asheppardwork
Contributor III

How do I upgrade or replace the version of Log4j in Talend Open Studio for Big Data 7.1 to address the CVE-2019-17571 vulnerability?

My IT security needs me to remove the current log4j jar that came with Talend Open Studio for Big Data 7.1 and upgrade to a newer version. The current version is log4j-1.2.17.jar and they want me to use log4j-2.8.2+ to address the CVE-2019-17571 vulnerability documented by Apache. However, after doing a lot of searching here, it looks like log4j is an integral part of TOS (https://community.talend.com/s/article/Log-j-tips-and-tricks-I8730), so how do I get to using the new(er) version of the jar and all the associated applications, as there are some 137 entries in the file structure that use this jar? Do I have to upgrade TOS? If so, how do I find out what version of the jar is being used? Any assistance would be very helpful.
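One way to inventory the log4j jars under a Talend Studio installation and see which version each one carries, for the "how do I find out what version of the jar is being used" part of the question. This is an added example, not code from the original thread or from Talend; it assumes Python 3 with the standard library only, and the sample jars and their manifests are constructed inline.

```python
import re
import tempfile
import zipfile
from pathlib import Path
NAME_RE = re.compile(r"log4j(?:-[a-z0-9]+)*-(\d+(?:\.\d+)+)\.jar$")  # e.g. log4j-core-2.16.0.jar
NUM_RE = re.compile(r"^\d+(?:\.\d+)*")

def jar_version(path):
    """Prefer Implementation-Version from META-INF/MANIFEST.MF; fall back to the file name."""
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.lower().startswith("implementation-version:"):
                return line.split(":", 1)[1].strip()
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # not a jar, or no manifest: try the file name instead
    m = NAME_RE.search(path.name)
    return m.group(1) if m else None

def classify(version):
    """Log4j 1.x is the line affected by CVE-2019-17571; the poster's target is 2.8.2 or newer."""
    m = NUM_RE.match(version or "")
    if not m:
        return "unknown"
    v = tuple(int(p) for p in m.group(0).split("."))
    if v < (2,):
        return "log4j-1.x (CVE-2019-17571)"
    return "below-2.8.2" if v < (2, 8, 2) else "meets-2.8.2+"

def scan(root):
    """Map every log4j*.jar under root (nested plugin folders included) to (version, status)."""
    root = Path(root)
    found = {}
    for p in sorted(root.rglob("log4j*.jar")):
        ver = jar_version(p)
        found[p.relative_to(root).as_posix()] = (ver, classify(ver))
    return found

def demo():
    """Build a constructed sample tree (no real Talend files) and scan it; returns scan()'s dict."""
    root = Path(tempfile.mkdtemp())
    samples = {"lib/log4j-1.2.17.jar": "1.2.17", "plugins/log4j-core-2.16.0.jar": "2.16.0",
               "plugins/log4j-api-2.8.2.jar": None}  # last one: no version in its manifest
    for rel, ver in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(root / rel, "w") as zf:
            mf = "Manifest-Version: 1.0\r\n" + (f"Implementation-Version: {ver}\r\n" if ver else "") + "\r\n"
            zf.writestr("META-INF/MANIFEST.MF", mf)
    return scan(root)
```

Point scan() at the Studio install directory to get the per-jar inventory the poster asked for.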

16 Replies
dataWrangler1
Contributor

Maybe the following steps can help mitigate while a patch or steps for updating the library are made available.

https://community.talend.com/s/feed/0D75b000005WLwPCAW

smathew2949
Contributor III

Install the module externally from the Maven repository, like I upgraded them to 2.16, which is the latest version today.

Steps I followed:


1. Download the jar from https://mvnrepository.com/artifact/org.apache.logging.log4j

2. Select the appropriate jar which needs to be upgraded

  1. Select the module in TOS
  2. Click Detect and install module
  3. Post this, when I build the job, I see the latest jar exists now

Hope this will help

SZollikofer
Contributor

I'm not sure how this could help.


Basically I have the same problem.

I'm looking for a way to fix / mitigate the CVE-2019-17517 vulnerability in log4j-1.2.15 and log4j-1.2.16 directly (without a log4j-to-slf4j adapter).

smathew2949
Contributor III

I had applied the above-mentioned method to take care of CVE-2021-44228 in log4j; however, for CVE-2019-17517 also you could upgrade the jar using the above-mentioned method. This could help you mitigate the issue.

Anonymous
Not applicable

Talend is working to identify all modules in Talend affected and is working on a permanent solution. We should be able to provide your team with an official in-depth update in the coming days on the status of this issue.

One important note: Talend Cloud has been mitigated, along with all apps inside of itself (TMC, TDS/TDP, TDI, etc.), and thus is not affected by this CVE.

For a detailed list of affected products and the suggested mitigation steps, please visit https://www.talend.com/security/incident-response/.

Miguel_Neto
Contributor II

Dear smathew2949,

I followed all of the steps described by you. However, each time I run a job, Talend always asks me to install a module, as shown in the image below.

Does this happen with you too? Can you help with this issue?

[screenshot: Talend's prompt to install a module]

smathew2949
Contributor III

I assume that the reason for this is that the machine where your Talend Studio is installed does not have an active internet connection for the jars to be downloaded from the Maven repository. Can you please confirm if this is the case?

smathew2949
Contributor III

@Timothy Taylor, could you review my post about the solution we have implemented in our team, to see if it is a good one to have in place?

Miguel_Neto
Contributor II

Hello Smathew,

No. My network connection is fine. My problem is that the anti-virus blocks the download of the log4j-core-2.13.2.jar file.

Is there some solution to replace log4j-core-2.13.2.jar with another, non-vulnerable version?