topic log4j vulnerability issue in Installing and Upgrading

log4j vulnerability issue

krivamsi30 — Fri, 15 Nov 2024 22:56:03 GMT

Hi Team

We are using TOS 7.3.1 community edition

We are facing an issue with vulnerability with below jar files

Is there any patch on Talend so we can upgrade to remove these vulnerabilities

Need urgent help on fixing this vulnerability issue , with log4j 2.12.1 jar version

We need an upgraded log4j version

What is the latest production version of Talend

Regards

Vamsi Krishna

Re: log4j vulnerability issue

Anonymous — Wed, 11 May 2022 07:01:53 GMT

Hello,

I’m afraid we do not supply patches for the Open Studio releases. We only provide patches for our subscription products.

The mitigation steps are now located on Talend Help Center

https://help.talend.com/r/EeTpT8r7xmeq1HtTGQBqGA/zX7iWLX6GgxOAjJPlpXNYA

Which provides all the workarounds for studio.

Note: The mitigation steps that we have described in the Talend Help apply to TOS as well.

Best regards

Sabrina

Re: log4j vulnerability issue

Todd66 — Thu, 21 Jul 2022 07:22:44 GMT

What's the issue? Last week, a vulnerability was found in Log4j, an open-source logging library commonly used by apps and services across the internet. If left unfixed, attackers can break into systems, steal passwords and logins, extract data, and infect networks with malicious software. My Macys Insite Login

Re: log4j vulnerability issue

krivamsi30 — Thu, 21 Jul 2022 19:05:04 GMT

@Xiaodi Shi This should be considered for fixing in open studio too

Re: log4j vulnerability issue

Anonymous — Fri, 22 Jul 2022 02:49:48 GMT

Hello,

The latest version of Talend is v8 at the moment. This was released just prior to the Log4j bug, so the Open Studio version does not have the fixes built-in. The subscription v8 products have been patched. You can try upgrading the Log4j libraries that your version of Talend uses. Have you ever seen the “modules” section in the Studio? Here you can add and replace Jars which are used. You could try to replace the Jars affected with fixed Jars. If you try this, it would be best to test it thoroughly in a Studio that is a “throwaway” instance and not one you are currently using for development.

Best regards

Sabrina

Re: log4j vulnerability issue

Anonymous — Fri, 22 Jul 2022 02:55:22 GMT

Hello,

Thanks for your suggestion. As Talend 8 version was released prior to the vulnerability being revealed, there would be built-in fixed in the next released for talend open solution.

Best regards

Sabrina

Re: log4j vulnerability issue

krivamsi30 — Sat, 23 Jul 2022 13:09:03 GMT

Hi Sabrina

I have tried this solution with 8.0.1 open source, it doesn't work

Every time Talend is opened, it creates these vulnerable jar files

Regards

Vamsi Krishna

Re: log4j vulnerability issue

Anonymous — Mon, 25 Jul 2022 03:36:28 GMT

Hello,

Could you please have a look at this topic about Updating a jar file for official Talend components

https://community.talend.com/s/question/0D55b00006K2hIBCAZ/updating-a-jar-file-for-official-talend-components

We made a testing on V 7.3.1 and it works.

Feel free to post your issue here.

Best regards

Sabrina

Re: log4j vulnerability issue

Eddy3 — Wed, 16 Nov 2022 07:46:43 GMT

Hello xdshi,

I have tried updating jar file directly from modules but whenever I open Talend, those old vulnerable jars are created again in backend folders. How can we resolve this?

TOS_DI-Win32-20200219_1130-V7.3.1\configuration\org.eclipse.osgi\460\0\.cp\lib\log4j-core-2.12.1.jar

TOS_DI-Win32-20200219_1130-V7.3.1\configuration\org.eclipse.osgi\698\0\.cp\lib\log4j-core-2.12.1.jar

TOS_DI-Win32-20200219_1130-V7.3.1\plugins\org.talend.core_7.3.1.20200217_1338.jar (lib/log4j-core-2.12.1.jar)

Re: log4j vulnerability issue

Anonymous — Wed, 16 Nov 2022 10:18:39 GMT

Hello,

Could you please check if the newest vulnerable jars files are showing in the modules view as "installed"?

Best regards

Sabrina

Re: log4j vulnerability issue

Eddy3 — Wed, 16 Nov 2022 18:21:16 GMT

Hello xdshi,

Yes all new jars are installed. Please check below screenshot

But I am still seeing some old log4j installed as well.

And I am also seeing vulnerable jars installed in below folders

Re: log4j vulnerability issue

jlolling — Tue, 06 Dec 2022 23:10:32 GMT

First of all, keep calm. The affected issue cannot be used inside a Talend job because the Talend job does not allow (because of it design) to send user defined log messages from anywhere outside the job.

You are NOT in danger!

But unfortunately there are some guys in the companies scanning the projects and blaming you using the out-dated "dangerous" library.

The affected functionality can also simply switched of by a JVM parameter.

Take care you set this: LOG4J_FORMAT_MSG_NO_LOOKUPS=true. as environment variable (usually added to the job with -D)