Hi,
We are using Talend version 6.2.1 (20160704_1411), running on our local servers.
As a precautionary measure we need to update the log4j library to avoid the recent exploit named CVE-2021-44228.
Can anyone tell me what measures can be taken to update log4j to Log4j 2.15.0 or apply the recommended mitigations immediately?
Please note that there are some doubts being raised about the reliability of the performed workaround: https://nvd.nist.gov/vuln/detail/CVE-2021-45046
Kindly advise.
@DSM_Daimler: You are right! Setenv.sh or .bat is irrelevant if a wrapper is used.
But in the actual catalina...log you can see whether the parameter was loaded at TAC startup 😉
Good hint, @Reinier Battenberg! I think other Talend services may be affected in the same way (Talend-Nexus, Talend-Logserver (logstash) ...)
Sad that Talend does not give more hints here...
/bump
https://nvd.nist.gov/vuln/detail/CVE-2021-45046 has stated:
Note that previous mitigations involving configuration such as to set the system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this specific vulnerability.
I just received an email from Talend support saying to implement this fix, which contradicts the above?
I understood the NIST publication to mean that implementing the fix for Log4Shell would mitigate the remote execution vulnerability, but it does not prevent the attacker from exploiting JNDI, so that they could still launch a distributed denial-of-service attack.
So that means the suggestion only mitigates part of the issue? I guess it's less of an issue if you have DDoS prevention at your WAN/Firewall before something gets in - but it's still a hole that is unacceptable to my security team.
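Added example, not code from this thread or from Talend: a small offline checker that reads the log4j-core version from a jar's pom.properties and whether JndiLookup.class is still present, then maps the result onto the two CVEs discussed above. The sample jar it builds is constructed, and the statement that 2.16.0 addressed CVE-2021-45046 comes from the Apache advisory, not from this thread.

```python
import io
import re
import zipfile

# Real paths inside an Apache Log4j 2 log4j-core jar. Log4j 1.x ships as the
# Maven artifact log4j:log4j and has neither, so it reports NOT_LOG4J_CORE.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def inspect_log4j_core(jar_bytes: bytes) -> dict:
    """Read the log4j-core version from pom.properties and note whether
    JndiLookup.class (deleting it is Apache's documented workaround) is present."""
    result = {"version": None, "jndi_lookup_present": False}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        result["jndi_lookup_present"] = JNDI_CLASS in names
        if POM_PROPS in names:
            for line in jar.read(POM_PROPS).decode("utf-8").splitlines():
                if line.startswith("version="):
                    result["version"] = line.split("=", 1)[1].strip()
    return result

def assess(result: dict) -> str:
    """Map an inspection result onto the two CVEs discussed in the thread."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", result["version"] or "")
    if not m:  # no pom.properties, or a version string we cannot parse
        return "NOT_LOG4J_CORE"
    ver = tuple(int(g or 0) for g in m.groups())
    if ver >= (2, 16, 0):
        return "FIXED_44228_45046"  # 2.16.0 addressed CVE-2021-45046 (Apache advisory)
    if not result["jndi_lookup_present"]:
        return "WORKAROUND_CLASS_REMOVED"  # mitigated by class removal, still upgrade
    if ver >= (2, 15, 0):
        return "VULNERABLE_45046_ONLY"  # CVE-2021-44228 fixed, CVE-2021-45046 not
    return "VULNERABLE_44228_45046"

def build_sample_jar(version: str, include_jndi: bool = True) -> bytes:
    """Constructed stand-in for a log4j-core jar so the checker runs offline;
    the class entry holds placeholder bytes, not real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()

if __name__ == "__main__":
    for ver, jndi in (("2.11.1", True), ("2.11.1", False), ("2.15.0", True), ("2.16.0", False)):
        status = assess(inspect_log4j_core(build_sample_jar(ver, jndi)))
        print(f"log4j-core {ver}, JndiLookup present={jndi}: {status}")
```

To check a real deployment, pass the bytes of each log4j-core jar found under the Talend installation to `inspect_log4j_core` instead of the constructed sample.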
There is a full page with workarounds and patch dates here: https://www.talend.com/security/incident-response/
Some workarounds are different from previous answers in this thread!
Hello All,
For information on how the Log4j2 vulnerability can be mitigated, please look here:
https://www.talend.com/security/incident-response/
Don't hesitate to post your issue here.
Best regards
Sabrina
Thanks. The screenshots on that page won't open as large images, are they supposed to?