Skip to main content
Announcements
Join us at Qlik Connect for 3 magical days of learning, networking,and inspiration! REGISTER TODAY and save!
cancel
Showing results for 
Search instead for 
Did you mean: 
YPMAL
Contributor III
Contributor III

log 4j bug CVE-2021-44228- Urgently need to update log4j libraries for deployed jobs from talend 6.2.1

Hi,

We are using Talend 6.2.1 20160704_1411 version of talend running on our local servers.

As precautionary measure we need to update log4j library to avoid recent exploit named as CVE-2021-44228.

Can anyone tell me what measure can be taken to update log4j to

 Log4j 2.15.0 or apply the recommended mitigations immediately ?

79 Replies
welshsteve
Creator
Creator

Thanks @Diaz Smiedts​ I will give that a go. I presume the Windows service should be restarted once this change has been made?

DOliva
Contributor
Contributor

The workaround is also applicable for the Talend ESB 7.2.1 (TOS_ESB-20190620_1446-V7.2.1) ?

In the setenv we added

SET EXTRA_JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true

Thanks

DSM_Daimler
Contributor
Contributor

indeed, service restart is required for the changes to go into effect.

aksharma
Contributor II
Contributor II

The configuration which you mention seems to be not recommnded by the many securities companies.Do you have any update when will be getting the permanent fix this week next week or next month so that we can plan properly

MGreenslade1621434850
Contributor III
Contributor III

Should we see some difference to the build we output from TOS if we add this to the ini? There isn't any difference in the Project Settings log4j pane after restarting. And log4j-1.2.17.jar is still in the libs folder of the output.

 

How can we be sure this has done something. We are using TOS 7.4.1 on MacOS Big Sur.

Isabel_R
Contributor
Contributor

This solution is also applicable when using 1.X versions of log4j? If not there is other actions to do?

 

Thanks in advance.

DSM_Daimler
Contributor
Contributor

In my opinion the ini file change impacts your local executions from within Studio only. If you don't have a jobserver or remote-engine setup and use TOS, I think you need to add the same JVM param in the Run > Advanced settings. Enable the "Use specific JVM arguments" and add the -Dxxx setting into a new entry

MGreenslade1621434850
Contributor III
Contributor III

Yes thats our scenario - no remote engine - if someone from Talend could confirm this fix resolves the issue please thats really helpful.

 

Also a link to the issue on the Talend Case Management Tool would be very useful for tracking this.

Anonymous
Not applicable

Looking for the same answer - runtime and remote engine.

KBjorndahl
Contributor
Contributor

So, is there no interim solution for the runtime server? You only describe Studio, Tac, and Jobserver