Important Update: Security Fix for Custom Data Commons

Dan Noble

Dec 9, 2024, 1:49:00 PM
to sup...@datacommons.org, datacommon...@googlegroups.com

Data Commons Partners,

We have recently identified a security vulnerability in the Custom Data Commons platform. Under certain conditions, malicious API requests could cause your server to restart, resulting in a brief 1–2 minutes of downtime.

Custom Data Commons instances built prior to December 2, 2024, are affected. To address this, we strongly recommend updating your Custom Data Commons instance to the latest version of the customdc_stable branch. This update will mitigate the vulnerability and ensure the stability of your system.

Please follow the step-by-step instructions provided below to complete the update process.

If you have questions or require guidance, please reply to this email and a member of our team will assist you.

Step-by-Step Instructions to Remedy the Problem

1. Update the Data Commons Web Container Image

  1. Pull the latest code from the customdc_stable branch.
  2. Follow the build instructions to rebuild your custom images.
  3. Deploy the new image to your Data Commons web container service in Cloud Run:
    • Replace the Cloud Run service's container image with your newly built image.
    • Deploy a new revision of the service.

2. Update the Data Commons Data Job

  1. Verify that your Cloud Run data job is configured to use one of the following container images:
  2. If not, update the container image URL in the Cloud Run job configuration.

Thank you for your help in maintaining the integrity of our platform.

Best regards,
Dan Noble
Data Commons Team