Skip to main content
Announcements
Join us at Qlik Connect for 3 magical days of learning, networking,and inspiration! REGISTER TODAY and save!
cancel
Showing results for 
Search instead for 
Did you mean: 
YPMAL
Contributor III
Contributor III

log 4j bug CVE-2021-44228- Urgently need to update log4j libraries for deployed jobs from talend 6.2.1

Hi,

We are using Talend 6.2.1 20160704_1411 version of talend running on our local servers.

As precautionary measure we need to update log4j library to avoid recent exploit named as CVE-2021-44228.

Can anyone tell me what measure can be taken to update log4j to

 Log4j 2.15.0 or apply the recommended mitigations immediately ?

79 Replies
Fernandez
Creator II
Creator II

Hi,

 

If I understand correctly, we have to add the option "-Dlog4j2.formatMsgNoLookups=true" in the .bat deployed on our execution servers?

 

0695b00000LyjCGAAZ.png

aksharma
Contributor II
Contributor II

 

Hi

 

I am not seeing anywhere mention about the denial of service issue of log4j 2.16.0 in talend forums.Will there be a patch soon for this issue too (log4j2.17.0 jar).

 

Any insight on this will be helpfull .

 

Thanks

Ashish

 

 

 

 

Anonymous
Not applicable

Hello,

So far, we cannot give assurances of this situation.

We’re working on updating the TOS with the Log4j fix and will keep you update to this issue.

Meanwhile the mitigation steps that we have described in the Talend Help(incident-response) apply to TOS as well.

Publication Date: December 27, 2021

https://www.talend.com/security/incident-response/

Best regards

Sabrina

Anonymous
Not applicable

Hello,

So far, we cannot give assurances of this situation.

We’re working on updating the TOS with the Log4j fix and will keep you update to this issue.

Meanwhile the mitigation steps that we have described in the Talend Help(incident-response) apply to TOS as well.

Publication Date: December 27, 2021

https://www.talend.com/security/incident-response/

Best regards

Sabrina

Anonymous
Not applicable

Hello,

If you need additional details or assistance, please contact Talend Support on Talend Support portal (https://login.talend.com/support-login.php) or by sending an e-mail to customercare@talend.com.

Best regards

Sabrina

Anonymous
Not applicable

Hello All,

The mitigation steps are now located on help.talend.com: https://document-link.us.cloud.talend.com/talend_log4j2_cve_statement?lang=en&version=latest&env=prd 

Which provides all the workarounds for studio.

The mitigation steps that we have described in the Talend Help Center apply to TOS as well.

Best regards

Sabrina

MGreenslade1621434850
Contributor III
Contributor III

Just checking there is no official patch for Talend Open Studio 7.3 that addresses this issue yet - just this:

For running jobs, the issue can be mitigated by specifying: "-Dlog4j2.formatMsgNoLookups=true" as a JVM argument when running the job.

 

Is that still correct?

seaferring
Contributor
Contributor

Talend's response is mitigation, not remediation.

 

For already built jobs you can replace the vulnerable log4j jars with the 2.17.1 jars and change the jar references in the batch/shell/powershell scripts.

 

For companies who require removal of all vulnerable log4j jars, I have not found a way to build or run jobs from within the studio environment.

 

If anyone else has found a way around this, I would love to know what you did.

 

It goes without saying that Talend's response to this vulnerability is not even close to acceptable. It really should not be very difficult to provide patches for studio.

welshsteve
Creator
Creator

I reported to Talend Support that our GitHub repository was still complaining about log4j vulnerabilities, despite me applying all the patches and mitigation they had supplied up to now.

 

I have been informed by Talend Support that log4j 2.17.1 is going to be included in the February patch due out around 17th February.

 

I presume from this that this will be PERMANENT remediation of the issue?

 

I'm not quite sure why it's taken so long, but let's hope this is the case because I do not know much about Java (I'm a SQL developer), so am relying on Talend providing permanent remediation of this issue. If it cannot be guaranteed, then our security team will most likely recommend removal of the product from our systems until such remediation is in place.

Anonymous
Not applicable

Hello,

Official statement and remediation efforts for Log4j2 security issue (CVE-2021-44228)

CVE-2021-45105 and CVE-2021-44832 medium severities CVEs are resolved with Log4j 2.17.1., which will be released during Talend’s monthly patch within its Continuous Maintenance Development process.

Best regards

Sabrina