To report a possible security vulnerability, please email support@h2o.ai
12/30/21 – H2O.ai’s response to CVE-2021-44832
The H2O.ai team is evaluating the latest Log4j Java library remote code execution (RCE) vulnerability reported on Dec 28, 2021 in CVE-2021-44832. Detailed information about the CVE is available at
Versions Affected: all log4j-core versions >=2.0-alpha7 and <=2.17.0 excluding 2.3.2 and 2.12.4
Severity: Medium CVSS Score: 6.5
Fixed Version: 2.17.1
H2O.ai has already released patches to address the earlier critical CVE’s (CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105) reported in the log4j library. However the latest CVE-2021-44832 affects the 2.17.0 version of log4j used in H2O.ai software.
H2O.ai will be releasing patched versions of all of its affected software. Please see the table below for the release schedule.
For any additional questions, reach out to H2O.ai support at support@h2o.ai.
Actions Taken
Upgrade software to version 2.17.1 of log4j library that contains this fix.
| Product | Versions affected | Fixed Version/Patch | Release date |
|---|---|---|---|
| H2O-3 | 3.32.1.7-3.34.0.7 | 3.36.0.1, change set | 12/29/2021 |
| H2O Driverless AI | 1.10.x | 1.10.1.3 | 1/10/2022 |
| H2O Driverless AI | 1.9.1.1 – 1.9.3.x | Patch available | 1/10/2022 |
| MLOps Model Scorer | ALL | Patch available | 1/10/2022 |
| H2O AI Cloud – Hybrid | Deployments with versions above | Patch available | 1/10/2022 |
| H2O AI Cloud – Fully Managed | Remediated | 12/10/2021 |
12/23/21 – H2O.ai’s response to CVE-2021-45105
| Product | Fixed Version/Patch | Release date |
|---|---|---|
| H2O-3 | 3.34.0.7 released, change set | 12/21/2021 |
| H2O Driverless AI | 1.10.1.2 released | 12/23/2021 |
| H2O Driverless AI | 1.9.X Patch ready including patched Docker images | 12/23/2021 |
| MLOps Model Scorer | Patch ready, contact support | 12/23/2021 |
| H2O AI Cloud – Hybrid | Contact support | 12/23/2021 |
| H2O AI Cloud – Fully Managed | Remediated | 12/10/2021 |
12/21/2021 – H2O.ai’s response to CVE-2021-45105
The H2O.ai team is evaluating the latest Log4j Java library remote code execution (RCE) vulnerability found on Dec 18, 2021, in CVE-2021-45105. Detailed information about the CVE is available here.
Log4j is a Java-based logging utility found in a wide number of software products.Versions Affected: all log4j-core versions >=2.0-beta9 and <=2.16.0
Severity: High
Fixed Version: 2.17.0
H2O.ai will be releasing patched versions of all of its affected software. Please see the table below for the release schedule.For any additional questions, reach out to H2O.ai support at support@h2o.ai.
Affected Products
- H2O-3 versions 3.32.1.7 – 3.34.0.6
- AutoViz service in Driverless AI version 1.9.1.x-1.9.3.x
- Driverless AI versions 1.10.x
- MLOps scorer
- H2O AI Cloud – Hybrid
- H2O AI Cloud – Fully Managed
Actions Taken
Upgrade software to version 2.17.0 of log4j library that contains this fix.
| Product | Fixed Version/Patch | ETA |
|---|---|---|
| H2O-3 | 3.34.0.7 released, change set | 12/21/2021 |
| H2O Driverless AI | 1.10.1.2 being tested | ETA 12/23/2021 |
| H2O Driverless AI | 1.9.X Patch being tested | ETA 12/23/2021 |
| MLOps Model Scorer | Patch ready, being tested | ETA 12/23/2021 |
| H2O AI Cloud – Hybrid | ETA 12/23/2021 | |
| H2O AI Cloud – Fully Managed | Remediated | 12/10/2021 |
12/18/2021 -H2O.ai’s response to CVE-2021-45105
The H2O.ai team is evaluating the latest Log4j Java library remote code execution (RCE) vulnerability found on Dec 18, 2021, in CVE-2021-45105. Detailed information about the CVE is available here.
Log4j is a Java-based logging utility found in a wide number of software products.
Versions Affected: all log4j-core versions >=2.0-beta9 and <=2.16.0
Severity: High
Fixed Version: 2.17.0
H2O.ai has released patches for its affected software to address the earlier critical CVE’s (CVE-2021-44228 and CVE-2021-45046). In the meanwhile, H2O.ai is working with customers to update them to the latest patched version of the product which upgrades to log4j 2.16.
For any additional questions, reach out to H2O.ai support at support@h2o.ai.
