YPMAL
Contributor III

Log4j bug CVE-2021-44228 - Urgently need to update log4j libraries for deployed jobs from Talend 6.2.1

Hi,

We are using Talend version 6.2.1 (20160704_1411) running on our local servers.

As a precautionary measure we need to update the log4j library to avoid the recent exploit named CVE-2021-44228.

Can anyone tell me what measures can be taken to update log4j to Log4j 2.15.0, or to apply the recommended mitigations immediately?

79 Replies
paula11
Contributor III

Hi,

We use the Nexus artifact repository for Talend jobs. To mitigate the risk, we added the option (-Dlog4j2.formatMsgNoLookups=true) to the nexus.vmoptions file under

%talend%/tac/Artifact-Repository-Nexus-3.x.x-01-win64\nexus-3.x.x-01\bin

 

After a restart, in Nexus (website) --> System Status --> System Information --> (scroll down to system properties) this parameter appears.

Anonymous
Not applicable

Hello All,

Here comes new update in this response:

Publication Date: 12/16/2021

https://www.talend.com/security/incident-response/

If you have any further questions about this issue, please feel free to contact our support team.

Best regards

Sabrina

 

Anonymous
Not applicable

https://www.talend.com/security/incident-response/

Talend is working to identify all modules in Talend affected and is working on a permanent solution. We should be able to provide your team with an official in-depth update in the coming days on the status of this issue.

 

One important note: Talend Cloud has been mitigated, along with all apps inside it (TMC, TDS/TDP, TDI, etc.), and is thus not affected by this CVE.

 

For a detailed list of affected products and the suggested mitigation steps, please visit https://www.talend.com/security/incident-response/

Fernandez
Creator II

I'm using Talend Open Studio Data Integration.

Log4j is inactive (in File > Edit Project Properties > Log4j).

But indeed the log4j libraries (log4j-api-2.12.1.jar / log4j-core-2.12.1.jar / log4j-slf4j-impl-2.12.1.jar) are embedded in the job build.

Do I just have to delete them from the servers where the jobs are deployed?

Will there be no impact on the jobs working?

MPT
Contributor III

Even if Talend would say that there is no impact, I would still test it to be sure.

Si4
Contributor II

So I have a bunch of standalone Studio jobs. This is what I did to update them.

 

(1) Added the latest apache log4j release files to the /lib directory and deleted the older versions.

(2) Edited the launch script (.bat, .sh, whatever you are using)

  • replace any log4j v2 references with the latest 2.17.0 version
  • replace any log4j v1 references with the API redirector (log4j-1.2-api-2.17.0.jar) and add the core and api files from 2.17.0 - this lets the v1 calls redirect to the latest 2.x

 

And that's it - tested all jobs and updated.

 

Yes it is messy but I scripted this ...

 
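The two steps above, as an added shell example that is neither Si4's script nor anything from Talend: it lists the log4j jars under a job's lib/ directory, pins every log4j 2.x entry in the generated .sh launch script to 2.17.0, swaps a log4j 1.x jar for the 1.2 bridge plus the 2.x api and core jars, and then checks that no older reference survived. The job layout (lib/ beside the _run.sh), the jar names and the java launch line are constructed sample data; the 2.17.0 target is the version named in the post.

```shell
#!/bin/sh
# Added example, not Si4's script and not Talend code. Mirrors the two steps
# in the post for a standalone Studio job: (1) list the log4j jars under lib/,
# (2) rewrite the generated launch script's -cp entries to the target release,
# then (3) confirm nothing older is still referenced.
# Assumed layout (constructed for this example): <job>/lib/*.jar next to
# <job>/<job>_run.sh. Jar names and the java line below are sample data.

NEWVER="2.17.0"   # release named in the post

# (1) List every log4j jar (by file name) in a lib directory.
# slf4j bindings such as slf4j-log4j12-*.jar are deliberately not matched:
# they are not log4j itself.
list_log4j_jars() {
    libdir="$1"
    ls "$libdir" 2>/dev/null \
        | grep -E '^log4j-[a-z0-9.-]*[0-9]+\.[0-9]+(\.[0-9]+)?\.jar$' \
        | sort
}

# (2) Rewrite the launch script in place (keeps a .bak copy):
#   - every log4j 2.x artefact (api, core, slf4j-impl, to-slf4j, 1.2-api)
#     is pinned to the version given as $2
#   - a log4j 1.x jar (log4j-1.2.NN.jar) becomes the 1.2 bridge plus the
#     2.x api and core jars from the same directory, so 1.x calls are routed
#     to the new core, as the post describes
rewrite_launch_script() {
    script="$1"
    ver="$2"
    sed -E -i.bak \
        -e "s#log4j-(api|core|slf4j-impl|to-slf4j|1\.2-api)-2\.[0-9]+\.[0-9]+\.jar#log4j-\1-${ver}.jar#g" \
        -e "s#([^:]*/)log4j-1\.2\.[0-9]+\.jar#\1log4j-1.2-api-${ver}.jar:\1log4j-api-${ver}.jar:\1log4j-core-${ver}.jar#g" \
        "$script"
}

# (3) Return 0 when the script references no log4j 2.0-2.16 or 1.x jar any more.
no_old_log4j_refs() {
    if grep -qE 'log4j-[a-z0-9.-]*-2\.([0-9]|1[0-6])\.[0-9]+\.jar|log4j-1\.2\.[0-9]+\.jar' "$1"; then
        return 1
    fi
    return 0
}

# Constructed sample job: the jar names mentioned in the thread plus a launch
# line in the shape Studio generates. Prints the jar list and the rewritten
# java line; returns 1 if an old reference survived the rewrite.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/lib"
    for j in routines.jar log4j-1.2.17.jar log4j-api-2.12.1.jar log4j-core-2.12.1.jar \
             log4j-slf4j-impl-2.12.1.jar slf4j-log4j12-1.7.25.jar; do
        : > "$tmp/lib/$j"
    done
    cat > "$tmp/myjob_run.sh" <<'EOF'
#!/bin/sh
cd `dirname $0`
ROOT_PATH=`pwd`
java -Xms256M -Xmx1024M -cp $ROOT_PATH:$ROOT_PATH/../lib/routines.jar:$ROOT_PATH/../lib/log4j-1.2.17.jar:$ROOT_PATH/../lib/log4j-api-2.12.1.jar:$ROOT_PATH/../lib/log4j-core-2.12.1.jar:$ROOT_PATH/../lib/log4j-slf4j-impl-2.12.1.jar:$ROOT_PATH/myjob_0_1.jar local_project.myjob_0_1.myjob --context=Default "$@"
EOF
    echo "log4j jars before: $(list_log4j_jars "$tmp/lib" | tr '\n' ' ')"
    rewrite_launch_script "$tmp/myjob_run.sh" "$NEWVER"
    grep '^java ' "$tmp/myjob_run.sh"
    no_old_log4j_refs "$tmp/myjob_run.sh"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo
```

Windows .bat launch scripts use `;` as the classpath separator, so the `([^:]*/)` pattern in the 1.x substitution needs adjusting there. Where a job already listed both a 1.x jar and the 2.x api/core jars (the mixed case in the sample), the rewrite leaves duplicate api and core entries; the JVM ignores the repeat, but they can be removed by hand. The 1.2 bridge implements the common log4j 1.x API but not every internal class, so a job that configured log4j 1.x programmatically still needs the test run MPT recommends above.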

Fernandez
Creator II

Hi Jean-François,

 

Did you get the answer to your question?

I'm also using Talend Open Studio version 7.3.1, and Log4j is disabled in the project settings.

But indeed the log4j libraries are embedded in the job build, I don't know why.

 

If Log4j is disabled in the project settings, do we only have to delete the log4j libraries in the job build?

 

Thanks in advance

Jean-François
Contributor

Hi,

No, I didn't. But we are going to do what you explain in your post, using a daily script to remove the libraries from all our jobs.

Regards

Fernandez
Creator II

Hi Si,

 

Do you have Log4j active (in File > Edit Project Properties > Log4j)?

 

If not, is it really useful to update the libraries and scripts?

 

Regards,

Fernandez
Creator II

Hi Si,

 

It doesn't work for me.

 

In the .bat I'm currently calling the libraries below:

  • log4j-1.2.17.jar
  • log4j-to-slf4j-2.12.1.jar
  • slf4j-log4j12-1.7.25.jar

 

But I only found the new library below:

  • log4j-to-slf4j-2.17.0.jar