. DataRobot allows customers to connect to external JDBC data sources. We recommend upgrading any JDBC driver to a release which meets the requirements of the Apache Security Advisory.
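Each of the four items above reduces to the same defender's check: is a vulnerable log4j-core present in the Java artifacts you run (an exported Scoring Code Jar, the Java MLOps Monitoring Agent, the Docker image that wraps it, or a JDBC driver), and has the remediation from the Apache Security Advisory been applied? The following script is an added example, not DataRobot's or Apache's own tooling. It opens a jar, recurses into jars nested inside it, reads the log4j-core Maven version, and checks for the JndiLookup class whose removal the Apache advisory lists as a mitigation. The fixed-version thresholds (2.16.0, and 2.12.2 for the Java 7 line) reflect the advisory as of the date of this letter and are assumptions to re-check against the current advisory; the sample jar is constructed in memory so the script runs offline.

```python
import io
import re
import zipfile

# Paths inside a log4j-core jar that identify it and its version.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED_ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

# Assumed fix thresholds for CVE-2021-44228 / CVE-2021-45046 as of
# 2021-12-15; take the authoritative values from the Apache advisory.
FIXED_MAIN_LINE = (2, 16, 0)
FIXED_JAVA7_LINE = (2, 12, 2)


def _version_tuple(version):
    """'2.14.1' -> (2, 14, 1); non-numeric suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def scan_jar_bytes(data, path="<root>"):
    """Return one finding per log4j-core occurrence in the jar, recursing
    into nested archives (Scoring Code Jars bundle their dependencies)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        jndi_present = JNDI_LOOKUP_CLASS in names
        if version is not None or jndi_present:
            findings.append({"path": path, "version": version,
                             "jndi_lookup_present": jndi_present})
        # Recurse into embedded jars (fat jars, Docker image layers unpacked to disk, ...).
        for name in sorted(names):
            if name.endswith(NESTED_ARCHIVE_SUFFIXES):
                findings.extend(scan_jar_bytes(zf.read(name), f"{path}!{name}"))
    return findings


def scan_jar_file(filename):
    with open(filename, "rb") as fh:
        return scan_jar_bytes(fh.read(), filename)


def assess(finding):
    """Classify a finding: 'fixed' (version at or above the fix for its line),
    'mitigated' (JndiLookup.class removed from the jar), 'vulnerable', or
    'unknown-version' when the jar carries no Maven metadata."""
    version = finding["version"]
    if version is not None:
        v = _version_tuple(version)
        if v >= FIXED_MAIN_LINE or (v[:2] == (2, 12) and v >= FIXED_JAVA7_LINE):
            return "fixed"
    if not finding["jndi_lookup_present"]:
        return "mitigated"
    return "vulnerable" if version is not None else "unknown-version"


def build_sample_jar(version="2.14.1", strip_jndi=False):
    """Constructed sample: an outer 'scoring' jar bundling a log4j-core jar.
    Class bodies are placeholder bytes, not real bytecode."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n"
                              "artifactId=log4j-core\n")
        if not strip_jndi:
            z.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("com/example/ScoringCode.class", b"\xca\xfe\xba\xbe")
        z.writestr(f"lib/log4j-core-{version}.jar", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for finding in scan_jar_bytes(build_sample_jar(), "scoring.jar"):
        print(f"{finding['path']}: log4j-core {finding['version']} -> {assess(finding)}")
```

Run it against a real artifact with `scan_jar_file("/path/to/scoring.jar")`; for a Docker image, export the filesystem and pass each jar you find under it. A result of `mitigated` means the JndiLookup class is absent, which is the advisory's documented workaround for older versions; `fixed` means the jar already carries a remediated release, which is the outcome an upgrade to DataRobot 7.3 or a patched driver should produce.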