At the end of last year, the security issues in log4j prompted an examination of our experimentation-client library. While it was not using the vulnerable version of log4j, we released a new version on Jan 26 that completely removed log4j as a dependency. We really hope that you can upgrade the library to the current version (0.21.3), especially since this release is a security update: it removes the deprecated dependencies (BigTable and log4j) that we have not used since last year.
We are going to remove the older version by the end of May 2022. If you have not upgraded by that deadline, you might not be able to do any experimentation.
Additionally, related to the previous post regarding exposed SAs:
During the upgrade, please check that the SAs listed in that post are not used to authenticate to the EXP platform. We will provide replacement service accounts should those accounts be in use.
If your team has already upgraded the experimentation-client library to the latest version, please help us by filling in EXP-Client-Ver, Svc-acc-used, and repo-link on this Google Sheet.
What changed in 0.21.3:
- Removed the deprecated dependency (the BigTable library, which uses log4j underneath) for better security.
- Deprecated the older version of the experimentation-client BE library.

Upgrade steps:
- Please discuss in the #exp-platform channel (and mention @data-mlep) first, prior to upgrading the library. We want to list all the clients that use the experimentation-client library for better coordination in the future.
- Remove BigTable usage, config, and implementation from your code, such as bigtableConfig and getBigtableConfig.
- Upgrade experimentation-client in your code to 0.21.3.
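A small pre-upgrade check for the steps above, added here as an example and not part of the original notice or the library: it scans source text for the BigTable identifiers named above and compares the declared experimentation-client version against 0.21.3. The build-file line shape it parses and the sample inputs are assumptions; adjust the regex to your build system.

```python
"""Pre-upgrade check for the experimentation-client migration (added example)."""
import re
from typing import List, Optional, Tuple

REQUIRED_VERSION = (0, 21, 3)
# Identifiers the notice asks teams to remove before upgrading.
BIGTABLE_MARKERS = ("bigtableConfig", "getBigtableConfig", "BigTable")
# Assumed declaration shape, e.g. 'experimentation-client:0.20.5' or
# 'experimentation-client = "0.19.0"'; adapt to your build file.
VERSION_RE = re.compile(r'experimentation-client["\':=\s]*v?(\d+)\.(\d+)\.(\d+)')


def parse_version(build_text: str) -> Optional[Tuple[int, ...]]:
    """Return the declared experimentation-client version as an int tuple, or None."""
    m = VERSION_RE.search(build_text)
    return tuple(int(x) for x in m.groups()) if m else None


def find_bigtable_refs(source: str) -> List[Tuple[int, str]]:
    """Return (line number, line) for every line still referencing BigTable."""
    return [(n, line.strip()) for n, line in enumerate(source.splitlines(), 1)
            if any(marker in line for marker in BIGTABLE_MARKERS)]


def check_ready(build_text: str, source: str) -> List[str]:
    """Collect blocking findings; an empty list means the repo is ready to upgrade."""
    findings = []
    version = parse_version(build_text)
    if version is None:
        findings.append("experimentation-client version not found in build file")
    elif version < REQUIRED_VERSION:
        findings.append("experimentation-client %s is older than required 0.21.3"
                        % ".".join(map(str, version)))
    for n, line in find_bigtable_refs(source):
        findings.append("BigTable reference at line %d: %s" % (n, line))
    return findings


# Constructed sample inputs (placeholder group id, not a real coordinate).
SAMPLE_BUILD = 'implementation "com.example:experimentation-client:0.20.5"\n'
SAMPLE_SOURCE = (
    "config = getBigtableConfig(env)\n"
    "client = ExperimentClient(bigtableConfig=config)\n"
    'result = client.evaluate("checkout-v2")\n'
)

if __name__ == "__main__":
    for finding in check_ready(SAMPLE_BUILD, SAMPLE_SOURCE):
        print("BLOCKER:", finding)
```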
If you have any questions, please discuss in #exp-platform and mention @data-mlep.