Hi,
We are using Talend version 6.2.1 (20160704_1411) running on our local servers.
As a precautionary measure we need to update the log4j library to avoid the recent exploit named CVE-2021-44228.
Can anyone tell me what measures can be taken to update log4j to
Log4j 2.15.0, or to apply the recommended mitigations immediately?
Hi, this is also the case for Talend 7.2.1.
Found the exploit in the following modules
Any follow-up from the Talend team would be greatly appreciated
After trying the mitigation solution, the runtime is still permitting a canarytoken from being accessed.
Thanks
Hello, is there any update to this thread?
Hi All,
I am also very interested in a solution to this.
Has anybody tried to replace the log4j jar in the lib folder?
I can see all other major providers have sent a respective security bulletin, however, no such communication has been received from Talend.
Thanks
According to the message posted on the Talend Case Management Tool:
ALERT: CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.
Our Security team is aware of the recently reported CVE-2021-44228 and is working towards a permanent fix.
Talend Cloud Applications are configured to block exploits against this threat and thus will not be affected by this CVE.
For any on-prem Talend applications such as Remote Engines, TAC, and Studio, customers may add the following flag, "-Dlog4j2.formatMsgNoLookups=true", to the TAC, Studio and Remote Engine.
If you need assistance on how to set this flag, please contact technical support.
Hello,
There is a related support case, 00245507. Our team has been made aware of the vulnerability at this time, and is currently in the process of identifying all modules in Talend affected and working on a fix for the issue at hand.
In the meantime, for your Studio, TAC, and Jobserver, there is an interim solution that may help block those exploits. The following flag, "-Dlog4j2.formatMsgNoLookups=true", can be added to those modules; it should disable the libraries in Log4j that are in the scope of the risk.
For the Studio, it can be added at the bottom of the ini file; once added, save and restart the Studio, and the JVM flag will be applied.
For your TAC, it would need to be added to the "setenv.sh" script in the "<TAC Folder>/apache-tomcat/bin" folder, as an additional parameter in the JAVA_OPTS section.
In the Jobserver, that flag can be added to the service, which should apply for all jobs. More information can be found here:
Please review these items, try these steps out, and let us know if it is OK with you.
Best regards
Sabrina
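Before adding the flag it is worth knowing which Log4j builds are actually present, because the thread spans installs from 6.2.1 to 7.2.1 and the flag only has an effect on Log4j 2.10 and later. The script below is an added example, not Talend's code: it walks an install directory, finds every log4j-core-2.x.y.jar and log4j-1.x.y.jar, checks whether JndiLookup.class is inside, and reports which mitigation applies. The directory tree it scans is constructed inline; the paths and version numbers are made up for the demonstration and do not describe what any Talend release ships.

```python
"""Added example (not Talend's code): walk an install tree, find every log4j
jar, and report which CVE-2021-44228 mitigation applies to it."""
import os
import re
import tempfile
import zipfile

# The class that makes ${jndi:...} message lookups possible in log4j 2.x.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Matches log4j-core-2.x.y.jar (log4j 2) and log4j-1.x.y.jar (log4j 1).
JAR_RE = re.compile(r"^log4j(?:-core)?-(\d+)\.(\d+)\.(\d+)\.jar$")

FLAG_FIRST_SUPPORTED = (2, 10, 0)   # log4j2.formatMsgNoLookups exists from 2.10
FIXED_FROM = (2, 15, 0)             # first release that closed CVE-2021-44228


def assess_jar(path):
    """Classify one jar. Returns (version tuple or None, has_jndi, verdict)."""
    m = JAR_RE.match(os.path.basename(path))
    version = tuple(int(x) for x in m.groups()) if m else None
    with zipfile.ZipFile(path) as zf:
        has_jndi = JNDI_LOOKUP in zf.namelist()
    if version is None:
        verdict = "unknown log4j version, inspect manually"
    elif version[0] < 2:
        verdict = "log4j 1.x, CVE-2021-44228 does not apply"
    elif version >= FIXED_FROM:
        verdict = "fixed release, no action for CVE-2021-44228"
    elif not has_jndi:
        verdict = "JndiLookup.class already removed, mitigated"
    elif version >= FLAG_FIRST_SUPPORTED:
        verdict = ("vulnerable: -Dlog4j2.formatMsgNoLookups=true applies, "
                   "removing JndiLookup.class is the stronger fix")
    else:
        verdict = ("vulnerable: too old for formatMsgNoLookups, "
                   "remove JndiLookup.class or upgrade")
    return version, has_jndi, verdict


def scan_tree(root):
    """Return {relative path (with / separators): verdict} for every log4j jar under root."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if JAR_RE.match(name):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                results[rel] = assess_jar(full)[2]
    return results


def make_jar(path, with_jndi):
    """Write a minimal stand-in jar (constructed test data, not a real log4j build)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # fake class bytes
        else:
            zf.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class",
                        b"\xca\xfe\xba\xbe")


def build_sample_install():
    """Constructed directory tree imitating a mixed install; paths are invented."""
    root = tempfile.mkdtemp(prefix="talend-log4j-")
    make_jar(os.path.join(root, "studio", "plugins", "log4j-core-2.11.1.jar"), True)
    make_jar(os.path.join(root, "tac", "lib", "log4j-core-2.8.2.jar"), True)
    make_jar(os.path.join(root, "jobserver", "lib", "log4j-core-2.11.1.jar"), False)
    make_jar(os.path.join(root, "legacy", "lib", "log4j-1.2.17.jar"), False)
    make_jar(os.path.join(root, "re", "lib", "log4j-core-2.17.1.jar"), True)
    return root


if __name__ == "__main__":
    root = build_sample_install()
    for rel, verdict in sorted(scan_tree(root).items()):
        print(f"{rel}: {verdict}")
```

Two caveats a practitioner should keep in mind when reading the verdicts. The log4j2.formatMsgNoLookups property is only honoured by Log4j 2.10 and later, so on an older 2.x jar the flag silently does nothing; and the Apache Log4j security page later documented that the flag is not a complete mitigation (CVE-2021-45046) and recommended, where upgrading is not possible, deleting the class from the jar with "zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class". A canary token that still fires after the flag has been set, as reported earlier in this thread, is consistent with a jar older than 2.10 or with a JVM that was not restarted with the new option.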
Hi. Can I just confirm that the ini file this needs to be added to is the main Studio ini file, e.g. ..\TalendStudio\Talend-Studio-win-x86_64.ini?
Thanks
Steve
How do you add the setting to a Remote Engine?
I have asked Talend Support the same thing, but am awaiting a reply. We use two on-prem remote engines, so need to know if I have to make changes.
It depends on how you run the Remote Engine. When using a Windows service to run the software, add the JVM parameter in <RemoteEngineSoftware>/etc/Talend*wrapper.conf in the JVM parameters section as an extra one, similar to the screenshot below. Your conf file may have a different name and/or more settings in it, depending on how you installed and configured the wrapper originally.
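The three file formats mentioned in this thread (the Studio .ini, Tomcat's setenv.sh for the TAC, and the service wrapper.conf for the Remote Engine or Jobserver) each take JVM options differently, and the flag is easy to add twice or to put in a place the launcher ignores. The script below is an added example, not Talend's or Tomcat's code: it adds -Dlog4j2.formatMsgNoLookups=true to each format idempotently and shows what the resulting lines look like. It assumes the Eclipse launcher convention that JVM options follow -vmargs, and the Java Service Wrapper convention of numbered wrapper.java.additional.N entries; the three sample files are constructed inline and are far shorter than real ones.

```python
"""Added example (not Talend's or Tomcat's code): put -Dlog4j2.formatMsgNoLookups=true
into the three launcher configs named in this thread without duplicating it."""
import os
import re
import tempfile

FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def read_text(path):
    with open(path, encoding="utf-8") as f:
        return f.read()


def write_text(path, text):
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)


def add_to_studio_ini(path):
    """Studio: Eclipse launcher .ini, one argument per line. JVM options must
    follow -vmargs, so appending at the end (as support suggests) is correct."""
    lines = read_text(path).splitlines()
    if FLAG in lines:
        return False                      # already present, nothing to do
    if "-vmargs" not in lines:
        lines.append("-vmargs")           # without it the launcher treats it as a program arg
    lines.append(FLAG)
    write_text(path, "\n".join(lines) + "\n")
    return True


def add_to_setenv_sh(path):
    """TAC: Tomcat's bin/setenv.sh. Extend an existing JAVA_OPTS="..." line, or
    append one that keeps whatever JAVA_OPTS the environment already had."""
    text = read_text(path) if os.path.exists(path) else ""
    if FLAG in text:
        return False
    m = re.search(r'^([ \t]*(?:export[ \t]+)?JAVA_OPTS=")([^"]*)("[ \t]*)$', text, re.M)
    if m:
        current = m.group(2).strip()
        merged = f"{current} {FLAG}" if current else FLAG
        text = text[:m.start()] + m.group(1) + merged + m.group(3) + text[m.end():]
    else:
        if text and not text.endswith("\n"):
            text += "\n"
        text += f'export JAVA_OPTS="$JAVA_OPTS {FLAG}"\n'
    write_text(path, text)
    return True


def add_to_wrapper_conf(path):
    """Remote Engine / Jobserver run as a service: Java Service Wrapper style
    wrapper.conf (assumed Tanuki syntax), where each JVM argument is a numbered
    wrapper.java.additional.N entry. Numbering must stay contiguous, so use max+1
    and keep the new entry next to the existing ones."""
    lines = read_text(path).splitlines()
    entry = re.compile(r"^\s*wrapper\.java\.additional\.(\d+)\s*=\s*(.*?)\s*$")
    found = [(i, int(m.group(1)), m.group(2)) for i, l in enumerate(lines)
             for m in [entry.match(l)] if m]
    if any(val == FLAG for _, _, val in found):
        return False
    next_n = max((n for _, n, _ in found), default=0) + 1
    insert_at = max((i for i, _, _ in found), default=len(lines) - 1) + 1
    lines.insert(insert_at, f"wrapper.java.additional.{next_n}={FLAG}")
    write_text(path, "\n".join(lines) + "\n")
    return True


def build_sample_configs():
    """Constructed stand-ins for the three files; real ones carry many more settings."""
    root = tempfile.mkdtemp(prefix="talend-cfg-")
    ini = os.path.join(root, "Talend-Studio-win-x86_64.ini")
    write_text(ini, "-vm\njre/bin\n-vmargs\n-Xms512m\n-Xmx4096m\n")
    setenv = os.path.join(root, "setenv.sh")
    write_text(setenv, '#!/bin/sh\nexport JAVA_OPTS="-Xms256m -Xmx1024m"\n')
    wrapper = os.path.join(root, "wrapper.conf")
    write_text(wrapper, "wrapper.java.command=java\n"
                        "wrapper.java.additional.1=-Dkaraf.home=.\n"
                        "wrapper.java.additional.2=-Xmx1024m\n"
                        "wrapper.logfile=wrapper.log\n")
    return ini, setenv, wrapper


def apply_all(ini, setenv, wrapper):
    """Returns which files changed; a second run returns all False (idempotent)."""
    return {"studio": add_to_studio_ini(ini),
            "tac": add_to_setenv_sh(setenv),
            "wrapper": add_to_wrapper_conf(wrapper)}


if __name__ == "__main__":
    paths = build_sample_configs()
    print("first run :", apply_all(*paths))
    print("second run:", apply_all(*paths))
    for p in paths:
        print(f"--- {os.path.basename(p)}\n{read_text(p)}")
```

Whichever file you edit, the process has to be restarted before the option is in effect, and the only reliable confirmation is to look at the running JVM's arguments (for example with jcmd <pid> VM.flags or by checking the process command line) rather than at the file. Editing the file by hand is fine too; the point of the script is the three rules it encodes: after -vmargs in the .ini, inside the quoted JAVA_OPTS value in setenv.sh, and as the next contiguous wrapper.java.additional.N line in wrapper.conf.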