Sagemaker DLC and Log4j

Hi all,

I asked a question in the Discord a few days ago and was told to move it here instead.

In the wake of the Log4j vulnerability, should we expect any updated versions of the HuggingFace Deep Learning Container images used for the SageMaker integration, or have y’all confirmed that none of your versions are vulnerable in this way?

All the best,


Hey @charlesatftl,

I was in contact with AWS and the SageMaker Team and got the following response from Yogesh Sharma Engineering Manager for the DLCs

We ran a canary scan to exercise caution and find out if HF DLCs are impacted by the log4j vulnerability. I can confirm that both Hugging Face TensorFlow and Hugging Face PyTorch DLCs are not impacted by the log4j issue.
Some of DLC’s upstream libraries use log4j v1.2 which is old but is not impacted by this CVE (it impacts v2.x). Teams at AWS have decided that we will upgrade the log4j version early January to v2.16 just to be on the latest safe version.

Let us know if you have further questions, thanks.

1 Like