https://community.qlik.com/t5/Installing-and-Upgrading/Talend-Open-Studio-Release-Scehdule/m-p/2380277#M3583 <P>Hello,</P><P>So far, there is no documentation for updating the Apache commons jar.</P><P>Please find the latest information on CVE-2022-42889</P><P><A href="https://www.talend.com/security/incident-response/#CVE-2022-42889" alt="https://www.talend.com/security/incident-response/#CVE-2022-42889" target="_blank">https://www.talend.com/security/incident-response/#CVE-2022-42889</A></P><P>The Apache Security team have released a statement to clarify the impact of CVE-2022-42889: <A href="https://blogs.apache.org/security/entry/cve-2022-42889" alt="https://blogs.apache.org/security/entry/cve-2022-42889" target="_blank">https://blogs.apache.org/security/entry/cve-2022-42889</A></P><P><I>"This issue is different from Log4Shell (CVE-2021-44228) because in Log4Shell, string interpolation was possible from the log message body, which commonly contains untrusted input. In the Apache Common Text issue, the relevant method is explicitly intended and clearly documented to perform string interpolation, so it is much less likely that applications would inadvertently pass in untrusted input without proper validation."</I></P><P>Best regards</P><P>Sabrina</P><P>&nbsp;</P> Wed, 11 Jan 2023 03:13:58 GMT Anonymous 2023-01-11T03:13:58Z https://community.qlik.com/t5/Installing-and-Upgrading/Talend-Open-Studio-Release-Scehdule/m-p/2380274#M3580 <P>Hi Community,</P><P></P><P></P><P>I am working with Talend Open Studio for Windows. I am trying to address </P><P>CVE-2022-42889.</P><P></P><P></P><P>I was wondering is there anyway to know when the next release of Open Studio will be released where this vulnerability is address by having an upgraded jar?</P><P></P><P></P><P>I tried upgrading the Apache Commons Text jar myself, but my jobs will no longer build and product and error for a missing class path. Is there a way to resolve this if there are no recent open studio releases coming?</P><P></P><P></P><P>Thank you</P> Fri, 15 Nov 2024 22:13:58 GMT https://community.qlik.com/t5/Installing-and-Upgrading/Talend-Open-Studio-Release-Scehdule/m-p/2380274#M3580 Jlucas 2024-11-15T22:13:58Z https://community.qlik.com/t5/Installing-and-Upgrading/Talend-Open-Studio-Release-Scehdule/m-p/2380275#M3581 <P>Hello,</P><P>Talend is aware of and monitoring CVE-2022-42889 (Apache Commons Text aka Text4Shell) security vulnerability.</P><P>Mitigations for the vulnerability were implemented in Talend Cloud on October 20, 2022 with no observed impact as a result of the vulnerability prior to implementing the mitigations.</P><P>Talend is scoping the remediation efforts throughout its Product portfolio and is in the process of developing the code fix to address the impacted Products.</P><P>Please see <A href="https://www.talend.com/security/incident-response/" alt="https://www.talend.com/security/incident-response/" target="_blank">https://www.talend.com/security/incident-response/</A></P><P>I’m afraid we do not supply patches for the Open Studio releases. We only provide patches for our subscription products. </P><P>We will keep you posted as long as there is any information about the next release of Open Studio.</P><P>Really sorry for the inconvenience.</P><P>Best regards</P><P>Sabrina</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 09 Jan 2023 08:01:06 GMT https://community.qlik.com/t5/Installing-and-Upgrading/Talend-Open-Studio-Release-Scehdule/m-p/2380275#M3581 Anonymous 2023-01-09T08:01:06Z https://community.qlik.com/t5/Installing-and-Upgrading/Talend-Open-Studio-Release-Scehdule/m-p/2380276#M3582 <P>Thanks for the response xdshi!</P><P>&nbsp;</P><P>Ah I understand that is unfortunate. Do you have any documentation on how to properly update the apache commons jar in open studio?</P> Tue, 10 Jan 2023 17:04:24 GMT https://community.qlik.com/t5/Installing-and-Upgrading/Talend-Open-Studio-Release-Scehdule/m-p/2380276#M3582 Jlucas 2023-01-10T17:04:24Z https://community.qlik.com/t5/Installing-and-Upgrading/Talend-Open-Studio-Release-Scehdule/m-p/2380277#M3583 <P>Hello,</P><P>So far, there is no documentation for updating the Apache commons jar.</P><P>Please find the latest information on CVE-2022-42889</P><P><A href="https://www.talend.com/security/incident-response/#CVE-2022-42889" alt="https://www.talend.com/security/incident-response/#CVE-2022-42889" target="_blank">https://www.talend.com/security/incident-response/#CVE-2022-42889</A></P><P>The Apache Security team have released a statement to clarify the impact of CVE-2022-42889: <A href="https://blogs.apache.org/security/entry/cve-2022-42889" alt="https://blogs.apache.org/security/entry/cve-2022-42889" target="_blank">https://blogs.apache.org/security/entry/cve-2022-42889</A></P><P><I>"This issue is different from Log4Shell (CVE-2021-44228) because in Log4Shell, string interpolation was possible from the log message body, which commonly contains untrusted input. In the Apache Common Text issue, the relevant method is explicitly intended and clearly documented to perform string interpolation, so it is much less likely that applications would inadvertently pass in untrusted input without proper validation."</I></P><P>Best regards</P><P>Sabrina</P><P>&nbsp;</P> Wed, 11 Jan 2023 03:13:58 GMT https://community.qlik.com/t5/Installing-and-Upgrading/Talend-Open-Studio-Release-Scehdule/m-p/2380277#M3583 Anonymous 2023-01-11T03:13:58Z