PwnKit Linux vulnerability (CVE-2021-4034)
Information
Advisory ID: DSA-2022-001 (original vulnerability: CVE-2021-4034)
CVSS Base Score: 8.8
CVSS String: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: High
CWE classification: CWE-787 / CWE-125
Summary
A Local Privilege Escalation was found in the “PolicyKit” component of all major Linux distributions. This allows hostile local users to gain root access.
Cloud Stacks DSS instances are affected by this vulnerability.
Affected Products
Dataiku DSS 9.0.6 and previous versions (Cloud Stacks deployments)
Dataiku DSS 10.0.2 and previous versions (Cloud Stacks deployments)
Warning
Non-Cloud Stacks deployments may also be affected. However, for these deployments, Dataiku software does not manage the base OS in which the vulnerability lies. Please refer to the mitigation instructions from your OS vendor.
Fix
Dataiku DSS 9.0.7 and 10.0.3 have been released and address the vulnerability.
Mitigation
To fix the vulnerability without upgrading to DSS 9.0.7 or 10.0.3, please follow these instructions:
1. Log onto your Fleet Manager.
2. Go to the Instance template (or Instance templates) used by your instances.
3. Add a setup action of type “Run Ansible Tasks”. Make sure “After DSS start” is selected as the Stage.
4. Enter the following Ansible tasks (the command must be indented under the task item so that both keys belong to the same task):
   ---
   - become: true
     command: /usr/bin/yum update -y polkit
5. Save the instance template.
6. For each instance, go to the instance page, and click on Actions > Replay Setup Actions.
Your DSS instance is now safe from the vulnerability.
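As an added example (not Dataiku's own setup action, nor text from the original advisory), the same update expressed as a fuller Ansible task list for a “Run Ansible Tasks” setup action that also verifies the result: it updates polkit with the yum module, records the installed package version, and fails the setup action if the package changelog does not reference CVE-2021-4034. The verification step assumes an RPM-based image (consistent with the yum command above) whose vendor lists fixed CVEs in the package changelog, as Red Hat-derived distributions do; the task names and the registered variable names are my own.

```yaml
---
# Added example task list (not Dataiku's). Assumes an RPM-based image whose
# polkit package changelog names the CVE it fixes.
- name: Update polkit to the latest package offered by the distribution
  become: true
  yum:
    name: polkit
    state: latest
    update_cache: true

- name: Record the installed polkit package version
  command: rpm -q polkit
  register: polkit_version
  changed_when: false

- name: Fail the setup action if the changelog does not reference CVE-2021-4034
  shell: rpm -q --changelog polkit | grep -q CVE-2021-4034
  register: polkit_changelog
  changed_when: false
  failed_when: polkit_changelog.rc != 0

- name: Report the verified package
  debug:
    msg: "{{ polkit_version.stdout }} installed; changelog references CVE-2021-4034"
```

Because the third task fails the whole setup action when the fix is absent, Replay Setup Actions surfaces the problem in Fleet Manager instead of reporting success after a yum run that found nothing to update (for example, when the instance cannot reach its package mirror).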
Timeline
January 25th, 2022 (5pm): Vulnerability is disclosed
January 26th, 2022: Dataiku publishes mitigation instructions
January 27th, 2022: Dataiku notifies affected customers
January 28th, 2022: Dataiku publishes fixed version
If you encounter any issue following this procedure, or for any additional question, please feel free to reach out to Dataiku Support.