Still awaiting on a reply from Talend.
We run a number of remote engines with a CI/CD pipeline pushing artifacts to the TMC.
Looking at our version of Studio (and V8.0.1) these products are using log4j < 2.15 so are open to the vulnerability. The issue as I see are a number of issues that need to be addressed:
- I have production code (my artifacts) that have been published with the "offending" libraries. These are now effectively redundant as all versions include this.
- My remote engines are potentially open to this attack
- Any existing development compiled from Studio will included this, even if I was able to mitigate this the CI/CD pipeline would recompile before publishing with the libraries that are included in the P2 image.
The response from Talend in asking how we might mitigate this risk was:
"Our team has been made aware of this CVE and the risks associated with it. Right now, our team is working to identify and mitigate all portions of Talend that fall under the scope of this issue. At this time, our team is still working on this issue, and verifying both a short-term and long-term solution that can mitigate the risk, and customers can use.
We will be able to provide your team with an update in the coming days on the status of this bug/risk, and the next steps.
Regarding your questions, the change mentioned is not advised by R&D as they are working on finding a solution as mentioned above"
Wish this was more helpful - but our security people are seeing attacks using this vector - and although we have put actions in place on our WAF etc, this is still a cause for concern.
/TALEND BUMP!
