Status dashboard

Last updated on: Jun 10th, 2022 at 3:30 PM EST

AWS notified Collibra of a period of service degradation between 18:01PM PDT and 21:25PM PDT on 6/9/22 impacting only AWS service APIs in the US-EAST-1 region. Collibra Cloud Operations did not detect service degradation on Collibra environments in this region during that timeframe. However, if you believe your environment was impacted, please open a Support ticket referencing this incident for further follow-up.

This is the AWS communication that CloudOps received - which is publicly available: 6:01 PM PDT on 6/9/22, we experienced elevated error rates and latencies for AWS services within the US-EAST-1 Region. The issue affected AWS service APIs, with no impact to data plane services such as EC2 instances, EBS volumes, or Elastic Load Balancers. We started to see recovery at 7:55 PM PDT and were fully recovered by 9:25 PM PDT. The issue has been resolved and the service is operating normally.

Last updated on: April 8th, 2022 at 5:00 PM EST

Spring4Shell Vulnerabilities

Collibra is committed to ensuring transparency and trust. To that end, we proactively monitor and respond to threats that might impact our products and services.

Collibra is aware of the vulnerabilities involving, Spring4Shell, comprised of CVE-2022-22965 and CVE-2022-22963. CVE-2022-22965 involves vulnerabilities impacting Spring WebMVC and Spring WebFlux applications running on Java 9 and later and exposes the applications to the possibility of remote code execution (RCE). CVE-2022-22963 impacts the Spring Expression Language (SpEL) and can expose applications to the possibility of remote code execution (RCE).

We are continuously monitoring and evaluating these vulnerabilities.

Summary of impact for Collibra

Based on initial review of Collibra products, the impact assessment is as follows:

Collibra Proprietary Software

Product - GA Only	Impacted by CVE-2022-22965	Impacted by CVE-2022-22963
Collibra Data Intelligence Cloud (DGC)	No	No
DGC On-Premise	No	No
Collibra Data Governance	No	No
Collibra Data Privacy	No	No
Collibra Data Catalog	No	No
Collibra Data Lineage	No	No
Collibra Data Quality, On-Premises	No	No
Collibra Data Quality, Cloud	No	No
Collibra Insights	No	No
Collibra Edge	No¹	No
Collibra Job Server, On-Premise	No	No
Collibra Job Server, Cloud	No	No

¹Collibra Edge is using the vulnerable version of Spring Framework. Collibra Edge does not expose the vulnerable services therefore there is no risk. Out of abundance of caution, Collibra will issue a patch to update the Spring Framework in the upcoming April release.

Third Party Software

Collibra has conducted an initial review of the key third party software embedded in our product offerings and found no impact from Spring4Shell vulnerabilities.

Next Steps

An update to this incident will be posted if there is a change to the status.

Last updated on: January 19, 2022 at 5:00 PM EST

Vulnerability with Apache Log4j

Collibra is aware of the vulnerabilities with Apache Log4j, a Java logging library. As Collibra Security continues to monitor our software and systems for any impact from this vulnerability, the status below may change. Please continue to monitor this page for our latest updates.

Apache Log4j vulnerabilities as designated by Mitre:

CVE ID	Date Discovered
CVE-2021-44228	December 10, 2021
CVE-2021-45046	December 14, 2021
CVE-2021-45105	December 18, 2021

Summary of impact for Collibra related to CVE-2021-44228

After a comprehensive review of Collibra products, Collibra identified that Collibra Data Quality was impacted and a patch to fix the vulnerability was issued on December 11, 2021. Through our further assessments, it was determined that all Collibra proprietary software code within Collibra Data Intelligence Cloud (formerly DGC) does not leverage vulnerable versions of Log4j (versions 2.0 to 2.14.1).

We are continuing to assess third party software and libraries related to CVE-2021-44228 and are completing the necessary updates. In the interim, we are actively developing and providing mitigations to protect our customers.

Summary of impact for Collibra related to CVE-2021-45046

Collibra is aware of the vulnerability related to Apache Log4j 2.15.0. Please see below the status of Collibra products and third party software impacted and solutions provided.

Summary of impact for Collibra related to CVE-2021-45105

Collibra has assessed the impact on its third party software, Elasticsearch, against the new found vulnerability in Log4j version 2.16.0, CVE-2021-45105. Please see below the status of third party software impacted and solutions provided.

Recommendation: The current guidance to customers is to continue to implement the patch made available for their applicable DGC on-premises versions using the guidance for Elasticsearch below. The patch remediates the risk from the identified vulnerabilities CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105. Your vulnerability scanners may produce false positive results indicating your systems are vulnerable due to the inclusion of Log4j versions below 2.17; however, the recommended patches from Collibra will protect against the currently described CVEs.

We are continuing to assess third party software and libraries related to Log4j and will update information here as needed.

The below tables contain our most up-to-date guidance on our products.

Collibra Proprietary Software

Product - GA Only	Impacted by CVE-2021-44228	Impacted by CVE-2021-45046	Impacted by CVE-2021-45105
Collibra Data Intelligence Cloud	No	No	No
DGC On-Premises	No	No	No
Collibra Data Governance	No	No	No
Collibra Data Privacy	No	No	No
Collibra Data Catalog	No	No	No
Collibra Data Lineage	No	No	No
Collibra Data Quality, On-Premises	Yes, fix complete (see instructions)	Yes, fix complete (see instructions)	Yes, fix complete (see instructions)
Collibra Data Quality, Cloud	Yes, fix complete (no action required)	Yes, fix complete (no action required)	Yes, fix complete (no action required)
Collibra Insights	No	No	No
Collibra Edge	No¹	No¹	No¹
Collibra Job Server, On-Premises	No²	No²	No²
Collibra Job Server, Cloud	No²	No²	No²

Third Party Software

Collibra is currently evaluating third party software embedded in our product offerings and further updates will be provided as more is known.

