Hi,
We are using Talend version 6.2.1 (20160704_1411), running on our local servers.
As a precautionary measure we need to update the log4j library to avoid the recent exploit, CVE-2021-44228.
Can anyone tell me what measures can be taken to update log4j to Log4j 2.15.0, or to apply the recommended mitigations immediately?
Thanks @Diaz Smiedts I will give that a go. I presume the Windows service should be restarted once this change has been made?
Is the workaround also applicable for Talend ESB 7.2.1 (TOS_ESB-20190620_1446-V7.2.1)?
In the setenv we added
SET EXTRA_JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true
Thanks
Indeed, a service restart is required for the changes to go into effect.
The configuration which you mention seems not to be recommended by many security companies. Do you have any update on when we will be getting the permanent fix (this week, next week or next month), so that we can plan properly?
Should we see some difference to the build we output from TOS if we add this to the ini? There isn't any difference in the Project Settings log4j pane after restarting. And log4j-1.2.17.jar is still in the libs folder of the output.
How can we be sure this has done something? We are using TOS 7.4.1 on macOS Big Sur.
Is this solution also applicable when using 1.X versions of log4j? If not, are there other actions to take?
Thanks in advance.
In my opinion, the ini file change impacts your local executions from within Studio only. If you don't have a jobserver or remote-engine setup and use TOS, I think you need to add the same JVM param in Run > Advanced settings: enable "Use specific JVM arguments" and add the -Dxxx setting as a new entry.
Yes, that's our scenario (no remote engine). If someone from Talend could confirm this fix resolves the issue, that would be really helpful.
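One way to answer the "how can we be sure" and "does this apply to log4j 1.x" questions above is to audit the jars a build actually ships and relate them to the JVM flag. This is an added example, not Talend code or anything posted in this thread; it assumes jars are plain zip files (they are) and that the version can be read from the jar's Maven pom.properties or its file name. `build_jar` only constructs sample jars for the test; on a real exported job you pass (file name, path) pairs from its lib folder.

```python
"""Audit log4j jars shipped with a Talend build for CVE-2021-44228 (added example, not Talend code)."""
import io
import re
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FLAG = "-Dlog4j2.formatMsgNoLookups=true"   # the setenv / ini / Run > Advanced settings flag
FIXED = (2, 15, 0)   # threshold taken from this thread; raise it to whatever your current advisory requires


def build_jar(entries):
    """Constructed sample jar for testing: {entry name: bytes} -> in-memory zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    buf.seek(0)
    return buf


def version_of(jar, file_name):
    """Version tuple from pom.properties, falling back to the file name (e.g. log4j-core-2.11.1.jar)."""
    text = jar.read(POM_PROPS).decode() if POM_PROPS in jar.namelist() else ""
    m = re.search(r"version=(\d+\.\d+\.\d+)", text) or re.search(r"(\d+\.\d+\.\d+)", file_name)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def classify_jar(source, file_name):
    """Return 'log4j1', 'ok', 'mitigable' or 'vulnerable' for one jar (path or file-like object)."""
    with zipfile.ZipFile(source) as jar:
        names = set(jar.namelist())
        if LOG4J1_MARKER in names:
            return "log4j1"       # 1.x has no message lookups: CVE-2021-44228 and the flag do not apply
        if JNDI_LOOKUP not in names:
            return "ok"           # JndiLookup.class absent (removed, or not a log4j-core jar at all)
        v = version_of(jar, file_name)
        if v and v >= FIXED:
            return "ok"
        # formatMsgNoLookups is only honoured from 2.10.0; older cores need JndiLookup.class removed
        return "mitigable" if v and v >= (2, 10, 0) else "vulnerable"


def audit(jars, jvm_opts=""):
    """Verdict per (file name, source); 'mitigable' becomes 'mitigated' when FLAG is in jvm_opts."""
    flag_set = FLAG in jvm_opts.split()
    report = {}
    for file_name, source in jars:
        verdict = classify_jar(source, file_name)
        report[file_name] = "mitigated" if verdict == "mitigable" and flag_set else verdict
    return report
```

A `log4j1` verdict (the log4j-1.2.17.jar mentioned above) means the flag did nothing for that jar because 1.x never had the lookup feature; a `vulnerable` verdict means the flag is not enough for that jar.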
Also a link to the issue on the Talend Case Management Tool would be very useful for tracking this.
Looking for the same answer - runtime and remote engine.
So, is there no interim solution for the runtime server? You only describe Studio, TAC, and Jobserver.