Will the mitigation provided for Talend Studio for Log4j, "-Dlog4j2.formatMsgNoLookups=true", work for Talend Open Studio 7.3, or is there any other way that helps to mitigate the issue in TOS?
Hello,
Regarding this response (Publication Date: December 22, 2021): https://www.talend.com/security/incident-response/, remediation for Talend Open Source is not in scope. We are trying to work on remediation for Talend Open Studio and will come back to you as soon as possible.
Best regards
Sabrina
If I download the V8.0.1 Talend Open Studio and migrate my jobs from 7.3.1 to the latest one, will it fix the issue?
Hello,
I’m afraid the Talend 8 version was released prior to the vulnerability being revealed.
Best regards
Sabrina
Thanks Sabrina. My IT Security Team asked me to look into the R2021-12 (cumulative patch). Is this patch applicable for Talend Open Studio For Data Integration (7.3.1.20200219_1130)?
We are using the Open Studio and we have our production go-live in 15 days.
Could you please confirm what options we have at this time to fix the log4j issues for this?
Thanks in advance for your quick response.
Hello,
We do not supply patches for the Open Studio releases. Patches are specific to Talend Service, the version of the Talend Service, the severity of the risk, and other mitigating controls Talend maintains.
You can find mitigation instructions for existing products here….
Publication Date: December 23, 2021: https://www.talend.com/security/incident-response/
As remediation for Talend Open Source is not in scope, we have already escalated it to our IT security team to see if there is any graceful workaround and solution for Talend Open Studio, and will then come back to you as soon as possible.
Best regards
Sabrina
Hi,
Any news for Talend Open Studio 7.3 or 8.0?
When will it come into your scope?
In the meantime, is there a way for us to prevent TOS from including vulnerable log4j jar files in our builds (TOS does so even when log4j is not enabled for a project!)?
Thanks in advance for your help.
Hello,
We’re working on updating TOS with the Log4j fix and will keep you updated on your issue.
Meanwhile, the mitigation steps that we have described in the Talend Help (incident response) apply to TOS as well.
https://www.talend.com/security/incident-response/
Best regards
Sabrina
Hello,
The mitigation steps are now located on help.talend.com: https://document-link.us.cloud.talend.com/talend_log4j2_cve_statement?lang=en&version=latest&env=prd
This provides all the workarounds for Studio.
Best regards
Sabrina
For Talend Open Studio 7.3 or 8.0, are the proposed mitigation steps essential when our project properties don't use log4j (check box not checked)? I know we still have all the jar files generated anyway.
Thanks in advance for the help.