Security

Note

After conducting internal research, we can confirm that Dataiku DSS is not vulnerable to the “SpringShell” vulnerability (CVE-2022-22965).

Dataiku DSS does not use the specific vulnerable spring-webmvc “data binding” feature.

Dataiku DSS is also not vulnerable to the unrelated Spring Cloud Function vulnerability (CVE-2022-22963), nor to the medium-severity CVE-2022-22950.

No mitigation action or upgrade is required. Dataiku continues to closely monitor the security situation based on information provided by Spring and by JFrog, as it does for all of its third-party dependencies, and will take action if a vulnerability is exploitable.

Note

After conducting internal research, we can confirm that Dataiku DSS is not vulnerable to the family of vulnerabilities regarding Log4J:

  • “log4shell” vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105)

  • JMSAppender and JMSSink vulnerabilities (CVE-2021-4104, CVE-2021-44832, CVE-2022-23302)

  • JDBCAppender vulnerabilities (CVE-2022-23305)

  • SocketAppender vulnerability (CVE-2019-17571)

  • SMTPAppender vulnerability (CVE-2020-9488)

  • Chainsaw vulnerability (CVE-2022-23307)

Dataiku does not use any of the vulnerable features.

No mitigation action or upgrade is required. Dataiku continues to closely monitor the security situation around log4j, as it does for all of its third-party dependencies, and will take action if a vulnerability is exploitable.

Note

Dataiku DSS does not use the Nginx LDAP reference implementation and is therefore not vulnerable to the security vulnerabilities in the Nginx LDAP reference implementation.