Current status by product

Last updated on: December 2nd, 2022 at 1:30PM EST

Title: MI-20221129-2 - Mitigated: Edge Connectivity Issues / Degradation

You may be experiencing connectivity issues with Edge sources at this time. We’ve identified the issue and have a workaround available for you to deploy. Please contact Collibra Support by opening a case and our support team will work with you to resolve the issue.

Regions Affected: All
Deployments Affected: Selected Recently Migrated Deployments
CSP: All
Symptom(s): Edge capability degradation or unavailability.
Incident Start Time: Nov 23, 2022
Incident End Time: 12:00 Noon ET Nov 29, 2022

Recommendations:

  • Collibra has provided a workaround to resolve this issue
  • Click this link for further instructions on deploying the fix
  • Open a Support ticket with your Edge installation details if you require further assistance

There is currently no impact to the overall platform (CDIC/DGC).

Last updated on: November 28th, 2022 at 3:00 PM EST

Apache Shiro Authentication Bypass Vulnerability (CVE-2022-40664)

Apache recently issued a security notice disclosing an identity authentication bypass vulnerability (CVE-2022-40664) in Apache Shiro versions earlier than 1.10.0.

Apache Shiro could allow a remote attacker to bypass security restrictions when forwarding or including via RequestDispatcher. A remote attacker can send a specially crafted HTTP request to bypass the authentication process and gain unauthorized access to the application.

Collibra does not use forwarding or including via RequestDispatcher in its source code, and is therefore not vulnerable to this issue.

While Collibra does not use the vulnerable functionality in its products, Collibra nonetheless plans to upgrade Apache Shiro to a non-vulnerable version in a Collibra release during Q1 2023.

Last updated on: June 10th, 2022 at 3:30 PM EST

AWS Service Degradation within the US-EAST-1 Region

AWS notified Collibra of a period of service degradation between 18:01 PDT and 21:25 PDT on 6/9/22 impacting only AWS service APIs in the US-EAST-1 region. Collibra Cloud Operations did not detect service degradation on Collibra environments in this region during that timeframe. However, if you believe your environment was impacted, please open a Support ticket referencing this incident for further follow-up.

This is the AWS communication that CloudOps received, which is publicly available: "At 6:01 PM PDT on 6/9/22, we experienced elevated error rates and latencies for AWS services within the US-EAST-1 Region. The issue affected AWS service APIs, with no impact to data plane services such as EC2 instances, EBS volumes, or Elastic Load Balancers. We started to see recovery at 7:55 PM PDT and were fully recovered by 9:25 PM PDT. The issue has been resolved and the service is operating normally."

Last updated on: April 8th, 2022 at 5:00 PM EST

Spring4Shell Vulnerabilities

Collibra is committed to ensuring transparency and trust. To that end, we proactively monitor and respond to threats that might impact our products and services.

Collibra is aware of the vulnerabilities known as Spring4Shell, comprising CVE-2022-22965 and CVE-2022-22963. CVE-2022-22965 affects Spring WebMVC and Spring WebFlux applications running on Java 9 and later and exposes those applications to the possibility of remote code execution (RCE). CVE-2022-22963 affects the Spring Expression Language (SpEL) and can likewise expose applications to the possibility of remote code execution (RCE).

We are continuously monitoring and evaluating these vulnerabilities.

Summary of impact for Collibra

Based on initial review of Collibra products, the impact assessment is as follows:

Collibra Proprietary Software

Product (GA only)                       Impacted by CVE-2022-22965   Impacted by CVE-2022-22963
Collibra Data Intelligence Cloud (DGC)  No                           No
DGC On-Premise                          No                           No
Collibra Data Governance                No                           No
Collibra Data Privacy                   No                           No
Collibra Data Catalog                   No                           No
Collibra Data Lineage                   No                           No
Collibra Data Quality, On-Premises      No                           No
Collibra Data Quality, Cloud            No                           No
Collibra Insights                       No                           No
Collibra Edge                           No¹                          No
Collibra Job Server, On-Premise         No                           No
Collibra Job Server, Cloud              No                           No
¹Collibra Edge is using the vulnerable version of Spring Framework. Collibra Edge does not expose the vulnerable services, therefore there is no risk. Out of an abundance of caution, Collibra will issue a patch to update the Spring Framework in the upcoming April release.

Third Party Software

Collibra has conducted an initial review of the key third party software embedded in our product offerings and found no impact from Spring4Shell vulnerabilities.

Next Steps

An update to this incident will be posted if there is a change to the status.

Last updated on: January 19, 2022 at 5:00 PM EST

Vulnerability with Apache Log4j

Collibra is aware of the vulnerabilities with Apache Log4j, a Java logging library. As Collibra Security continues to monitor our software and systems for any impact from this vulnerability, the status below may change. Please continue to monitor this page for our latest updates.

Apache Log4j vulnerabilities as designated by Mitre:

CVE ID           Date Discovered
CVE-2021-44228   December 10, 2021
CVE-2021-45046   December 14, 2021
CVE-2021-45105   December 18, 2021

Summary of impact for Collibra related to CVE-2021-44228

After a comprehensive review of Collibra products, Collibra identified that Collibra Data Quality was impacted and a patch to fix the vulnerability was issued on December 11, 2021. Through our further assessments, it was determined that all Collibra proprietary software code within Collibra Data Intelligence Cloud (formerly DGC) does not leverage vulnerable versions of Log4j (versions 2.0 to 2.14.1).

We are continuing to assess third party software and libraries related to CVE-2021-44228 and are completing the necessary updates. In the interim, we are actively developing and providing mitigations to protect our customers.

Summary of impact for Collibra related to CVE-2021-45046

Collibra is aware of the vulnerability related to Apache Log4j 2.15.0. Please see below for the status of the impacted Collibra products and third party software, and the solutions provided.

Summary of impact for Collibra related to CVE-2021-45105

Collibra has assessed the impact on its third party software, Elasticsearch, against the newly found vulnerability in Log4j version 2.16.0, CVE-2021-45105. Please see below for the status of the impacted third party software and the solutions provided.

Recommendation: The current guidance to customers is to continue to implement the patch made available for their applicable DGC on-premises versions using the guidance for Elasticsearch below. The patch remediates the risk from the identified vulnerabilities CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105. Your vulnerability scanners may produce false positive results indicating your systems are vulnerable due to the inclusion of Log4j versions below 2.17; however, the recommended patches from Collibra will protect against the currently described CVEs.

We are continuing to assess third party software and libraries related to Log4j and will update information here as needed.

The below tables contain our most up-to-date guidance on our products.

Collibra Proprietary Software

Product (GA only)                    Impacted by CVE-2021-44228              Impacted by CVE-2021-45046              Impacted by CVE-2021-45105
Collibra Data Intelligence Cloud     No                                      No                                      No
DGC On-Premises                      No                                      No                                      No
Collibra Data Governance             No                                      No                                      No
Collibra Data Privacy                No                                      No                                      No
Collibra Data Catalog                No                                      No                                      No
Collibra Data Lineage                No                                      No                                      No
Collibra Data Quality, On-Premises   Yes, fix complete (see instructions)    Yes, fix complete (see instructions)    Yes, fix complete (see instructions)
Collibra Data Quality, Cloud         Yes, fix complete (no action required)  Yes, fix complete (no action required)  Yes, fix complete (no action required)
Collibra Insights                    No                                      No                                      No
Collibra Edge                        No¹                                     No¹                                     No¹
Collibra Job Server, On-Premises     No²                                     No²                                     No²
Collibra Job Server, Cloud           No²                                     No²                                     No²

Third Party Software

Collibra is currently evaluating third party software embedded in our product offerings and further updates will be provided as more is known.

We have determined that the following third party software is impacted:

Each entry below gives the third party software, the Collibra product impacted, and the fix status.

Elasticsearch, On-Premises
  • DGC On-Premises, any version earlier than 5.7.10. Fix status: Complete, manual patch process. Elasticsearch 6.8.14 to 7.12.2. See Linux instructions; see Windows instructions.
  • DGC On-Premises 5.7.11-1. Fix status: Complete, standard patch process. Elasticsearch 7.16.1 (release notes). Note: please follow the standard installation process.
  • DGC On-Premises 5.7.10-2. Fix status: Complete, standard patch process. Elasticsearch 7.16.1 (release notes). Note: please follow the standard installation process.
  • DGC On-Premises 5.7.11-2. Fix status: Complete, standard patch process. Elasticsearch 7.16.2 (contains log4j 2.17.0) (release notes). Note: please follow the standard installation process.
  • DGC On-Premises 5.7.10-3. Fix status: Complete, standard patch process. Elasticsearch 7.16.2 (contains log4j 2.17.0) (release notes). Note: please follow the standard installation process.

Elasticsearch, Cloud
  • Collibra Data Intelligence Cloud 2021.11 to 2021.04. Fix status: Completed on Dec. 13, 2021; remediated Elasticsearch versions 6.8.14 to 7.12.1.
  • Collibra Data Intelligence Cloud 2021.09.3. Fix status: Completed on Dec. 22 and 23, 2021; standard cloud deployment, Elasticsearch 7.16.1 (release notes).
  • Collibra Data Intelligence Cloud 2021.09.4. Fix status: Completed on Jan. 16, 2022; standard cloud deployment, Elasticsearch 7.16.2 (contains log4j 2.17.0) (release notes).
  • Collibra Data Intelligence Cloud 2021.10.2. Fix status: Completed on Dec. 19, 2021; standard cloud deployment, Elasticsearch 7.16.1 (release notes).
  • Collibra Data Intelligence Cloud 2021.10.3. Fix status: Completed on Jan. 16, 2022; standard cloud deployment, Elasticsearch 7.16.2 (contains log4j 2.17.0) (release notes).
  • Collibra Data Intelligence Cloud 2021.11.2. Fix status: Completed on Dec. 19, 2021; standard cloud deployment, Elasticsearch 7.16.1 (release notes).
  • Collibra Data Intelligence Cloud 2021.11.3. Fix status: Completed on Jan. 9, 2022; standard cloud deployment, Elasticsearch 7.16.2 (contains log4j 2.17.0) (release notes).

Mulesoft
  • Collibra Connect. Fix status: Complete; instructions provided by Mulesoft.

Collibra Marketplace Assets:

Please navigate to Collibra Marketplace for updates, fixes and new releases related to any potential Log4j vulnerabilities.

Collibra Beta Products

Please consult your Customer Success Manager or the Collibra contact you are working with on the beta test.

Next steps:

Collibra Security highly recommends that customers follow best practices within their own environments to apply mitigations and workarounds that protect their applications.

Customers should also check whether any other (non-Collibra) software they are running may be impacted and check in with applicable vendors for available patches.

Collibra Security will continue to provide updates as necessary on this webpage.

Further updates to this incident will be posted as needed.

¹Collibra Edge includes log4j-*.jar libraries. However, the vulnerability is neutralized because log4j-core is not included. Please note that vulnerability scanning tools may report false positives as a result.
²Collibra Jobserver includes a Log4j library that is not impacted by CVE-2021-44228 or CVE-2021-45046. Jobserver does not use the functionality related to CVE-2020-9488 and CVE-2019-17571 and is therefore not vulnerable. Please note that vulnerability scanning tools may report false positives as a result. Collibra is working on deprecating this library in the future.
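As a defender's check for the false-positive caveat in the Recommendation and in footnote 1 above, here is an added example (not Collibra's code or tooling) that classifies jars by artifact and version: only log4j-core is assessed against the advisory's version ranges, a log4j-api jar on its own is reported clean, and a core jar with JndiLookup.class removed is flagged only for CVE-2021-45105. The jar names, the JndiLookup.class check and the sample jars are constructed assumptions.

```python
import io
import re
import zipfile

# From this advisory: log4j-core 2.0 to 2.14.1 is open to CVE-2021-44228, 2.15.0 to
# CVE-2021-45046, 2.16.0 to CVE-2021-45105; 2.17.0 carries the fix for all three.
JAR_NAME = re.compile(r"^log4j-([a-z0-9-]+)-(\d+)\.(\d+)\.(\d+)\.jar$")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
def cves_for_core(version):
    if version[0] != 2 or version >= (2, 17, 0):
        return []
    if version < (2, 15, 0):
        return ["CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105"]
    if version < (2, 16, 0):
        return ["CVE-2021-45046", "CVE-2021-45105"]
    return ["CVE-2021-45105"]

def assess_jar(name, data):
    """Finding {artifact, version, cves} for one jar, or None if not a log4j jar."""
    m = JAR_NAME.match(name)
    if not m:
        return None
    artifact, version = m.group(1), tuple(int(x) for x in m.groups()[1:])
    if artifact != "core":
        # log4j-api etc. carry no lookup code; "log4j-*.jar below 2.17" rules flag them anyway
        return {"artifact": artifact, "version": version, "cves": []}
    cves = cves_for_core(version)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if JNDI_CLASS not in zf.namelist():  # stripped: JNDI CVEs mitigated, 45105 is not
            cves = [c for c in cves if c == "CVE-2021-45105"]
    return {"artifact": artifact, "version": version, "cves": cves}

def scan_jars(jars):
    """Assess a {filename: bytes} mapping; returns findings for log4j jars only."""
    found = ((name, assess_jar(name, data)) for name, data in jars.items())
    return {name: f for name, f in found if f is not None}

def _make_jar(entries):  # in-memory jar with empty placeholder entries (samples only)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry in entries:
            zf.writestr(entry, b"")
    return buf.getvalue()

# Constructed sample jars, not real Collibra artifacts, covering each case above.
SAMPLE_JARS = {
    "log4j-api-2.14.1.jar": _make_jar(["org/apache/logging/log4j/Logger.class"]),
    "log4j-core-2.14.1.jar": _make_jar([JNDI_CLASS]),
    "log4j-core-2.15.0.jar": _make_jar(["org/apache/logging/log4j/core/Core.class"]),
}
```

To run it against a real installation, feed scan_jars a mapping of file names to bytes read from the lib directory; anything a scanner flags that shows up here with an empty cves list is the false-positive case the advisory describes.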

Recent incidents (incident and resolution dates in UTC):

  • MI-20230105, Jan 05, 2022 at 12:25, resolved Jan 05, 2022 at 13:13: Collibra engineers identified and remediated an issue impacting non-production Cloud instance DNS records.
  • MI-20221111, Nov 11, 2022 at 02:09, resolved Nov 11, 2022 at 10:00: Collibra engineering identified and resolved an issue with non-production instances on 2022.11 being intermittently inaccessible.
  • MI-20221016, Oct 16, 2022 at 23:00, resolved Oct 17, 2022 at 02:00: Collibra engineering identified and resolved an issue with some non-prod Cloud instances becoming inaccessible.
