YPMAL
Contributor III

Log4j bug CVE-2021-44228 - Urgently need to update log4j libraries for deployed jobs from Talend 6.2.1

Hi,

We are using the Talend 6.2.1 20160704_1411 version of Talend running on our local servers.

As a precautionary measure we need to update the log4j library to avoid the recent exploit named CVE-2021-44228.

Can anyone tell me what measures can be taken to update log4j to Log4j 2.15.0 or apply the recommended mitigations immediately?

79 Replies
ars
Contributor III

Hi all,

 

Considering the above-mentioned page, we need to understand the reference "*Remediation for Talend Open Source is not in scope".

Does that mean that Open Studio doesn't need any mitigation action?

Also, in our case (Talend Open Studio 7.1) we tried the below action:

- Locate string: %msg%n
- Replace this string by: %msg{nolookups}%n

but under the Log4j tab there is no such section or string (at all) declared.

 

Can you please advise?

Thank you in advance.

BR,

ars

MPT
Contributor III

It seems to be by default present only in log4j2 :

 

[screenshot]

Note that our log4j2 configuration is a bit customized, but that string %msg%n should be present in your default log4j2 config too.

Anonymous
Not applicable

Hello,

I tried to open the screenshots on this page and it won't open as large images. Feel free to let us know which one is not very clear to see the setting and configuration.

Best regards

Sabrina

 

MPT
Contributor III

As the instructions are mostly also in the text, the screencaptures are additional visual reference and as such not that critical. As a suggestion, if those images can't be clicked to be bigger, if you could double the size of each screenshot, I think those would then be more informative.

Anonymous
Not applicable

Hello,

Thanks for your suggestion and it does make sense.

We will check it with our WEB and Support team to see if it is possible to double the size of each screenshot.

Best regards

Sabrina

AMBxxx
Contributor II

That's useful - thanks.

I've checked my projects and Log4j is disabled in all of them. Presumably that's the default as I've not changed it. I can sleep easier tonight!

Jean-François
Contributor

Hello,

Are we sure that the vulnerability is only effective when log4j is active? Because even if not active, the log4j libraries are embedded in the job build.

It's not very clear in my mind.

Thanks.

StevanJovetic10
Contributor III

Hi, if I have a deployed job created by Talend Open Studio, how can I check if log4j is disabled for this particular job?
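
On the point raised above that the log4j libraries are embedded in the job build whether or not logging is activated: the following is an added example (not part of any post in this thread and not Talend tooling) that inventories every log4j-core 2.x copy inside a built job archive and compares it with the 2.15.0 target named in the original post. The archive layout and file names in the sample are constructed.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
TARGET = (2, 15, 0)  # the version the original post asks to reach

def core_version(zf, jar_name):
    """Version from Maven's pom.properties if present, else from the jar file name."""
    if POM_PROPS in zf.namelist():
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", props, re.M)
    else:
        m = re.search(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?", jar_name)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def scan(data, path=""):
    """Recursively list every log4j-core 2.x copy inside a zip/jar given as bytes."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if JNDI_CLASS in names or POM_PROPS in names:
            version = core_version(zf, path)
            # An undetermined version is reported as below target for manual review.
            findings.append({"path": path or "(top level)", "version": version,
                             "has_jndi_lookup": JNDI_CLASS in names,
                             "below_target": version is None or version < TARGET})
        for n in names:
            if n.lower().endswith((".jar", ".zip")):
                findings += scan(zf.read(n), f"{path}!/{n}" if path else n)
    return findings

def make_zip(entries):
    """Build an in-memory zip from {name: content}; used only for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def sample_job_build():
    """Constructed sample of a built job archive; file names and layout are made up."""
    old = make_zip({JNDI_CLASS: b"", POM_PROPS: "version=2.12.1\n"})
    new = make_zip({JNDI_CLASS: b"", POM_PROPS: "version=2.15.0\n"})
    return make_zip({"demo_job/demo_job_run.sh": "#!/bin/sh\n",
                     "lib/log4j-core-2.12.1.jar": old, "lib/log4j-core-2.15.0.jar": new})
```

To scan a real build, read the archive as bytes and pass it to `scan()`; each finding gives the nested path of the jar, the detected version, and whether the JNDI lookup class is present.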

welshsteve
Creator

Do you have log4j1 (deprecated) selected instead? This would explain it.

[screenshot]

Change it to log4j2 and then change the relevant text as per the instructions:

[screenshot]

Thanks

Steve