Hi,
We are using Talend 6.2.1 20160704_1411 version of Talend running on our local servers.
As precautionary measure we need to update log4j library to avoid recent exploit named as CVE-2021-44228.
Can anyone tell me what measures can be taken to update log4j to Log4j 2.15.0 or apply the recommended mitigations immediately?
Hi,
If I understand correctly, we have to add the option "-Dlog4j2.formatMsgNoLookups=true" in the .bat deployed on our execution servers?
Hi
I am not seeing anywhere mention about the denial of service issue of log4j 2.16.0 in Talend forums. Will there be a patch soon for this issue too (log4j 2.17.0 jar)?
Any insight on this will be helpful.
Thanks
Ashish
Hello,
So far, we cannot give assurances of this situation.
We’re working on updating the TOS with the Log4j fix and will keep you updated on this issue.
Meanwhile the mitigation steps that we have described in the Talend Help (incident-response) apply to TOS as well.
Publication Date: December 27, 2021
https://www.talend.com/security/incident-response/
Best regards
Sabrina
Hello,
If you need additional details or assistance, please contact Talend Support on Talend Support portal (https://login.talend.com/support-login.php) or by sending an e-mail to customercare@talend.com.
Best regards
Sabrina
Hello All,
The mitigation steps are now located on help.talend.com: https://document-link.us.cloud.talend.com/talend_log4j2_cve_statement?lang=en&version=latest&env=prd, which provides all the workarounds for Studio.
The mitigation steps that we have described in the Talend Help Center apply to TOS as well.
Best regards
Sabrina
Just checking there is no official patch for Talend Open Studio 7.3 that addresses this issue yet - just this:
For running jobs, the issue can be mitigated by specifying: "-Dlog4j2.formatMsgNoLookups=true" as a JVM argument when running the job.
Is that still correct?
Talend's response is mitigation, not remediation.
For already built jobs you can replace the vulnerable log4j jars with the 2.17.1 jars and change the jar references in the batch/shell/powershell scripts.
For companies who require removal of all vulnerable log4j jars, I have not found a way to build or run jobs from within the studio environment.
If anyone else has found a way around this, I would love to know what you did.
It goes without saying that Talend's response to this vulnerability is not even close to acceptable. It really should not be very difficult to provide patches for studio.
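As an added example (not Talend's own tooling and not code posted by anyone in this thread), here is a POSIX sh audit that checks a built job for the two things discussed above: the log4j-core version that the lib directory and launcher script actually reference (the jar replacement described in the previous post) and whether the launcher already passes "-Dlog4j2.formatMsgNoLookups=true" to the JVM. The lib/ layout, the *_run.sh launcher name and the fixture contents are assumptions constructed for the demo; 2.17.1 is the version this thread names as the fixed release, and the 2.10 cut-off reflects that the formatMsgNoLookups property is honored only by Log4j 2.10 and later, so older jars can only be upgraded.

```shell
#!/bin/sh
# Added example, not Talend's code: audit one built Talend job directory for the
# log4j-core version it ships and for the JVM mitigation flag in its launcher.
# Assumed layout: <jobdir>/lib/log4j-core-<ver>.jar and <jobdir>/<job>_run.sh.

# Print the version embedded in a log4j-core jar filename
# (log4j-core-2.11.1.jar -> 2.11.1); prints nothing for other files.
log4j_version_from_jar() {
  basename "$1" | sed -n 's/^log4j-core-\([0-9][0-9.]*[0-9]\)\.jar$/\1/p'
}

# Exit 0 when dotted version $1 >= $2, comparing each numeric component in turn.
version_ge() {
  a="$1."; b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; a="${a#*.}"
    y="${b%%.*}"; b="${b#*.}"
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
  done
  return 0
}

# Exit 0 if the launcher script passes -Dlog4j2.formatMsgNoLookups=true to the JVM.
launcher_has_nolookups() {
  grep -q -- '-Dlog4j2.formatMsgNoLookups=true' "$1"
}

# Classify one log4j-core jar by version. Prints a status word plus the version:
#   FIXED                 >= 2.17.1 (the release this thread names as fixed)
#   NEEDS_FLAG_OR_UPGRADE 2.10 .. 2.17.0 (property is honored; upgrade still due)
#   UPGRADE_ONLY          < 2.10 (property does not exist in these releases)
# Exit status is 0 only for FIXED.
classify_log4j_jar() {
  v=$(log4j_version_from_jar "$1")
  [ -n "$v" ] || { echo "UNKNOWN"; return 2; }
  if version_ge "$v" 2.17.1; then echo "FIXED $v"; return 0; fi
  if version_ge "$v" 2.10; then echo "NEEDS_FLAG_OR_UPGRADE $v"; return 1; fi
  echo "UPGRADE_ONLY $v"; return 1
}

# Audit a job directory ($1) and its launcher script ($2): one line per log4j-core
# jar with its status and whether the flag is present. Exit 0 only when nothing is due.
audit_job_dir() {
  dir="$1"; launcher="$2"; rc=0
  flag="flag_missing"
  launcher_has_nolookups "$launcher" && flag="flag_present"
  for jar in "$dir"/lib/log4j-core-*.jar; do
    [ -e "$jar" ] || continue
    status=$(classify_log4j_jar "$jar") || rc=1
    echo "$(basename "$jar") $status $flag"
  done
  return $rc
}

# Constructed fixture (empty stand-in jars, minimal launcher) so the audit runs offline.
make_demo_job() {
  d=$(mktemp -d)
  mkdir -p "$d/lib"
  : > "$d/lib/log4j-core-2.11.1.jar"
  : > "$d/lib/log4j-api-2.11.1.jar"
  cat > "$d/demo_job_run.sh" <<'EOF'
#!/bin/sh
java -Xms256M -Xmx1024M -cp "lib/log4j-core-2.11.1.jar:lib/log4j-api-2.11.1.jar:demo_job.jar" demo.DemoJob "$@"
EOF
  echo "$d"
}

# Stand-alone run against the fixture; a real run would pass the job's own paths.
demo_dir=$(make_demo_job)
audit_job_dir "$demo_dir" "$demo_dir/demo_job_run.sh" || echo "action required in $demo_dir"
rm -rf "$demo_dir"
```

Point the last two lines at a real job directory and its launcher to audit a deployed job; a status of FIXED with no flag is fine, while NEEDS_FLAG_OR_UPGRADE with flag_missing is the combination to act on first.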
I reported to Talend Support that our GitHub repository was still complaining about log4j vulnerabilities, despite me applying all the patches and mitigation they had supplied up to now.
I have been informed by Talend Support that log4j 2.17.1 is going to be included in the February patch due out around 17th February.
I presume from this that this will be PERMANENT remediation of the issue?
I'm not quite sure why it's taken so long, but let's hope this is the case because I do not know much about Java (I'm a SQL developer), so am relying on Talend providing permanent remediation of this issue. If it cannot be guaranteed, then our security team will most likely recommend removal of the product from our systems until such remediation is in place.
Hello,
Official statement and remediation efforts for Log4j2 security issue (CVE-2021-44228)
CVE-2021-45105 and CVE-2021-44832, medium-severity CVEs, are resolved with Log4j 2.17.1, which will be released during Talend’s monthly patch within its Continuous Maintenance Development process.
Best regards
Sabrina