Return to page

To report a possible security vulnerability, please email support@h2o.ai

 

12/30/21 – H2O.ai’s response to CVE-2021-44832

The H2O.ai team is evaluating the latest Log4j Java library remote code execution (RCE) vulnerability reported on Dec 28, 2021 in CVE-2021-44832. Detailed information about the CVE is available at

  1. Apache logging services and

  2. A detailed blog post

Versions Affected: all log4j-core versions >=2.0-alpha7 and <=2.17.0 excluding 2.3.2 and 2.12.4
Severity: Medium CVSS Score: 6.5
Fixed Version: 2.17.1

H2O.ai has already released patches to address the earlier critical CVE’s (CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105) reported in the log4j library. However the latest CVE-2021-44832 affects the 2.17.0 version of log4j used in H2O.ai software.
H2O.ai will be releasing patched versions of all of its affected software. Please see the table below for the release schedule.

For any additional questions, reach out to H2O.ai support at support@h2o.ai.

Actions Taken

Upgrade software to version 2.17.1 of log4j library that contains this fix.

Product Versions affected Fixed Version/Patch Release date
H2O-3 3.32.1.7-3.34.0.7 3.36.0.1change set 12/29/2021
H2O Driverless AI 1.10.x 1.10.1.3 1/10/2022
H2O Driverless AI 1.9.1.1 – 1.9.3.x Patch available 1/10/2022
MLOps Model Scorer ALL Patch available 1/10/2022
H2O AI Cloud – Hybrid Deployments with versions above Patch available 1/10/2022
H2O AI Cloud – Fully Managed   Remediated 12/10/2021

 

12/23/21 – H2O.ai’s response to CVE-2021-45105

Product Fixed Version/Patch Release date
H2O-3 3.34.0.7 released, change set 12/21/2021
H2O Driverless AI 1.10.1.2 released 12/23/2021
H2O Driverless AI 1.9.X Patch ready including patched Docker images 12/23/2021
MLOps Model Scorer Patch ready, contact support 12/23/2021
H2O AI Cloud – Hybrid Contact support 12/23/2021
H2O AI Cloud – Fully Managed Remediated 12/10/2021

 

12/21/2021 – H2O.ai’s response to CVE-2021-45105

The H2O.ai team is evaluating the latest Log4j Java library remote code execution (RCE) vulnerability found on Dec 18, 2021, in CVE-2021-45105. Detailed information about the CVE is available here.

Log4j is a Java-based logging utility found in a wide number of software products.Versions Affected: all log4j-core versions >=2.0-beta9 and <=2.16.0
Severity: High
Fixed Version: 2.17.0
H2O.ai will be releasing patched versions of all of its affected software. Please see the table below for the release schedule.For any additional questions, reach out to H2O.ai support at support@h2o.ai.

Affected Products

  1. H2O-3 versions 3.32.1.7 – 3.34.0.6
  2. AutoViz service in Driverless AI version 1.9.1.x-1.9.3.x
  3. Driverless AI versions 1.10.x
  4. MLOps scorer
  5. H2O AI Cloud – Hybrid
  6. H2O AI Cloud – Fully Managed

Actions Taken

Upgrade software to version 2.17.0 of log4j library that contains this fix.

Product Fixed Version/Patch ETA
H2O-3 3.34.0.7 released, change set 12/21/2021
H2O Driverless AI 1.10.1.2 being tested ETA 12/23/2021
H2O Driverless AI 1.9.X Patch being tested ETA 12/23/2021
MLOps Model Scorer Patch ready, being tested ETA 12/23/2021
H2O AI Cloud – Hybrid   ETA 12/23/2021
H2O AI Cloud – Fully Managed Remediated 12/10/2021

 

 

12/18/2021 -H2O.ai’s response to CVE-2021-45105

The H2O.ai team is evaluating the latest Log4j Java library remote code execution (RCE) vulnerability found on Dec 18, 2021, in CVE-2021-45105. Detailed information about the CVE is available here.

Log4j is a Java-based logging utility found in a wide number of software products.

Versions Affected: all log4j-core versions >=2.0-beta9 and <=2.16.0
Severity: High
Fixed Version: 2.17.0

H2O.ai has released patches for its affected software to address the earlier critical CVE’s (CVE-2021-44228 and CVE-2021-45046). In the meanwhile, H2O.ai is working with customers to update them to the latest patched version of the product which upgrades to log4j 2.16.

For any additional questions, reach out to H2O.ai support at support@h2o.ai.

