YPMAL
Contributor III

Log4j bug CVE-2021-44228 - Urgently need to update log4j libraries for deployed jobs from Talend 6.2.1

Hi,

We are using Talend version 6.2.1 (20160704_1411), running on our local servers.

As a precautionary measure, we need to update the log4j library to avoid the recent exploit named CVE-2021-44228.

Can anyone tell me what measures can be taken to update log4j to Log4j 2.15.0, or to apply the recommended mitigations immediately?

79 Replies
welshsteve
Creator

Thanks @Diaz Smiedts, I will give that a go. I presume the Windows service should be restarted once this change has been made?

DOliva
Contributor

Is the workaround also applicable to Talend ESB 7.2.1 (TOS_ESB-20190620_1446-V7.2.1)?

In the setenv we added

SET EXTRA_JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true

Thanks

DSM_Daimler
Contributor

Indeed, a service restart is required for the changes to take effect.

aksharma
Contributor II

The configuration you mention seems not to be recommended by many security companies. Do you have any update on when we will be getting the permanent fix (this week, next week, or next month), so that we can plan properly?

MGreenslade1621434850
Contributor III

Should we see some difference in the build we output from TOS if we add this to the ini? There isn't any difference in the Project Settings log4j pane after restarting, and log4j-1.2.17.jar is still in the libs folder of the output.

How can we be sure this has done something? We are using TOS 7.4.1 on macOS Big Sur.

Isabel_R
Contributor

Is this solution also applicable when using 1.x versions of log4j? If not, are there other actions to take?

Thanks in advance.

DSM_Daimler
Contributor

In my opinion, the ini file change affects your local executions from within Studio only. If you don't have a JobServer or Remote Engine setup and use TOS, I think you need to add the same JVM parameter in Run > Advanced settings: enable "Use specific JVM arguments" and add the -Dxxx setting as a new entry.
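
MGreenslade asks above how to tell whether the change did anything while log4j-1.2.17.jar still sits in the output's lib folder, and Isabel_R asks whether the flag matters for log4j 1.x. As an added example that is not from this thread or from Talend, the POSIX shell script below inventories the log4j jars in a build's lib directory, classifies each by version against CVE-2021-44228, and checks a setenv/ini file for the JVM flag; it assumes the usual log4j-<module>-<major>.<minor>[.<patch>].jar naming, and the jar names and setenv line in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from this thread or from Talend: inventory the log4j jars in a
# Talend build/lib directory and check a setenv/ini file for the JVM flag.
# Assumes jar names follow the usual log4j-<module>-<major>.<minor>[.<patch>].jar pattern.

# classify_log4j_jar <jar path>: prints one word describing CVE-2021-44228 exposure.
#   not-affected : log4j 1.x has no JNDI message lookup (it is end-of-life, though)
#   vulnerable   : log4j 2.0 to 2.9.x ignore formatMsgNoLookups; only an upgrade helps
#   mitigable    : log4j 2.10 to 2.14.x honour -Dlog4j2.formatMsgNoLookups=true
#                  (partial mitigation, later found insufficient by the project; still upgrade)
#   fixed        : log4j 2.15.0 or later
classify_log4j_jar() {
    name=$(basename "$1" .jar)
    # take the last "-<digits>.<digits>" fragment, e.g. "2.11" from log4j-core-2.11.1
    ver=$(printf '%s\n' "$name" | sed -n 's/.*-\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    major=${ver%%.*}
    minor=${ver#*.}
    case "$major" in
        1) echo not-affected ;;
        2) if [ "$minor" -ge 15 ]; then echo fixed
           elif [ "$minor" -ge 10 ]; then echo mitigable
           else echo vulnerable
           fi ;;
        *) echo unknown ;;
    esac
}

# jvm_has_nolookups <file>: succeeds if the file sets -Dlog4j2.formatMsgNoLookups=true
jvm_has_nolookups() {
    grep -qF -- '-Dlog4j2.formatMsgNoLookups=true' "$1"
}

# scan_libs <dir>: one line per log4j jar, "<classification> <path>"
scan_libs() {
    find "$1" -name 'log4j*.jar' 2>/dev/null | sort | while read -r jar; do
        printf '%s %s\n' "$(classify_log4j_jar "$jar")" "$jar"
    done
}

# Constructed demo input (empty files with realistic names, not a real Talend install).
demo=$(mktemp -d)
for j in log4j-1.2.17.jar log4j-core-2.11.1.jar log4j-api-2.15.0.jar; do : > "$demo/$j"; done
printf 'SET EXTRA_JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true\n' > "$demo/setenv.bat"
scan_libs "$demo"
jvm_has_nolookups "$demo/setenv.bat" && echo "formatMsgNoLookups is set in $demo/setenv.bat"
rm -rf "$demo"
```

Point scan_libs at the lib folder of a built job and jvm_has_nolookups at the Studio ini or server setenv file; a "vulnerable" or "mitigable" line means the jar itself still needs replacing regardless of the flag.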

MGreenslade1621434850
Contributor III

Yes, that's our scenario (no remote engine). If someone from Talend could confirm this fix resolves the issue, that would be really helpful.

Also, a link to the issue on the Talend Case Management Tool would be very useful for tracking this.

Anonymous
Not applicable

Looking for the same answer for the runtime and remote engine.

KBjorndahl
Contributor

So, is there no interim solution for the runtime server? You only describe Studio, TAC, and JobServer.