topic Re: Remove default log4j version and add a new version globally in Talend Studio

Remove default log4j version and add a new version globally

heshkaru — Tue, 01 Mar 2022 10:27:22 GMT

Hi,

Currently talend uses log4j 2.12 version which has the latest vulnerability discovered. As I can see for each job there is a separate POM file and all those files are using that log4j version. Do I need to manually go to each and every POM file and change it or is there a easy way to change this version to new log4j 2.17.1 version.

https://www.secureworks.com/blog/log4j-vulnerability-faqs# :~:text=rated%20moderate%20severity.-,Version%202.17.,was%20disclosed%20on%20December%2016.

Thank you

Re: Remove default log4j version and add a new version globally

Anonymous — Wed, 02 Mar 2022 04:29:43 GMT

Hello,

Could you please indicate which talend solution are you using?

Here is online documentation about: TalendHelpCenter: Official statement and remediation efforts for Log4j2 security issue (CVE-2021-44228)

Best regards

Sabrina

Re: Remove default log4j version and add a new version globally

heshkaru — Wed, 02 Mar 2022 05:37:10 GMT

Hi,

Im using talend openstudio 7.4.1.

This is regarding the latest vulnerabilitiy discovered in dec 2021.

CVE-2021-44228 and CVE-2021-45046

When I build the job it automatically takes log4j 2.12.1 version. So I need to manually add 2.17.1 after building the job.

Is there a way to change the default log4j version to new version rather than adding 'nolookups'

Thank you

Re: Remove default log4j version and add a new version globally

Anonymous — Wed, 02 Mar 2022 05:53:08 GMT

Hello,

Note: The mitigation steps that we have described in the Talend Help apply to TOS as well.

For your use case, you could install the module externally from maven repository.

1.Download the jar from https://mvnrepository.com/artifact/org.apache.logging.log4j

2.select the appropriate jar which needs to be upgraded

3.select the module in TOS

4.Click Detect and install module

Let us know if you can see the latest jar exist when you build the job.

Hope this will help.

Best regards

Sabrina

Re: Remove default log4j version and add a new version globally

heshkaru — Wed, 02 Mar 2022 06:25:38 GMT

How do i access this screen.

I think this way is correct.

Thank you

Re: Remove default log4j version and add a new version globally

Anonymous — Wed, 02 Mar 2022 07:08:13 GMT

Hello,

Let us know if these screenshots are broken from your side.

Best regards

Sabrina

Re: Remove default log4j version and add a new version globally

heshkaru — Wed, 02 Mar 2022 08:52:03 GMT

Fixed it.

Thank you very much

Re: Remove default log4j version and add a new version globally

Anonymous — Thu, 03 Mar 2022 01:55:18 GMT

Hello,

Great it works. Feel free to let us know if there is any further help we can give.

Best regards

Sabrina

Re: Remove default log4j version and add a new version globally

toshi1 — Fri, 01 Apr 2022 07:07:55 GMT

Hello,

can you help me please, it's very important and time critical for our Company.

We need a TOS with log4j 2.x Version whatever DI or BD.

Thank you

Torsten

mailto:torsten.t.schroeder@deutschebahn.com

Re: Remove default log4j version and add a new version globally

heshkaru — Fri, 01 Apr 2022 07:42:51 GMT

@Torsten Schröder Hi,

This is the documentation I did for the Log4j Fix

Latest vulnerability related to Log4j is found in below.

https://www.secureworks.com/blog/log4j-vulnerability-faqs#:~:text=rated%20moderate%20severity.-,Version%202.17.,was%20disclosed%20on%20December%2016.

RCA: After Talend Zip file is deployed to server, vulnerabilites are scanned from Talend Libraries.

Fix Number 1 : Remove dependencies from Talend Studio itself (Best Option)

Open Talend Studio
Navigate to Window → Show View → Other → Modules and click open.
Module window will be displayed and type “log4j“ in the search bar.

4. Select the necessary dependency and click on the Maven URI.

5. A popup will be open

For windows users all the inbuild dependencies are stored in “C:\Program Files (x86)\TOS_DI-7.4.1\studio\plugins\org.talend.libraries.apache_7.4.1.20201127_0205\lib” folder. Navigate to that folder and delete the old jar version and paste the new jar version.

6. Click … and add the new jar file.

7. Navigate to the folder mention in red color above and select the new jar version.

8. Click “Detect the module install status“ and Click OK.

9. This way you can easily change/update dependencies provided by talend.

10. Once you build the job and extract it and navigate to 'libs' folder you can see that newly updated versions are reflected to the libraries.

Re: Remove default log4j version and add a new version globally

toshi1 — Wed, 06 Apr 2022 15:36:09 GMT

Hello, -> all is fixed

1st, Thanks for the nice and quick reply from @Heshan Karunaratne - It saved me, and helped a lot.

2nd. For those out there who also struggle with the security themes of log4j 1.x and 2.x hereafter my crucial points that have brought success.

1) I'd to understand the substitution from - to with the bridging libs

s.a. slf4j-log4j bridge with log4j 2.8.1 siehe Antwort
- slf4j-log4j12 Bridge -> altes Binding -> neues: log4j-slf4j-impl
  - log4j-api (2.8.1)
  - log4j-core (2.8.1)
  - log4j-slf4j-impl (2.8.1)
  - slf4j-api (1.7.25)
  - zusätzlich Bridge to log4j
    - log4j-1.2-api (2.8.1)
Benötigte Bibliotheken von SLF4J und Log4j 2.x -> in MVN log4j aktuelle Versionsstände ermitteln
- 2.17.2
  - log4j-core
  - log4j-api
  - log4j-slf4j-impl
    - Log4j 2 SLF4J Binding
      - log4j-slf4j-impl should be used with SLF4J 1.7.x releases or older.
      - log4j-slf4j18-impl should be used with SLF4J 1.8.x releases or newer.
      - NOTE not to take simultanously log4j-to-slf4j-2.0.jar
  - log4j-1.2-api
- 1.7.36
  - slf4j-api

2) I'd to learn, that with my old TOS BD 7.2.1 success is to difficult to achieve

I'm exported the TOS BD 7.2.1 items and import them to TOS DI 8.0.1, that helped me a lot.

I wish to Thanks all of you, you're a great community

Torsten

Re: Remove default log4j version and add a new version globally

heshkaru — Wed, 06 Apr 2022 16:25:33 GMT

My pleasure