Below you will find the status information for each product and service within Collibra Data Intelligence Cloud.
Last updated on: Jun 10th, 2022 at 3:30 PM EST
AWS notified Collibra of a period of service degradation between 18:01 PDT and 21:25 PDT on 6/9/22 impacting only AWS service APIs in the US-EAST-1 region. Collibra Cloud Operations did not detect service degradation on Collibra environments in this region during that timeframe. However, if you believe your environment was impacted, please open a Support ticket referencing this incident for further follow-up.
This is the AWS communication that CloudOps received, which is publicly available: 6:01 PM PDT on 6/9/22, we experienced elevated error rates and latencies for AWS services within the US-EAST-1 Region. The issue affected AWS service APIs, with no impact to data plane services such as EC2 instances, EBS volumes, or Elastic Load Balancers. We started to see recovery at 7:55 PM PDT and were fully recovered by 9:25 PM PDT. The issue has been resolved and the service is operating normally.
Last updated on: April 8th, 2022 at 5:00 PM EST
Collibra is committed to ensuring transparency and trust. To that end, we proactively monitor and respond to threats that might impact our products and services.
Collibra is aware of the Spring4Shell vulnerabilities, comprising CVE-2022-22965 and CVE-2022-22963. CVE-2022-22965 impacts Spring WebMVC and Spring WebFlux applications running on Java 9 and later and exposes them to the possibility of remote code execution (RCE). CVE-2022-22963 impacts the Spring Expression Language (SpEL) and can also expose applications to the possibility of remote code execution (RCE).
We are continuously monitoring and evaluating these vulnerabilities.
Based on initial review of Collibra products, the impact assessment is as follows:
Product - GA Only | Impacted by CVE-2022-22965 | Impacted by CVE-2022-22963 |
---|---|---|
Collibra Data Intelligence Cloud (DGC) | No | No |
DGC On-Premise | No | No |
Collibra Data Governance | No | No |
Collibra Data Privacy | No | No |
Collibra Data Catalog | No | No |
Collibra Data Lineage | No | No |
Collibra Data Quality, On-Premises | No | No |
Collibra Data Quality, Cloud | No | No |
Collibra Insights | No | No |
Collibra Edge | No¹ | No |
Collibra Job Server, On-Premise | No | No |
Collibra Job Server, Cloud | No | No |
Collibra has conducted an initial review of the key third party software embedded in our product offerings and found no impact from Spring4Shell vulnerabilities.
An update to this incident will be posted if there is a change to the status.
Last updated on: January 19, 2022 at 5:00 PM EST
Collibra is aware of the vulnerabilities with Apache Log4j, a Java logging library. As Collibra Security continues to monitor our software and systems for any impact from this vulnerability, the status below may change. Please continue to monitor this page for our latest updates.
Apache Log4j vulnerabilities as designated by Mitre:
CVE ID | Date Discovered |
---|---|
CVE-2021-44228 | December 10, 2021 |
CVE-2021-45046 | December 14, 2021 |
CVE-2021-45105 | December 18, 2021 |
After a comprehensive review of Collibra products, Collibra identified that Collibra Data Quality was impacted and a patch to fix the vulnerability was issued on December 11, 2021. Through our further assessments, it was determined that all Collibra proprietary software code within Collibra Data Intelligence Cloud (formerly DGC) does not leverage vulnerable versions of Log4j (versions 2.0 to 2.14.1).
We are continuing to assess third party software and libraries related to CVE-2021-44228 and are completing the necessary updates. In the interim, we are actively developing and providing mitigations to protect our customers.
Collibra is aware of the vulnerability related to Apache Log4j 2.15.0. Please see below the status of Collibra products and third party software impacted and solutions provided.
Collibra has assessed the impact on its third party software, Elasticsearch, of the newly found vulnerability in Log4j version 2.16.0, CVE-2021-45105. Please see below the status of third party software impacted and solutions provided.
Recommendation: The current guidance to customers is to continue to implement the patch made available for their applicable DGC on-premises versions using the guidance for Elasticsearch below. The patch remediates the risk from the identified vulnerabilities CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105. Your vulnerability scanners may produce false positive results indicating your systems are vulnerable due to the inclusion of Log4j versions below 2.17; however, the recommended patches from Collibra will protect against the currently described CVEs.
We are continuing to assess third party software and libraries related to Log4j and will update information here as needed.
The below tables contain our most up-to-date guidance on our products.
Product - GA Only | Impacted by CVE-2021-44228 | Impacted by CVE-2021-45046 | Impacted by CVE-2021-45105 |
---|---|---|---|
Collibra Data Intelligence Cloud | No | No | No |
DGC On-Premises | No | No | No |
Collibra Data Governance | No | No | No |
Collibra Data Privacy | No | No | No |
Collibra Data Catalog | No | No | No |
Collibra Data Lineage | No | No | No |
Collibra Data Quality, On-Premises | Yes, fix complete (see instructions) | Yes, fix complete (see instructions) | Yes, fix complete (see instructions) |
Collibra Data Quality, Cloud | Yes, fix complete (no action required) | Yes, fix complete (no action required) | Yes, fix complete (no action required) |
Collibra Insights | No | No | No |
Collibra Edge | No¹ | No¹ | No¹ |
Collibra Job Server, On-Premises | No² | No² | No² |
Collibra Job Server, Cloud | No² | No² | No² |
Collibra is currently evaluating third party software embedded in our product offerings and further updates will be provided as more is known.
We have determined the following third party software are impacted:
Third Party Software | Collibra Product Impacted | Fix Status |
---|---|---|
Elasticsearch, On-Premises | DGC On-Premises, any version earlier than 5.7.10 | Complete: Manual patch process Elasticsearch 6.8.14 to 7.12.2. See Linux instructions. See Windows instructions. |
 | DGC On-Premises 5.7.11-1 | Complete: Standard patch process Elasticsearch 7.16.1 (release notes). Note: Please follow the standard installation process |
 | DGC On-Premises 5.7.10-2 | Complete: Standard patch process Elasticsearch 7.16.1 (release notes). Note: Please follow the standard installation process |
 | DGC On-Premises 5.7.11-2 | Complete: Standard patch process Elasticsearch 7.16.2 (contains log4j 2.17.0) (release notes). Note: Please follow the standard installation process |
 | DGC On-Premises 5.7.10-3 | Complete: Standard patch process Elasticsearch 7.16.2 (contains log4j 2.17.0) (release notes). Note: Please follow the standard installation process |
Elasticsearch, Cloud | Collibra Data Intelligence Cloud 2021.11 to 2021.04 | Completed on Dec. 13, 2021: Remediated Elasticsearch versions 6.8.14 to 7.12.1 |
 | Collibra Data Intelligence Cloud 2021.09.3 | Completed on Dec. 22 and 23, 2021: Standard cloud deployment Elasticsearch 7.16.1 (release notes) |
 | Collibra Data Intelligence Cloud 2021.09.4 | Completed on Jan. 16, 2022: Standard cloud deployment Elasticsearch 7.16.2 (contains log4j 2.17.0) (release notes) |
 | Collibra Data Intelligence Cloud 2021.10.2 | Completed on Dec. 19, 2021: Standard cloud deployment Elasticsearch 7.16.1 (release notes) |
 | Collibra Data Intelligence Cloud 2021.10.3 | Completed on Jan. 16, 2022: Standard cloud deployment Elasticsearch 7.16.2 (contains log4j 2.17.0) (release notes) |
 | Collibra Data Intelligence Cloud 2021.11.2 | Completed on Dec. 19, 2021: Standard cloud deployment Elasticsearch 7.16.1 (release notes) |
 | Collibra Data Intelligence Cloud 2021.11.3 | Completed on Jan. 9, 2022: Standard cloud deployment Elasticsearch 7.16.2 (contains log4j 2.17.0) (release notes) |
Mulesoft | Collibra Connect | Complete: Instructions provided by Mulesoft |
Please navigate to Collibra Marketplace for updates, fixes and new releases related to any potential Log4j vulnerabilities.
Please consult your Customer Success Manager or the Collibra contact you are working with on the beta test.
Collibra Security strongly recommends that customers follow best practices within their own environments for mitigations and workarounds that protect their applications.
Customers should also check whether any other (non-Collibra) software they are running may be impacted and check in with applicable vendors for available patches.
Collibra Security will continue to provide updates as necessary on this webpage.
Further updates to this incident will be posted as needed.
¹Collibra Edge includes log4j-*.jar libraries. However, the vulnerability is neutralized because log4j-core is not included. Please note that vulnerability scanning tools may report false positives as a result.
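To triage the scanner findings that footnote ¹ describes, the following added example (not Collibra's code or tooling) separates `log4j-*.jar` files that lack log4j-core from jars that actually carry log4j-core code, using the presence of the `JndiLookup` class as the marker. The sample jar names, the `vendor-app-shaded.jar` file and the function names are constructed for illustration.

```python
import re
import zipfile
from pathlib import Path

# JndiLookup ships only in log4j-core; its presence marks log4j-core code.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NAME_RE = re.compile(r"^(log4j-[a-z0-9-]+?)-(\d+(?:\.\d+)*)\.jar$")
REVIEW = "review: log4j-core code present, compare version with advisory"
FALSE_POSITIVE = "likely false positive: log4j artifact without log4j-core"
UNRELATED = "not a log4j artifact"

def classify_jar(path):
    """Return (artifact, version, has_jndi_lookup, verdict) for one jar.
    Jars nested inside other jars are not unpacked here."""
    path = Path(path)
    m = NAME_RE.match(path.name)
    artifact, version = (m.group(1), m.group(2)) if m else (path.stem, None)
    with zipfile.ZipFile(path) as jar:
        has_jndi = JNDI_CLASS in jar.namelist()
    if artifact == "log4j-core" or has_jndi:
        verdict = REVIEW            # also catches shaded/renamed jars
    elif artifact.startswith("log4j-"):
        verdict = FALSE_POSITIVE    # e.g. log4j-api, log4j-slf4j-impl
    else:
        verdict = UNRELATED
    return artifact, version, has_jndi, verdict

def triage(root):
    """Classify every *.jar below root, keyed by file name."""
    return {p.name: classify_jar(p) for p in sorted(Path(root).rglob("*.jar"))}

def build_constructed_sample(root):
    """Write small constructed jars that mimic an install directory."""
    layout = {
        "log4j-api-2.14.1.jar": ["org/apache/logging/log4j/Logger.class"],
        "log4j-slf4j-impl-2.14.1.jar": ["org/apache/logging/slf4j/Log4jLogger.class"],
        "log4j-core-2.14.1.jar": [JNDI_CLASS],
        "vendor-app-shaded.jar": [JNDI_CLASS],  # hypothetical fat jar
    }
    for name, members in layout.items():
        with zipfile.ZipFile(Path(root) / name, "w") as jar:
            for member in members:
                jar.writestr(member, b"")

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        for name, result in triage(tmp).items():
            print(name, result)
```

A "review" verdict only means log4j-core code is present; whether it is exploitable still depends on the version and on any vendor patch applied.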
Incident date (UTC) | Severity | Summary | Resolution date (UTC) |
---|---|---|---|
Jun 29, 2022 at 10:00 | | MI-20220629: All Regions - Collibra Engineering discovered and resolved an incident with Edge deployments going into an unhealthy state for 90 minutes | Jun 29, 2022 at 11:30 |
May 31, 2022 at 03:59 | | MI-20220531: All Regions - Disruption to workflow notification emails impacting Collibra Data Intelligence Cloud instances | May 31, 2022 at 09:34 |
Mar 27, 2022 at 15:00 | | Maintenance window was extended to 5:00 PM ET from the standard end time of 11 AM ET. Impact to customer is limited to 20 minute downtime during the upgrade beyond the advertised 11 AM ET. | Mar 27, 2022 at 17:00 |
Mar 21, 2022 at 02:00 | | MI:20220321: An issue with our third party software vendor JFrog (JFrog Artifactory), used internally by Edge and Catalog products, caused a disruption to our Services in all regions. | Mar 21, 2022 at 14:00 |
Dec 22, 2021 at 13:00 | | MI-20211222: Collibra Service Outage caused by loss of power in our Cloud Service Provider AWS’s Data Center affected availability and connectivity to EC2 instances in use by Collibra within AWS AMERS Region | Dec 22, 2021 at 22:57 |
Products | Americas (North, Central and South) | EMEA (Europe, Middle East and Africa) | APAC (Asia Pacific) | GovCloud (US East) |
---|---|---|---|---|
Data Governance | | | | |
Data Catalog | | | | |
Data Classification | | | | |
Data Lineage | | | | |
Metadata Connectors | | | | |
Insights | | | | |
Data Privacy | | | | |
*Note: the status above indicates availability of the majority of environments in the listed regions, excluding monthly planned downtime.