12/15/2021 – H2O’s updated response to CVE-2021-44228 and subsequent CVE-2021-45046 (“Log4Shell”)
Today we released a new version of Open Source H2O-3 (3.34.0.6) with a updated log4j dependency to version 2.16.0 that solves CVE-2021-44228 and CVE-2021-45046 by disabling JNDI by default. The customers who used JNDI in their log4j configurations are required to set system property `log4j2.enableJndi` to `true`.
Affected Products
| Product | Fixed Version/Patch | ETA |
|---|---|---|
| H2O 3 | 3.34.0.6 | Released on 12/15/2021 |
| H2O AI Cloud – Fully Managed | Remediated | 12/10/2021 |
| H2O Driverless AI | 1.10.1.1 1.9.X Contact Support | Released on 12/15/2021 |
| MLOps Model Scorer | Patch ready, contact support to apply it. | Released on 12/17/2021 |
12/14/2021 – H2O’s updated response to CVE-2021-44228 and subsequent CVE-2021-45046 (“Log4Shell”)
The H2O.ai team continues to investigate and evaluate the Log4j Java library remote code execution (RCE) vulnerability (CVE-2021-44228 and CVE-2021-45046), also known as Log4Shell.
Log4j is a Java-based logging utility found in a wide number of software products.
Versions Affected: all log4j-core versions >=2.0-beta9 and <=2.15.0
Fixed Version: 2.16.0
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. The vulnerability CVE-2021-45046 was published on Tuesday, December 14, 2021 to track this. If exploited, it could potentially allow a remote attacker to execute code on the server. The log4j version 2.16.0 addresses this vulnerability by removing support for message lookup patterns and disabling JNDI functionality by default.
As soon as H2O.ai learned of this vulnerability, we promptly evaluated all our released software versions and cloud-hosted systems to determine what might be impacted and methodically set about remediating any exposure. See Actions Taken below for detail on the steps we’ve taken.
As more information becomes available, we will update this page. For any additional questions, reach out to H2O.ai support at support@h2o.ai
Affected Products
| Product | Fixed Version/Patch | ETA |
|---|---|---|
| H2O-3 | 3.34.0.6 coming shortly | 12/15/2021 |
| H2O AI Cloud – Fully Managed | Remediated | 12/10/2021 |
Customer Recommendations
For customers using the H2O AI Cloud – Fully Managed deployment, there is no action required. We’ve already secured the environment.
For H2O.ai software, customers can choose to either remediate themselves (or by reaching out to support), using the steps highlighted in “Other Mitigations” or wait for the upcoming releases.
Other Mitigations
We also recommend customers check whether any other (non-H2O.ai) software they are running may be impacted and check in with applicable vendors for available patches.
Customers unable to patch affected software should also consider the mitigation strategies outlined below.
- Deploy a WAF with rules specific to the exploitation observed around this vulnerability.
- In log4j versions from 2.10 to 2.15.0:
- Remove the JndiLookup class from the classpath. For example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
12/13/2021 – H2O’s response to CVE-2021-44228 (“Log4Shell”)
The H2O.ai team continues to investigate and evaluate the Log4j Java library remote code execution (RCE) vulnerability (CVE-2021-44228), also known as Log4Shell.
Log4j is a Java-based logging utility found in a wide number of software products.
Versions Affected: all log4j-core versions >=2.0-beta9 and <=2.14.1
Fixed Version: 2.15.0
As soon as H2O.ai learned of this vulnerability, we promptly evaluated all our released software versions and cloud-hosted systems to determine what might be impacted and methodically set about remediating any exposure. See Actions Taken below for detail on the steps we’ve taken.
As more information becomes available, we will update this page. For any additional questions, reach out to H2O.ai support at support@h2o.ai
Affected Products
| Product | Fixed Version/Patch | ETA |
|---|---|---|
| H2O-3 | 3.34.0.5 | Released on 12/13/2021 |
| H2O AI Cloud – Fully Managed | Remediated | 12/10/2021 |
Customer Recommendations
For customers using the H2O AI Cloud – Fully Managed deployment, there is no action required. We’ve already secured the environment.
H2O-3 has a release ready, so systems should be patched as soon as possible.
Other Mitigations
We also recommend customers check whether any other (non-H2O.ai) software they are running may be impacted and check in with applicable vendors for available patches.
Customers unable to patch affected software should also consider the mitigation strategies outlined below.
- Deploy a WAF with rules specific to the exploitation observed around this vulnerability.
- Consider blocking LDAP and RMI outbound traffic to the internet from vulnerable servers.
- In log4j versions from 2.10 to 2.14.1:
- Set the system property log4j2.formatMsgNoLookups to true, or
- Remove the JndiLookup class from the classpath. For example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class