Hi,
We are using version 6.2.1 20160704_1411 of Talend, running on our local servers.
As a precautionary measure we need to update the log4j library to avoid the recent exploit named CVE-2021-44228.
Can anyone tell me what measures can be taken to update log4j to Log4j 2.15.0 or apply the recommended mitigations immediately?
Hi all,
Considering the above mentioned page, we need to understand the reference *Remediation for Talend Open Source is not in scope
Does that mean that Open Studio doesn't need any mitigation action?
Also, in our case (Talend Open Studio 7.1) we tried the below action:
- Locate string:
o %msg%n
- Replace this string by:
o %msg{nolookups}%n
but under tab Log4j there is no such section or string (at all) declared.
Can you please advise?
Thank you in advance.
BR,
ars
It seems to be present by default only in log4j2:
Note that our log4j2 configuration is a bit customized, but that string %msg%n should be present in your default log4j2 config too.
Hello,
I tried to open the screenshots on this page and it won't open as large images. Feel free to let us know which one is not very clear to see the setting and configuration.
Best regards
Sabrina
As the instructions are mostly also in the text, the screencaptures are additional visual reference and as such not that critical. As a suggestion, if those images can't be clicked to be bigger, if you could double the size of each screenshot, I think those would then be more informative.
Hello,
Thanks for your suggestion and it does make sense.
We will check it with our WEB and Support team to see if it is possible to double the size of each screenshot.
Best regards
Sabrina
That's useful - thanks.
I've checked my projects and Log4j is disabled in all of them. Presumably that's the default as I've not changed it. I can sleep easier tonight!
Hello,
Are we sure that the vulnerability is only effective when log4j is active? Because even if not active, the log4j libraries are embedded in the job build.
It's not very clear in my mind.
Thanks.
Hi, if I have a deployed job created by Talend Open Studio, how can I check if log4j is disabled for this particular job?
Do you have log4j1 (deprecated) selected instead? This would explain it.
Change it to log4j2 and then change the relevant text as per the instructions:
Thanks
Steve
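The string change discussed in this thread (%msg%n to %msg{nolookups}%n), as an added example that is not part of any post and is not Talend's code: a small Python checker that finds log4j2 layout patterns still lacking {nolookups} and rewrites them. It goes slightly beyond the single string in the thread by also covering the equivalent %m and %message converters; the function names and the sample configuration are constructed for illustration.

```python
import re

# %m, %msg and %message are the Log4j2 message converters; optional format
# modifiers (e.g. -5 or .30) may precede the name and {options} may follow it.
MSG_CONVERTER = re.compile(
    r"%%|%(?P<mod>-?\d*(?:\.-?\d+)?)(?P<name>message|msg|m)(?![A-Za-z])"
    r"(?P<opts>(?:\{[^}]*\})*)"
)

def harden_pattern(pattern: str) -> str:
    """Return the layout pattern with {nolookups} on every message converter."""
    def fix(match: re.Match) -> str:
        if match.group(0) == "%%":        # escaped percent sign, not a converter
            return "%%"
        opts = match.group("opts")
        if "{nolookups}" in opts:         # already mitigated, leave untouched
            return match.group(0)
        return f"%{match.group('mod')}{match.group('name')}{{nolookups}}{opts}"
    return MSG_CONVERTER.sub(fix, pattern)

def unmitigated_lines(config_text: str) -> list[int]:
    """1-based line numbers whose pattern would change under harden_pattern()."""
    return [n for n, line in enumerate(config_text.splitlines(), 1)
            if harden_pattern(line) != line]

# Constructed sample resembling a log4j2 XML template (not Talend's actual default).
SAMPLE = """<Configuration>
  <Appenders>
    <Console name="Console">
      <PatternLayout pattern="[%-5level] %d{HH:mm:ss} %logger{36} - %msg%n"/>
    </Console>
    <File name="File" fileName="job.log">
      <PatternLayout pattern="%d %marker %m{nolookups}%n"/>
    </File>
  </Appenders>
</Configuration>"""

if __name__ == "__main__":
    print("lines needing the change:", unmitigated_lines(SAMPLE))
    print(harden_pattern(SAMPLE))
```

Apache's own Log4j security guidance later listed the {nolookups} pattern change among the insufficient mitigations, so a clean result from this check does not replace upgrading the log4j-core library itself.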