We have determined the following third party software are impacted:

Third Party Software	Collibra Product Impacted	Fix Status
Elasticsearch, On-Premises	DGC On-Premises, any version earlier than 5.7.10	Complete: Manual patch process Elasticsearch 6.8.14 to.7.12.2 See Linux instructions See Windows instructions
	DGC On-Premises 5.7.11-1	Complete: Standard patch process Elasticsearch 7.16.1 (release notes) Note: Please follow the standard installation process
	DGC On-Premises 5.7.10-2	Complete: Standard patch process Elasticsearch 7.16.1 (release notes) Note: Please follow the standard installation process
	DGC On-Premises 5.7.11-2	Complete: Standard patch process Elasticsearch 7.16.2 (contains log4j 2.17.0) (release notes) Note: Please follow the standard installation process
	DGC On-Premises 5.7.10-3	Complete: Standard patch process Elasticsearch 7.16.2 (contains log4j 2.17.0) (release notes) Note: Please follow the standard installation process
Elasticsearch, Cloud	Collibra Data Intelligence Cloud 2021.11 to 2021.04	Completed on Dec. 13, 2021: Remediated Elasticsearch versions 6.8.14 to 7.12.1
	Collibra Data Intelligence Cloud 2021.09.3	Completed on Dec. 22 and 23, 2021: Standard cloud deployment Elasticsearch 7.16.1 (release notes)
	Collibra Data Intelligence Cloud 2021.09.4	Completed on Jan. 16, 2022: Standard cloud deployment Elasticsearch 7.16.2 (contains log4j 2.17.0) (release notes)
	Collibra Data Intelligence Cloud 2021.10.2	Completed on Dec. 19, 2021: Standard cloud deployment Elasticsearch 7.16.1 (release notes)
	Collibra Data Intelligence Cloud 2021.10.3	Completed on Jan. 16, 2022: Standard cloud deployment Elasticsearch 7.16.2 (contains log4j 2.17.0) (release notes)
	Collibra Data Intelligence Cloud 2021.11.2	Completed on Dec. 19, 2021: Standard cloud deployment Elasticsearch 7.16.1 (release notes)
	Collibra Data Intelligence Cloud 2021.11.3	Completed on Jan. 9, 2022: Standard cloud deployment Elasticsearch 7.16.2 (contains log4j 2.17.0) (release notes)
Mulesoft	Collibra Connect	Complete: Instructions provided by Mulesoft

Collibra Marketplace Assets:

Please navigate to Collibra Marketplace for updates, fixes and new releases related to any potential Log4j vulnerabilities.

Collibra Beta Products

Please consult your Customer Success Manager or the Collibra contact you are working with on the beta test.

Next steps:

Collibra Security highly recommends customers to follow the best practices within their own environments to help with mitigations and workarounds to protect their applications.

Customers should also check whether any other (non-Collibra) software they are running may be impacted and check in with applicable vendors for available patches.

Collibra Security will continue to provide updates as necessary in this webpage.

Further updates to this incident will be posted as needed.

¹Collibra Edge includes log4j-*.jar libraries. However, the vulnerability is neutralized because log4j-core is not included. Please note that vulnerability scanning tools may report false positives as a result.
²Collibra Jobserver includes a Log4j library that is not impacted by CVE-2021-44228 or CVE-2021-45046. Jobserver is not using the functionality related to CVE-2020-9488 and CVE-2019-17571 and therefore not vulnerable. Please note that vulnerability scanning tools may report false positives as a result. Collibra is working on deprecating this library in the future.

Incident date UTC	Summary	Resolution date UTC
Jun 29, 2022 at 10:00	MI-20220629: All Regions - Collibra Engineering discovered and resolved an incident with Edge deployments going into an unhealthy state for 90 minutes	Jun 29, 2022 at 11:30
May 31, 2022 at 03:59	MI-20220531: All Regions - Disruption to workflow notification emails impacting Collibra Data Intelligence Cloud instances	May 31, 2022 at 09:34
Mar 27, 2022 at 15:00	Maintenance window was extended to 5:00 PM ET from the standard end time of 11 AM ET. Impact to customer is limited to 20 minute downtime during the upgrade beyond the advertised 11 AM ET.	Mar 27, 2022 at 17:00
Mar 21, 2022 at 02:00	MI:20220321: An issue with our third party software vendor JFrog (JFrog Artifactory), used internally by Edge and Catalog products caused a disruption to our Servcies in all regions.	Mar 21, 2022 at 14:00
Dec 22, 2021 at 13:00	MI-20211222: Collibra Service Outage caused by loss of power in our Cloud Service Provider AWS’s Data Center affected availability and connectivity to EC2 instances in use by Collibra within AWS AMERS Region	Dec 22, 2021 at 22:57

Trust

Spring4Shell Vulnerabilities

Summary of impact for Collibra

Collibra Proprietary Software

Third Party Software

Next Steps

Vulnerability with Apache Log4j

Summary of impact for Collibra related to CVE-2021-44228

Summary of impact for Collibra related to CVE-2021-45046

Summary of impact for Collibra related to CVE-2021-45105

Collibra Proprietary Software

Third Party Software

Collibra Marketplace Assets:

Collibra Beta Products

Next steps:

Current status by product

Incident date

Severity

Summary

Resolution date

Status Dashboard is temporarily unavailable. Please try again later.

Products

Americas

EMEA

APAC

GovCloud

Products	Americas North, Central and South	EMEA Europe, Middle East and Africa	APAC Asia Pacific	GovCloud US East
Data Governance
Data Catalog
Data Classification
Data Lineage
Metadata Connectors
Insights
Data Privacy