Hi,
We are using Talend version 6.2.1 (20160704_1411), running on our local servers.
As a precautionary measure we need to update the log4j library to avoid the recent exploit named CVE-2021-44228.
Can anyone tell me what measures can be taken to update log4j to
Log4j 2.15.0 or to apply the recommended mitigations immediately?
Hi,
we use the Nexus artifact repository for Talend jobs. To mitigate the risk, we added the option (-Dlog4j2.formatMsgNoLookups=true) to the
%talend%/tac/Artifact-Repository-Nexus-3.x.x-01-win64\nexus-3.x.x-01\bin - nexus.vmoptions file.
After a restart, this parameter appears in Nexus (web UI) --> System status --> System Information --> (scroll down to system properties).
Hello All,
Here is a new update in this response:
Publication Date: 12/16/2021
https://www.talend.com/security/incident-response/
If you have any further questions about this issue, please feel free to contact our support team.
Best regards
Sabrina
https://www.talend.com/security/incident-response/
Talend is working to identify all modules in Talend affected and is working on a permanent solution. We should be able to provide your team with an official in-depth update in the coming days on the status of this issue.
One important note: Talend Cloud has been mitigated, along with all apps inside it (TMC, TDS/TDP, TDI, etc.), and thus is not affected by this CVE.
For a detailed list of affected products and the suggested mitigation steps, please visit https://www.talend.com/security/incident-response/
I'm using Talend Open Studio Data Integration.
Log4j is inactive (in File > Edit Project Properties > Log4j).
But indeed the log4j libraries (log4j-api-2.12.1.jar / log4j-core-2.12.1.jar / log4j-slf4j-impl-2.12.1.jar) are embedded in the job build.
Do I just have to delete them from the servers where the jobs are deployed?
Will there be no impact on the jobs working?
Even if Talend would say that there is no impact, I would still test it to be sure.
So I have a bunch of standalone Studio jobs. This is what I did to update them.
(1) Added the latest Apache log4j release files to the /lib directory and deleted the older versions.
(2) Edited the launch script (.bat, .sh, whatever you are using)
And that's it - tested all jobs and updated.
Yes, it is messy, but I scripted this ...
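The two steps above (swap the jars in lib/, then fix the launcher's classpath) are easy to script once you can tell which log4j-core a job build actually ships and whether it still contains the JNDI lookup class. The following is an added example, not Talend's or Apache's code and not the script the poster wrote. It assumes the job layout described in this thread (a lib/ folder of jars plus a launch script whose classpath names them); the sample job directory, the placeholder class bytes and the replacement version string "2.17.1" are constructed for the demo. The version range it checks is the one in the Apache advisory for CVE-2021-44228 (2.0-beta9 through 2.14.1, fixed in 2.15.0); the JndiLookup.class removal is the class-path mitigation Apache published for builds that cannot be upgraded right away, and it is applied here only when the jar is in the affected range. Newer Apache releases address follow-on CVEs, so treat the target version as a placeholder and check the current advisory.

```python
"""Audit and remediate log4j-core jars embedded in a Talend job build.

Added example (not Talend's or Apache's code). Assumes the layout from the
thread: <job>/lib/*.jar plus a launch script whose classpath names the jars.
Everything below the helper functions is constructed sample data so the
script runs offline.
"""
import os
import re
import shutil
import tempfile
import zipfile

# Class whose presence makes a 2.x core jar reachable by the JNDI lookup.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_RE = re.compile(r"^(log4j-(?:core|api|slf4j-impl))-(\d+(?:\.\d+)*)\.jar$")


def parse_version(v):
    """'2.12.1' -> (2, 12, 1) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def find_log4j_jars(lib_dir):
    """Map artifact name -> (version, path) for log4j jars found in lib/."""
    found = {}
    for name in sorted(os.listdir(lib_dir)):
        m = JAR_RE.match(name)
        if m:
            found[m.group(1)] = (m.group(2), os.path.join(lib_dir, name))
    return found


def has_jndi_lookup(jar_path):
    with zipfile.ZipFile(jar_path) as z:
        return JNDI_LOOKUP in z.namelist()


def assess_core(version, jar_path):
    """Classify a log4j-core jar against CVE-2021-44228.
    Apache advisory: 2.0-beta9 .. 2.14.1 affected, fixed in 2.15.0."""
    if parse_version(version) >= (2, 15, 0):
        return "patched"          # later releases fix follow-on CVEs; check the advisory
    if not has_jndi_lookup(jar_path):
        return "mitigated"        # JndiLookup.class already stripped from the jar
    return "vulnerable"


def remove_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class (zipfile cannot delete in place)."""
    tmp = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, \
            zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            if item.filename != JNDI_LOOKUP:
                dst.writestr(item, src.read(item.filename))
    os.replace(tmp, jar_path)


def rewrite_classpath(script_text, old_version, new_version):
    """Point every log4j jar reference in the launcher at the replacement version."""
    pat = re.compile(r"(log4j-(?:core|api|slf4j-impl))-" + re.escape(old_version) + r"\.jar")
    return pat.sub(lambda m: f"{m.group(1)}-{new_version}.jar", script_text)


def build_sample_job(root):
    """Constructed sample: a 2.12.1 job build like the one described in the thread."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    for art in ("log4j-core", "log4j-api", "log4j-slf4j-impl"):
        with zipfile.ZipFile(os.path.join(lib, f"{art}-2.12.1.jar"), "w") as z:
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if art == "log4j-core":
                z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    launcher = os.path.join(root, "job_run.sh")
    with open(launcher, "w") as f:
        f.write("java -cp ../lib/log4j-core-2.12.1.jar:../lib/log4j-api-2.12.1.jar:"
                "../lib/log4j-slf4j-impl-2.12.1.jar:job.jar main.Job\n")
    return lib, launcher


def run_demo(target_version="2.17.1"):
    """Build the sample, audit it, strip the lookup class, fix the launcher."""
    root = tempfile.mkdtemp()
    try:
        lib, launcher = build_sample_job(root)
        version, core = find_log4j_jars(lib)["log4j-core"]
        before = assess_core(version, core)
        if before == "vulnerable":
            remove_jndi_lookup(core)
        after = assess_core(version, core)
        with open(launcher) as f:
            fixed = rewrite_classpath(f.read(), version, target_version)
        return {"version": version, "before": before, "after": after,
                "launcher_refs_old": version in fixed,
                "launcher_refs_new": f"log4j-core-{target_version}.jar" in fixed}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(run_demo())
```

Run against a real deployment, `find_log4j_jars` and `assess_core` give you the inventory the poster needed before touching anything; the rewrite step only changes the jar names in the classpath, so the launcher keeps whatever other arguments Talend generated.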
Hi Jean-François,
Did you get the answer to your question ?
I'm also using Talend Open Studio version 7.3.1, and Log4j is disabled in the project settings.
But indeed the log4j libraries are embedded in the job build, I don't know why.
If Log4j is disabled in the project settings, do we only have to delete the log4j libraries from the job build?
Thanks in advance
Hi,
No, I didn't. But we are going to do what you explained in your post, using a daily script to remove the libraries from all our jobs.
Regards
Hi Si,
Do you have Log4j active (in File > Edit Project Properties > Log4j)?
If not, is it really useful to update the libraries and scripts?
Regards,
Hi Si,
It doesn't work for me.
In the .bat I'm currently calling the libraries below:
But I found only the new library below: