asheppardwork
Contributor III

tDBConnection and tDBInput with Oracle 19c and ojdbc 6,7,8,12,14,18 fail with jackson databind 2.12,2.13,2.14

We have the community edition of Talend Open Studio for Big Data 8.0.1 which we have been using since it came out and we have used Talend for years. Recently there was a CVE (CVE-2020-36518) vulnerability reported for the jackson databind jars all versions except 2.13.x and 2.14.x. Whenever we apply any jackson databind jar other than version 2.11.4 and then try to use either a tDBConnection or tDBInput on an Oracle 19c server with settings for either JDBC or Oracle we get the error:

Caused by: java.lang.NoClassDefFoundError: com/fasterxml/jackson/core/util/JacksonFeature
    at com.fasterxml.jackson.databind.ObjectMapper.<init>(ObjectMapper.java:673)
    at com.fasterxml.jackson.databind.ObjectMapper.<init>(ObjectMapper.java:585)
    at org.apache.avro.Schema.<clinit>(Schema.java:115)
    at org.apache.avro.SchemaBuilder.<clinit>(SchemaBuilder.java:2585)
    at

We have tried multiple ojdbc jar versions 7,8,12,14,18 and we have tried multiple jackson databind versions 2.11.4 thru the last one 2.14.0-rc1 and nothing helps. With the jackson databind 2.11.4 we can connect to our database with no issues with ojdbc 6,7,11,12,14,18. It is only when we change the jackson databind jar that we have an issue. Since this jar is not referenced in the component modules for any tDB object, I can only assume this is something with Talend's core code. We need to be able to update the jackson databind jar to a version without vulnerabilities or find a way to use the 2.13.x versions. We have hundreds of jobs to fix so it would be best if it was a maven repo fix.

This is happening on Windows Server 2016; on Windows 10 Enterprise Laptops; and on RHEL 8.0 server.

Please advise.

2 Replies
Anonymous
Not applicable

How are you changing the Jars? Are you using the modules view for this? If not, you should try changing the Jars there... but make sure you take a note of the settings you are changing first.

If you are trying this by changing the Jars via the modules view, this could be that you have not changed all of the dependencies that may need to be changed. In a lot of cases this won't be required, but it will in some.

Unfortunately we do not support the Open Studio products so there are no patches for these. For a tested update which fixes this issue in TOS you will have to wait for the next release.
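
An added example, not part of the thread and not Talend's code: the NoClassDefFoundError in the question names com/fasterxml/jackson/core/util/JacksonFeature, a class that ships in jackson-core from 2.12 onward, so a useful check is whether every jackson-core jar the job loads contains it and whether the Jackson jars share one release line. The script scans a directory of jars for that; the directory argument and the `<artifact>-<version>.jar` naming scheme are assumptions.

```python
import re
import sys
import zipfile
from pathlib import Path

# Class named in the NoClassDefFoundError from the question.
MISSING_CLASS = "com/fasterxml/jackson/core/util/JacksonFeature.class"
# Assumed naming scheme: <artifact>-<version>.jar, e.g. jackson-core-2.11.4.jar
JAR_NAME = re.compile(r"^(jackson-(?:core|databind|annotations))-(\d+\.\d+(?:\.\d+)?[\w.-]*)\.jar$")


def scan_jars(lib_dir):
    """Return one record per Jackson jar found under lib_dir (recursive)."""
    records = []
    for jar in sorted(Path(lib_dir).rglob("*.jar")):
        m = JAR_NAME.match(jar.name)
        if not m:
            continue
        try:
            with zipfile.ZipFile(jar) as zf:
                has_class = MISSING_CLASS in zf.namelist()
        except zipfile.BadZipFile:
            has_class = None  # unreadable jar: report it rather than skip it
        records.append({"path": str(jar), "artifact": m.group(1),
                        "version": m.group(2), "has_class": has_class})
    return records


def find_problems(records):
    """Flag jackson-core jars lacking the class, and mixed major.minor lines."""
    problems = []
    for r in records:
        if r["artifact"] == "jackson-core" and r["has_class"] is not True:
            problems.append(f"{r['path']}: jackson-core without JacksonFeature")
    minors = {}
    for r in records:
        minor = ".".join(r["version"].split(".")[:2])
        minors.setdefault(minor, set()).add(r["artifact"])
    if len(minors) > 1:
        found = ", ".join(f"{k} ({'/'.join(sorted(v))})" for k, v in sorted(minors.items()))
        problems.append(f"mixed Jackson release lines: {found}")
    return problems


if __name__ == "__main__":
    # Usage: python check_jackson.py <directory containing the job's jars>
    recs = scan_jars(sys.argv[1] if len(sys.argv) > 1 else ".")
    for line in find_problems(recs) or ["no Jackson mismatch found"]:
        print(line)
```

Run it against the folder that holds the jars of the built job (and any shared library folder) after swapping the databind jar; a jackson-core left on an older release line than jackson-databind shows up in both checks.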

Anonymous
Not applicable

Could you share the full exception?

I don't think Oracle uses AVRO at all but your stacktrace does include that.

Likely you have an Oracle to Avro flow and since the function generated by Talend is called tOracleInput_1 it makes you believe Oracle is at fault, but any component in that flow could trigger the exception and all will point towards: tOracleInput_1 had an exception.