asheppardwork
Contributor III

How do I upgrade or replace the version of Log4j in Talend Open Studio for Big Data 7.1 to address the CVE-2019-17571 vulnerability?

My IT security team needs me to remove the current log4j jar that came with Talend Open Studio Big Data 7.1 and upgrade to a newer version. The current version is log4j-1.2.17.jar and they want me to use log4j-2.8.2+ to address the CVE-2019-17571 vulnerability documented by Apache. However, after doing a lot of searching here it looks like log4j is an integral part of TOS (https://community.talend.com/s/article/Log-j-tips-and-tricks-I8730), so how do I get to using the new(er) version of the jar and all the associated applications, as there are some 137 entries in the file structure that use this jar? Do I have to upgrade TOS? If so, how do I find out what version of the jar is being used? Any assistance would be very helpful.

16 Replies
norren
Contributor

The problem with this approach is that there will still be affected log4j JARs in Talend.

Like in:

\configuration\.m2\repository\org\apache\logging

\configuration\org.eclipse.osgi\460\0\.cp\lib\

\plugins\org.talend.core_7.3.1.20200217_1338.jar (lib/log4j-core-2.12.1.jar)

norren
Contributor

Hey @Timothy Taylor​,


Any updates regarding Talend Open Studio for Data Integration? I still don't see a new release, while it seems there was some work done on the respective git repositories.

Kind regards

Norman

smathew2949
Contributor III

Yes, you will have to repeat this process for all the JARs which you need to upgrade in order to fix the vulnerability.

norren
Contributor

For the mentioned directory \configuration\.m2\repository\org\apache\logging this was actually quite easy: just delete the old log4j JAR, as this is just the local Maven repository.

But how about these:

TOS_DI-Win32-20200219_1130-V7.3.1\configuration\org.eclipse.osgi\460\0\.cp\lib\log4j-core-2.12.1.jar

TOS_DI-Win32-20200219_1130-V7.3.1\configuration\org.eclipse.osgi\698\0\.cp\lib\log4j-core-2.12.1.jar

TOS_DI-Win32-20200219_1130-V7.3.1\plugins\org.talend.core_7.3.1.20200217_1338.jar (lib/log4j-core-2.12.1.jar)


They are neither configurable via the Modules view in the Open Studio, nor can you just replace the old log4j JARs with updated ones, as the application won't start anymore after this change.

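An added example (not code from the thread or from Talend) for the original question of how to find out which log4j versions an installation actually carries, and for the nested JARs listed above that a plain filename search misses: it walks a Studio directory, reports every log4j JAR by artifact and version, and also opens each JAR to find log4j JARs packed inside it (the org.talend.core plugin JAR case). The 2.8.2 floor comes from the question's requirement; the directory tree, JAR contents and the names build_demo_install, scan, classify and run_demo are constructed here for the demonstration.

```python
"""Inventory every log4j JAR under a Talend Open Studio install directory.

Added example, not Talend code. Finds log4j JARs on disk (lib/, the local
.m2 repository, the OSGi .cp caches) and JARs nested inside other JARs
(e.g. plugins/org.talend.core_*.jar -> lib/log4j-core-*.jar).
"""
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Matches log4j-1.2.17.jar, log4j-core-2.12.1.jar, log4j-1.2-api-2.12.1.jar, ...
# Regex backtracking makes the last "-<digits.digits>" run the version.
LOG4J_RE = re.compile(r"^(log4j(?:-[a-z0-9.]+)*)-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)

# Assumption taken from the question: the required floor is log4j 2.8.2.
DEFAULT_MIN_VERSION = (2, 8, 2)


def parse_version(text):
    return tuple(int(p) for p in text.split("."))


def classify(version, min_version=DEFAULT_MIN_VERSION):
    """Verdict for one log4j version tuple."""
    if version[0] == 1:
        # The 1.x line is end-of-life; CVE-2019-17571 is reported against it.
        return "log4j 1.x: CVE-2019-17571 applies, no fixed 1.x release exists"
    if version < min_version:
        return "below required minimum " + ".".join(map(str, min_version))
    return "ok"


def inspect_jar(label, data, min_version, findings):
    """Record `label` if it names a log4j JAR, then recurse into JARs it contains.

    `label` is a posix-style path; nested entries are joined with "!", e.g.
    plugins/org.talend.core_7.3.1.jar!lib/log4j-core-2.12.1.jar
    """
    basename = re.split(r"[/!]", label)[-1]
    m = LOG4J_RE.match(basename)
    if m:
        findings.append({
            "path": label,
            "artifact": m.group(1).lower(),
            "version": m.group(2),
            "verdict": classify(parse_version(m.group(2)), min_version),
        })
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip; nothing nested to look at
    with zf:
        for name in zf.namelist():
            if name.lower().endswith(".jar"):
                inspect_jar(label + "!" + name, zf.read(name), min_version, findings)


def scan(root, min_version=DEFAULT_MIN_VERSION):
    """Walk `root` (hidden dirs such as .m2 and .cp included); findings sorted by path."""
    root = Path(root)
    findings = []
    for jar in root.rglob("*.jar"):
        if jar.is_file():
            inspect_jar(jar.relative_to(root).as_posix(), jar.read_bytes(),
                        min_version, findings)
    findings.sort(key=lambda f: f["path"])
    return findings


def make_jar(entries):
    """Build an in-memory zip/JAR from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_demo_install(root):
    """Constructed stand-in for a TOS 7.x tree, mirroring the paths named in the thread."""
    core = make_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
    api = make_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
    files = {
        "lib/log4j-1.2.17.jar": make_jar({"org/apache/log4j/Logger.class": b""}),
        "configuration/.m2/repository/org/apache/logging/log4j/log4j-core/2.12.1/"
        "log4j-core-2.12.1.jar": core,
        "plugins/org.talend.core_7.3.1.20200217_1338.jar": make_jar({
            "plugin.xml": b"<plugin/>",
            "lib/log4j-core-2.12.1.jar": core,
            "lib/log4j-api-2.12.1.jar": api,
        }),
        "lib/commons-lang-2.6.jar": make_jar({"x.class": b""}),  # must not be reported
    }
    root = Path(root)
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def run_demo():
    """Build the constructed tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_install(tmp)
        return scan(tmp)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['path']}: {f['artifact']} {f['version']} -> {f['verdict']}")
```

Against a real install, call scan() on the Studio directory (for example scan(Path("/opt/TOS_DI"), min_version=(2, 8, 2)), path chosen here for illustration). The script only inventories: the thread reports that the Studio does not start after the nested JARs are swapped by hand, so the output is evidence of what is shipped, not a patch procedure, and the fix remains a vendor release that bundles the newer log4j.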
Eddy3
Contributor

Hey Norren,


Are you able to find a solution to replace the old log4j JARs within the folders below? I am facing the same issue.

TOS_DI-Win32-20200219_1130-V7.3.1\configuration\org.eclipse.osgi\460\0\.cp\lib\log4j-core-2.12.1.jar

TOS_DI-Win32-20200219_1130-V7.3.1\configuration\org.eclipse.osgi\698\0\.cp\lib\log4j-core-2.12.1.jar

TOS_DI-Win32-20200219_1130-V7.3.1\plugins\org.talend.core_7.3.1.20200217_1338.jar (lib/log4j-core-2.12.1.jar)

norren
Contributor

Nope. Seems like TOS is dead, as there was also no new release as far as I know...

SimoTheBlue
Contributor

Hi there,

I'm not the only one having this problem.

I downloaded the latest version of Talend, but I don't know why there are still poor old log4j versions:

(screenshot of the bundled log4j JAR versions, not reproduced)

It's disappointing

Cordially

Simo™