PwnKit Linux vulnerability (CVE-2021-4034)

Information

• Advisory ID: DSA-2022-001 (original vulnerability: CVE-2021-4034)

• CVSS Base Score: 8.8

• CVSS String: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

• Severity: High

• CWE classification: CWE-787 / CWE-125

Summary

A Local Privilege Escalation was found in the “PolicyKit” component of all major Linux distributions. This allows hostile local users to gain root access.

Cloud Stacks DSS instances are affected by this vulnerability.

Affected Products

• Dataiku DSS 9.0.6 and previous versions (Cloud Stacks deployments)

• Dataiku DSS 10.0.2 and previous versions (Cloud Stacks deployments)

Warning

Non-Cloud Stacks deployments may be affected too. However, for these deployments, Dataiku software does not manage the base OS in which the vulnerability lies.

Please refer to the mitigation instructions from your OS vendor

Fix

Dataiku DSS 9.0.7 and 10.0.3 have been released and address the vulnerability

Mitigation

To fix the vulnerability without upgrading to DSS 9.0.7 or 10.0.3, please follow these instructions:

• Log onto your Fleet Manager

• Go to the Instance template (or Instance templates) used by your instances

• Add a setup action of type “Run Ansible Tasks”. Make sure “After DSS start” is selected as the Stage

• Enter the following Ansible command

---
- become: true
  command: /usr/bin/yum update -y polkit

• Save the instance template

• For each instance, go to the instance page, and click on Actions > Replay Setup Actions

• Your DSS instance is now safe from the vulnerability

Timeline

• January 25th, 2022 (5pm): Vulnerability is disclosed

• January 26th, 2022: Dataiku publishes mitigation instructions

• January 27th, 2022: Dataiku notifies affected customers

• January 28th, 2022: Dataiku publishes fixed version

If you encounter any issue following this procedure, or for any additional question, please feel free to reach out to Dataiku Support.