TOS 8 tRestClient error with indirectly referenced class after update of adobe cxf-rt-rs, databinding, client jars relating to CVE-2022-46364 vulnerabilities

asheppardwork — Fri, 15 Nov 2024 22:14:04 GMT

Please help. How can I update the necessary cxf files and not break all the rest of the code?

We have Talend Open Studio Big Data 8.0.1 on Windows 2016 using tRestClient module to connect to a server. Recently our security group has made me update several jars due to the CVE-2022-46364 vulnerabilities. I have updated CXF-Core, CXF-RT-databinding-jaxb, CXF-RT-RS-client, and CXF-RT-RS-extension-providers to the latest version(s) 4.0.0. However, I now get the error - The type jakarta.ws.rs.ext.MessageBodyWriter cannot be resolved. It is indirectly referenced from required .class files. After doing some searching I replaced the jakarta.ws.rs.api with version 3.1.0 (was 2.1.0) and still have this error. In the code the errors are highlighted as the .getResponse() and .readfrom() classes in the following lines.

<code>

int webClientResponseStatus_tRESTClient_2 = webClient_tRESTClient_2.getResponse().getStatus();

if (webClientResponseStatus_tRESTClient_2 >= 300) {

throw new javax.ws.rs.WebApplicationException(webClient_tRESTClient_2.getResponse());

}

</code>

and in the following

<code>

if (!org.apache.cxf.common.util.StringUtils.isEmpty(contentLength)

&& Integer.valueOf(contentLength) <= 0) {

try {

return org.dom4j.DocumentHelper.parseText("<root/>");

} catch (org.dom4j.DocumentException e_tRESTClient_2) {

e_tRESTClient_2.printStackTrace();

}

return null;

}

return super.readFrom(cls, type, anns, mt, headers, is);

}

});

</code>

Re: TOS 8 tRestClient error with indirectly referenced class after update of adobe cxf-rt-rs, databinding, client jars relating to CVE-2022-46364 vulnerabilities

Anonymous — Mon, 09 Jan 2023 07:06:00 GMT

Hello,

Regarding of this Apache cxf security issues:

https://nvd.nist.gov/vuln/detail/CVE-2022-46363

It seems that it only applies if a CXF service is misconfigured, it is not a real-world vulnerability.

For vulnerabilities with CVE numbers CVE-2022-46363 and CVE-2022-46364, talend patch will be out by the end of this month tentatively as the 2023-01 release in talend subscription solution.

I’m afraid we do not supply patches for the Open Studio releases. We only provide patches for our subscription products.

With talend open studio, we will check it with our RD team to see if there is any mitigation instructions for existing products (talend open studio V 8.0) and will keep you posted as long as there is any information about the next release of Open Studio.

Best regards

Sabrina

topic TOS 8 tRestClient error with indirectly referenced class after update of adobe cxf-rt-rs, databinding, client jars relating to CVE-2022-46364 vulnerabilities in Talend Studio

TOS 8 tRestClient error with indirectly referenced class after update of adobe cxf-rt-rs, databinding, client jars relating to CVE-2022-46364 vulnerabilities

Re: TOS 8 tRestClient error with indirectly referenced class after update of adobe cxf-rt-rs, databinding, client jars relating to CVE-2022-46364 vulnerabilities