topic Re: Log4j2 Vulnerability in Installing and Upgrading

Log4j2 Vulnerability

Yogesh0204 — Fri, 15 Nov 2024 23:23:09 GMT

Will the mitigation provided for the Talend Studio for Log4j "-Dlog4j2.formatMsgNoLookups=true" - will it work for Talend Open Studio 7.3, or any other way that help to mitigate the issue in TOS.

Re: Log4j2 Vulnerability

Anonymous — Thu, 23 Dec 2021 03:34:20 GMT

Hello,

Regarding of this response Publication Date: December 22, 2021 https://www.talend.com/security/incident-response/, remediation for Talend Open Source is not in scope. We are trying to work on remediation for talend open studio and will come back to you as soon as possible.

Best regards

Sabrina

Re: Log4j2 Vulnerability

veeaar — Thu, 23 Dec 2021 06:36:18 GMT

If i download the V8.0.1 talend open studio and migrate my jobs from 7.3.1 to the latest one will it fix the issue?

Re: Log4j2 Vulnerability

Anonymous — Thu, 23 Dec 2021 08:45:22 GMT

Hello,

I’m afraid Talend 8 version was released prior to the vulnerability being revealed.

Best regards

Sabrina

Re: Log4j2 Vulnerability

veeaar — Thu, 23 Dec 2021 14:51:13 GMT

Thanks Sabrina. My IT Security Team asked me to look into the R2021-12 (cumulative patch). Is this patch applicable for Talend Open Studio For Data Integration (7.3.1.20200219_1130)?

We are using the open studio and we have our production go live in 15 days

Could you please confirm what are the options we have at this time to fix the log4j issues for this?

Thanks in advance for your quick response

Re: Log4j2 Vulnerability

Anonymous — Fri, 24 Dec 2021 02:37:02 GMT

Hello,

We do not supply patches for the Open Studio releases. Patches are specific to Talend Service, the version of the Talend Service, the severity of the risk, and other mitigating controls Talend maintains.

You can find mitigation instructions for existing products here….

Publication Date: December 23, 2021: https://www.talend.com/security/incident-response/

As remediation for Talend Open Source is not in scope, we have already escalated it to our IT security team to see if there is any graceful workaround and solution for talend open studio and then come back to you as soon as possible.

Best regards

Sabrina

Re: Log4j2 Vulnerability

ABD2 — Mon, 27 Dec 2021 15:30:19 GMT

Hi,

Any news for Talend Open Studio 7.3 or 8.0 ?

When will it comes into your scope ?

In the meantime, is there a way for us to prevent TOS to include vulnerable log4j jar files into our builds (TOS do so even when log4j is not enabled for a project !) ?

Thanks in advance for your help

Re: Log4j2 Vulnerability

Anonymous — Tue, 28 Dec 2021 03:47:43 GMT

Hello,

We’re working on updating the TOS with the Log4j fix and will keep you update to your issue.

Meanwhile the mitigation steps that we have described in the Talend Help (incident response) apply to TOS as well.

https://www.talend.com/security/incident-response/

Best regards

Sabrina

Re: Log4j2 Vulnerability

Anonymous — Fri, 31 Dec 2021 06:55:03 GMT

Hello,

The mitigation steps are now located on help.talend.com: https://document-link.us.cloud.talend.com/talend_log4j2_cve_statement?lang=en&version=latest&env=prd

Which provides all the workarounds for studio.

Best regards

Sabrina

Re: Log4j2 Vulnerability

abcdmichel — Wed, 05 Jan 2022 09:05:46 GMT

For Talend Open Studio 7.3 or 8.0, are the mitigation steps proposed essential when our projects properties don't use log4j (Check Box not checked). I know we still have all the jar files generated in anyways.

Thanks in advance for the help.

Re: Log4j2 Vulnerability

Anonymous — Wed, 05 Jan 2022 09:43:55 GMT

Hello,

I'm afraid we cannot give 100% assurances of this kind situation(uncheck log4j box).

Note: The mitigation steps that we have described in the Talend Help apply to TOS as well.

Best regards

Sabrin