DarinAfni
Contributor III

Security Vulnerabilities CVE-2021-45105, CVE-2021-45046 and CVE-2021-44228

I am trying to understand how I am supposed to remove/replace log4j drivers that are vulnerable to the above security vulnerabilities.

All of my deployed packages built from Talend utilize one of either log4j-1.2.17.jar or log4j-1.2.16.jar.

I recently upgraded to TOS version 8 back in June. I would've thought that the most recent download at that time wouldn't still be using log4j 1 nor would it be using vulnerable jars?


I've tried to figure out what I'm supposed to do here. There are a couple of helpful community threads but neither of them seem to help me.

https://community.talend.com/s/question/0D55b000064fTQ5CAM/how-do-i-upgrade-or-replace-the-version-o...

https://community.talend.com/s/question/0D55b00006yu3sCCAQ/remove-default-log4j-version-and-add-a-ne...

When I look in my install directory - I'm still seeing these old log4j 1 versions of the jar:


My InfoSec department is going to shut down all of my data integration jobs and take my host server offline if I can't mitigate these issues.

Can anyone tell me how I'm supposed to upgrade these .jar files so that Talend still functions properly? And also how to change each individual job so that the package saved on each machine doesn't include these vulnerable log4j 1 jar files?

Thank you,

Darin
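An added example (not from this thread, Talend or Apache) of the inventory check an InfoSec team would run over the install directory and the exported job packages described above: it lists every log4j jar, loose on disk or packed inside a job zip, and flags log4j 1.x builds (end of life) and Log4j 2 builds older than the releases that closed the three CVEs named in the question. The version thresholds (2.17.0, with the 2.12.3 and 2.3.1 backport branches) come from Apache's advisories for those CVEs; the sample directory tree is constructed inside the script.

```python
"""Inventory log4j jars on disk and inside zipped Talend job builds (added example)."""
import re
import tempfile
import zipfile
from pathlib import Path

# Matches log4j-1.2.17.jar, log4j-core-2.14.1.jar, log4j-1.2-api-2.17.1.jar, ...
JAR_RE = re.compile(r"^log4j(?:-[^/]+?)?-(\d+)\.(\d+)\.(\d+)\.jar$")

def classify(jar_name):
    """Return a finding for a log4j jar file name, or None if it is not a log4j jar."""
    m = JAR_RE.match(jar_name)
    if not m:
        return None
    version = tuple(int(x) for x in m.groups())
    if version[0] < 2:
        return "log4j 1.x (end of life): replace with Log4j 2"
    # First release closing CVE-2021-44228, -45046 and -45105 on each branch:
    # 2.17.0 (Java 8), 2.12.3 (Java 7 backport), 2.3.1 (Java 6 backport).
    fixed = {(2, 3): (2, 3, 1), (2, 12): (2, 12, 3)}.get(version[:2], (2, 17, 0))
    if version < fixed:
        return "below %s: affected by one or more of the listed CVEs" % ".".join(map(str, fixed))
    return "not affected by the three listed CVEs"

def scan(root):
    """Walk root; check loose jars and jars packed one level deep in .zip/.jar archives."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        finding = classify(path.name)
        if finding:
            findings.append((str(path.relative_to(root)), finding))
        if path.suffix in (".zip", ".jar") and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as archive:
                for member in archive.namelist():
                    finding = classify(member.rsplit("/", 1)[-1])
                    if finding:
                        findings.append((f"{path.relative_to(root)}!/{member}", finding))
    return findings

def demo():
    """Constructed sample: one loose jar in the install dir plus a Talend-style job zip."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "lib" / "log4j-1.2.17.jar").write_bytes(b"")  # placeholder, name is what matters
        with zipfile.ZipFile(root / "job_0.1.zip", "w") as z:
            z.writestr("job/lib/log4j-core-2.14.1.jar", b"")
            z.writestr("job/lib/log4j-api-2.17.1.jar", b"")
        return scan(root)

if __name__ == "__main__":
    for location, finding in demo():
        print(location, "->", finding)
```

Point `scan()` at the Talend install directory and at the folder holding the exported job zips; anything reported as 1.x or "below" is what the InfoSec team will be asking about.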

3 Replies
Anonymous
Not applicable

Hello,

For your use case, you could install the module externally from the Maven repository.

1. Download the jar from https://mvnrepository.com/artifact/org.apache.logging.log4j

2. Select the appropriate jar which needs to be upgraded.

3. Select the module in TOS.

4. Click Detect and install module.

Let us know if you can see the latest jar exist when you build the job.

Hope this will help.

Best regards

Sabrina

DarinAfni
Contributor III
Author

Thanks Sabrina.

You've left this response on other questions but I cannot find the replacement for log4j-1.2.17.jar or log4j-1.2.16.jar on that site. There are .jar downloads for log4j 1 but nothing for log4j 2. There are for core or api or jcl (log4j-core and log4j-jcl and log4j-api) but not the log4j jar. It's also not available from the Nexus Repository Manager (talend.com).


If someone can tell me how I'm supposed to find a log4j 2 .jar file that will allow this to function that doesn't have the same security vulnerabilities then I'd be grateful. I just can't find it on that mvnrepository.com site.


Darin

Anonymous
Not applicable

Hello,

You are able to download Apache Log4j™ 2 from the Logging Services official website:

https://logging.apache.org/log4j/2.x/download.html

Hope it helps.

Best regards

Sabrina