Our Response to Log4j Vulnerability & Recommended Next Steps

nenshad
DataRobot Alumni
2 0 9,564

December 15, 2021

To our valued DataRobot customers, 

I’m reaching out with an update on DataRobot’s response to the Log4j vulnerability.

On December 10, 2021, DataRobot became aware of a vulnerability in the widely used logging library Log4j (CVE-2021-44228) for Java-based applications, which is impacting enterprise applications and cloud services around the world. Since then, (CVE-2021-45046) has been issued and the situation continues to evolve.

In response to the initial and subsequent vulnerabilities, DataRobot immediately assembled a cross-functional team to assess the scope of the vulnerabilities and begin implementing steps for remediation.

Security is a foundational element of an Enterprise AI Platform. The new 7.3 release has shipped with a remediation as will all future releases. Please review the following for more detailed guidance: 

  • If you currently do not use DataRobot Scoring Code, MLOps Monitoring Agents, or Portable Prediction Servers (PPS) with MLOps Monitoring enabled, no further action is required.
  • If you are using any of the above features, the Log4j vulnerability may continue to exist in any previously generated artifact. As general guidance, please follow the Apache Security Advisory for Log4j for mitigation. As the situation evolves, new updates with new mitigations will be posted by Apache at this link. If you need further details, please review the appendix for specific mitigation steps on DataRobot artifacts to help address these risks. 
  • The DataRobot DataPrep CDH 6 connector is being patched as a priority. Customers using this feature should do so only in secured environments until a patch is applied. 
  • Other DataRobot products, including Zepl and Algorithmia, are not affected.

We would also urge you to make a plan to upgrade to DataRobot 7.3 in your current environment as soon as possible. We are happy to work with you on this upgrade and to enable your users on all of the latest capabilities that your upgrade would give them access to. 

Please do not hesitate to reach out to your account team or email support@datarobot.com if we can assist you in any way. As always, thank you for including DataRobot as a cornerstone in your AI transformation. We will provide updates on Log4j on DataRobot Community if we have new information relevant to you. For now, we wish you the happiest of holiday seasons. 

Best Regards,

Nenshad Bardoliwalla

Chief Product Officer

 


Appendix: DataRobot Customer-Managed Release

This vulnerability is dependent on which features are enabled and how they are being utilized. 

1. DataRobot Scoring Code (formerly known as "CodeGen")

DataRobot provides a capability to export ‘code’ and executable Jar files for the purpose of running predictions on other platforms.

Mitigating Actions:

Scoring Code Jars generated from trained models could be vulnerable. If your runtime environment is not already secured, please follow the current guidance provided in the following Apache Security Advisory.

2. MLOps Monitoring Agent

DataRobot provides a capability to monitor and manage ML models running outside of DataRobot’s platform via the MLOps Monitoring Agent.

Mitigating Actions:

If you are running the MLOps Monitoring Agent, and your runtime environment is not already secured, please follow the guidance from Apache Security Advisory.

3. Portable Prediction Server (PPS) with MLOps Monitoring enabled

DataRobot provides a capability to export and execute ML models in an external Docker container outside of DataRobot’s platform and monitor the execution via DataRobot’s MLOps Monitoring Agent (see 2, above). Only the Java MLOps Monitoring Agent contains the vulnerable library.

Mitigating Actions:

If your runtime environment is not already secured, please follow the current guidance provided in the following  Apache Security Advisory.

4. JDBC Driver Support

DataRobot allows customers to connect to external JDBC data sources. We recommend upgrading any JDBC driver to a release which meets the requirements of the Apache Security Advisory.

Announcements
Welcome to the DataRobot Community! Just getting started? Check out these resources:
Complete documentation
Release announcements.
• Community guidelines and other resources.