Jlucas
Contributor

Talend Open Studio: Release Schedule

Hi Community,

I am working with Talend Open Studio for Windows. I am trying to address CVE-2022-42889.

I was wondering, is there any way to know when the next release of Open Studio will be released, one in which this vulnerability is addressed by having an upgraded jar?

I tried upgrading the Apache Commons Text jar myself, but my jobs will no longer build and produce an error for a missing class path. Is there a way to resolve this if there are no recent Open Studio releases coming?

Thank you
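Before replacing any jar by hand, it is worth knowing which commons-text versions are actually present: CVE-2022-42889 affects 1.5 through 1.9, and 1.10.0 is the first release that disables the script, dns and url lookups by default. The following is an added example, not Talend's code and not from this thread: a small Java program that walks a directory tree (an Open Studio install, a built job's lib folder, or a workspace) and reports every commons-text jar with its version from the manifest, falling back to the file name. The directory argument and the output wording are assumptions for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;
import java.util.jar.JarFile;
import java.util.jar.Manifest;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;

/**
 * Added example (not Talend's code): find every commons-text jar under a
 * directory and say whether its version is in the CVE-2022-42889 range.
 */
public class CommonsTextAudit {

    // Version embedded in a file name such as commons-text-1.9.jar or commons-text-1.10.0-sources.jar
    private static final Pattern NAME_VERSION =
            Pattern.compile("commons-text-(\\d+(?:\\.\\d+)*).*\\.jar$");

    /** Version from the jar manifest (Implementation-Version, then Bundle-Version), else from the file name. */
    static String versionOf(Path jar) throws IOException {
        try (JarFile jf = new JarFile(jar.toFile())) {
            Manifest mf = jf.getManifest();
            if (mf != null) {
                String v = mf.getMainAttributes().getValue("Implementation-Version");
                if (v == null) v = mf.getMainAttributes().getValue("Bundle-Version");
                if (v != null) return v.trim();
            }
        }
        Matcher m = NAME_VERSION.matcher(jar.getFileName().toString());
        return m.find() ? m.group(1) : "unknown";
    }

    /** Compares a dotted version string against reference components; missing components count as 0. */
    static int compare(String version, int... ref) {
        String[] parts = version.split("[^0-9]+");
        for (int i = 0; i < ref.length; i++) {
            int n = (i < parts.length && !parts[i].isEmpty()) ? Integer.parseInt(parts[i]) : 0;
            if (n != ref[i]) return n < ref[i] ? -1 : 1;
        }
        return 0;
    }

    /** Maps a version to a verdict for CVE-2022-42889 (affected range 1.5 to 1.9, fixed in 1.10.0). */
    static String verdict(String version) {
        if (version.equals("unknown")) return "UNKNOWN version, inspect manually";
        if (compare(version, 1, 10, 0) >= 0) return "OK (>= 1.10.0, CVE-2022-42889 fixed)";
        if (compare(version, 1, 5) >= 0) return "AFFECTED (1.5-1.9 ship script/dns/url lookups enabled by default)";
        return "predates the affected lookups (< 1.5)";
    }

    public static void main(String[] args) throws IOException {
        // Assumed usage: java CommonsTextAudit "C:\Talend\TOS_DI"  (defaults to the current directory)
        Path root = Paths.get(args.length > 0 ? args[0] : ".");
        List<Path> jars;
        try (Stream<Path> files = Files.walk(root)) {
            jars = files.filter(p -> p.getFileName().toString().startsWith("commons-text-")
                                  && p.getFileName().toString().endsWith(".jar"))
                        .collect(Collectors.toList());
        }
        if (jars.isEmpty()) {
            System.out.println("No commons-text jars found under " + root.toAbsolutePath());
        }
        for (Path jar : jars) {
            String v = versionOf(jar);
            System.out.printf("%-70s %-8s %s%n", jar, v, verdict(v));
        }
    }
}
```

The manifest is preferred over the file name because a renamed or re-bundled jar keeps its manifest. A job's build output is a separate tree from the Studio install, so run the audit against both: the jar the Studio ships is not necessarily the one a deployed job carries.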

3 Replies
Anonymous

Hello,

Talend is aware of and monitoring the CVE-2022-42889 (Apache Commons Text, aka Text4Shell) security vulnerability.

Mitigations for the vulnerability were implemented in Talend Cloud on October 20, 2022, with no observed impact as a result of the vulnerability prior to implementing the mitigations.

Talend is scoping the remediation efforts throughout its Product portfolio and is in the process of developing the code fix to address the impacted Products.

Please see https://www.talend.com/security/incident-response/

I’m afraid we do not supply patches for the Open Studio releases. We only provide patches for our subscription products.

We will keep you posted as long as there is any information about the next release of Open Studio.

Really sorry for the inconvenience.

Best regards

Sabrina


Jlucas
Contributor (Author)

Thanks for the response, xdshi!

Ah, I understand; that is unfortunate. Do you have any documentation on how to properly update the Apache Commons jar in Open Studio?

Anonymous

Hello,

So far, there is no documentation for updating the Apache Commons jar.

Please find the latest information on CVE-2022-42889

https://www.talend.com/security/incident-response/#CVE-2022-42889

The Apache Security team have released a statement to clarify the impact of CVE-2022-42889: https://blogs.apache.org/security/entry/cve-2022-42889

"This issue is different from Log4Shell (CVE-2021-44228) because in Log4Shell, string interpolation was possible from the log message body, which commonly contains untrusted input. In the Apache Common Text issue, the relevant method is explicitly intended and clearly documented to perform string interpolation, so it is much less likely that applications would inadvertently pass in untrusted input without proper validation."

Best regards

Sabrina
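The Apache statement quoted above comes down to one question for a Java code base: does any code build a StringSubstitutor with the default interpolator lookups and feed it a template that an outsider can influence? The following is an added example, not Talend's code and not part of this thread, showing that call pattern next to a hardening that works even while the jar stays at 1.5 through 1.9: instead of the default interpolator, the substitutor is built from an explicit allow-list of lookups with addDefaultLookups set to false, so the script, dns and url lookups are never installed. It assumes commons-text (any 1.x release from 1.5 onward) on the classpath; the variable names, the sample templates and the allow-list contents are constructed for illustration.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/**
 * Added example (not Talend's code): the CVE-2022-42889 call pattern and a
 * hardening that does not depend on upgrading the commons-text jar.
 */
public class InterpolationHardening {

    // Lookup prefixes that leave the process: evaluate a script, resolve DNS, fetch a URL.
    private static final String[] DANGEROUS_PREFIXES = {"script:", "dns:", "url:"};

    /** Vulnerable on 1.5-1.9: the default interpolator resolves ${script:...}, ${dns:...} and ${url:...}. */
    static String expandUnsafe(String template, Map<String, String> vars) {
        StringLookup everything = StringLookupFactory.INSTANCE.interpolatorStringLookup(vars);
        return new StringSubstitutor(everything).replace(template);
    }

    /** Hardened: only an explicit allow-list of lookups plus the caller's own variable map. */
    static String expandSafe(String template, Map<String, String> vars) {
        StringLookupFactory f = StringLookupFactory.INSTANCE;
        Map<String, StringLookup> allowed = new HashMap<>();   // assumed allow-list for this example
        allowed.put("sys", f.systemPropertyStringLookup());
        allowed.put("date", f.dateStringLookup());
        // addDefaultLookups = false: script/dns/url and every other built-in stay unreachable,
        // whatever the jar version. Unknown prefixes fall through to the map and stay unresolved.
        StringLookup restricted = f.interpolatorStringLookup(allowed, f.mapStringLookup(vars), false);
        return new StringSubstitutor(restricted).replace(template);
    }

    /**
     * Input check for templates that must be accepted from untrusted sources.
     * Commons Text lower-cases the prefix before matching, so compare case-insensitively.
     */
    static boolean containsDangerousLookup(String template) {
        String t = template.toLowerCase(Locale.ROOT);
        for (String prefix : DANGEROUS_PREFIXES) {
            if (t.contains("${" + prefix)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        Map<String, String> vars = new HashMap<>();
        vars.put("job", "tLoadCustomers");   // constructed variable

        // Constructed inputs: one benign template, one shaped like a Text4Shell probe.
        String benign = "Job ${job} ran in ${date:yyyy}";
        String probe = "Job ${job} ${script:javascript:1+1}";

        System.out.println(expandSafe(benign, vars));         // Job tLoadCustomers ran in <current year>
        System.out.println(expandSafe(probe, vars));          // ${script:...} is left as-is, nothing is evaluated
        System.out.println(containsDangerousLookup(probe));   // true
        System.out.println(containsDangerousLookup(benign));  // false

        // expandUnsafe(probe, vars) is deliberately not called here: on commons-text 1.5-1.9 with a
        // JSR-223 engine available it would hand the payload to the script engine.
    }
}
```

Two things to keep in mind when applying this. The allow-list approach only protects code you control; a vendor jar that calls createInterpolator() internally still needs the vendor's fix or the 1.10.0 jar. And the prefix check is a defence in depth for inputs that must be accepted, not a replacement for never interpolating untrusted text in the first place, which is the point of the Apache statement quoted above.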