 

12/15/2021 – H2O’s updated response to CVE-2021-44228 and subsequent CVE-2021-45046 (“Log4Shell”)

Today we released a new version of Open Source H2O-3 (3.34.0.6) with a updated log4j dependency to version 2.16.0 that solves CVE-2021-44228 and CVE-2021-45046 by disabling JNDI by default. The customers who used JNDI in their log4j configurations are required to set system property `log4j2.enableJndi` to `true`.

Affected Products

Product Fixed Version/Patch ETA
H2O 3 3.34.0.6 Released on 12/15/2021
H2O AI Cloud – Fully Managed Remediated 12/10/2021
H2O Driverless AI 1.10.1.1
1.9.X Contact Support
Released on 12/15/2021
MLOps Model Scorer Patch ready, contact support to apply it. Released on 12/17/2021

 

12/14/2021 – H2O’s updated response to CVE-2021-44228 and subsequent CVE-2021-45046 (“Log4Shell”)

The H2O.ai team continues to investigate and evaluate the Log4j Java library remote code execution (RCE) vulnerability (CVE-2021-44228 and CVE-2021-45046), also known as Log4Shell.

Log4j is a Java-based logging utility found in a wide number of software products.

Versions Affected: all log4j-core versions >=2.0-beta9 and <=2.15.0
Fixed Version: 2.16.0

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. The vulnerability CVE-2021-45046 was published on Tuesday, December 14, 2021 to track this. If exploited, it could potentially allow a remote attacker to execute code on the server. The log4j version 2.16.0 addresses this vulnerability by removing support for message lookup patterns and disabling JNDI functionality by default.

As soon as H2O.ai learned of this vulnerability, we promptly evaluated all our released software versions and cloud-hosted systems to determine what might be impacted and methodically set about remediating any exposure. See Actions Taken below for detail on the steps we’ve taken.

As more information becomes available, we will update this page. For any additional questions, reach out to H2O.ai support at support@h2o.ai

Affected Products

Product Fixed Version/Patch ETA
H2O-3 3.34.0.6 coming shortly 12/15/2021
H2O AI Cloud – Fully Managed Remediated 12/10/2021

 

 

Customer Recommendations

For customers using the H2O AI Cloud – Fully Managed deployment, there is no action required. We’ve already secured the environment.

For H2O.ai software, customers can choose to either remediate themselves (or by reaching out to support), using the steps highlighted in “Other Mitigations” or wait for the upcoming releases.

Other Mitigations

We also recommend customers check whether any other (non-H2O.ai) software they are running may be impacted and check in with applicable vendors for available patches.

Customers unable to patch affected software should also consider the mitigation strategies outlined below.

    • Deploy a WAF with rules specific to the exploitation observed around this vulnerability. 
    • In log4j versions from 2.10 to 2.15.0:
      • Remove the JndiLookup class from the classpath. For example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

 

12/13/2021 – H2O’s response to CVE-2021-44228 (“Log4Shell”)

The H2O.ai team continues to investigate and evaluate the Log4j Java library remote code execution (RCE) vulnerability (CVE-2021-44228), also known as Log4Shell.

Log4j is a Java-based logging utility found in a wide number of software products.

Versions Affected: all log4j-core versions >=2.0-beta9 and <=2.14.1
Fixed Version: 2.15.0

 

As soon as H2O.ai learned of this vulnerability, we promptly evaluated all our released software versions and cloud-hosted systems to determine what might be impacted and methodically set about remediating any exposure. See Actions Taken below for detail on the steps we’ve taken.

 

As more information becomes available, we will update this page. For any additional questions, reach out to H2O.ai support at support@h2o.ai

 

Affected Products

Product Fixed Version/Patch ETA
H2O-3 3.34.0.5 Released on 12/13/2021
H2O AI Cloud – Fully Managed Remediated 12/10/2021

 

 

Customer Recommendations

For customers using the H2O AI Cloud – Fully Managed deployment, there is no action required. We’ve already secured the environment.

H2O-3 has a release ready, so systems should be patched as soon as possible.

Other Mitigations

We also recommend customers check whether any other (non-H2O.ai) software they are running may be impacted and check in with applicable vendors for available patches.

Customers unable to patch affected software should also consider the mitigation strategies outlined below.

    • Deploy a WAF with rules specific to the exploitation observed around this vulnerability. 
    • Consider blocking LDAP and RMI outbound traffic to the internet from vulnerable servers.
    • In log4j versions from 2.10 to 2.14.1:
      • Set the system property log4j2.formatMsgNoLookups to true, or
      • Remove the JndiLookup class from the classpath. For example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class