Hi Team
We are using TOS 7.3.1 Community Edition.
We are facing a vulnerability issue with the jar files below.
Is there any patch for Talend so we can upgrade to remove these vulnerabilities?
We need urgent help fixing this vulnerability issue with the log4j 2.12.1 jar version.
We need an upgraded log4j version.
What is the latest production version of Talend?
Regards
Vamsi Krishna
Hello,
I’m afraid we do not supply patches for the Open Studio releases. We only provide patches for our subscription products.
The mitigation steps are now located on the Talend Help Center:
https://help.talend.com/r/EeTpT8r7xmeq1HtTGQBqGA/zX7iWLX6GgxOAjJPlpXNYA
which provides all the workarounds for Studio.
Note: The mitigation steps that we have described in the Talend Help apply to TOS as well.
Best regards
Sabrina
What's the issue? Last week, a vulnerability was found in Log4j, an open-source logging library commonly used by apps and services across the internet. If left unfixed, attackers can break into systems, steal passwords and logins, extract data, and infect networks with malicious software.
@Xiaodi Shi This should be considered for fixing in Open Studio too.
Hello,
The latest version of Talend is v8 at the moment. This was released just prior to the Log4j bug, so the Open Studio version does not have the fixes built-in. The subscription v8 products have been patched. You can try upgrading the Log4j libraries that your version of Talend uses. Have you ever seen the “modules” section in the Studio? Here you can add and replace Jars which are used. You could try to replace the Jars affected with fixed Jars. If you try this, it would be best to test it thoroughly in a Studio that is a “throwaway” instance and not one you are currently using for development.
Best regards
Sabrina
Hello,
Thanks for your suggestion. As Talend 8 was released prior to the vulnerability being revealed, there would be built-in fixes in the next release for the Talend open solution.
Best regards
Sabrina
Hi Sabrina
I have tried this solution with 8.0.1 open source; it doesn't work.
Every time Talend is opened, it creates these vulnerable jar files.
Regards
Vamsi Krishna
Hello,
Could you please have a look at this topic about updating a jar file for official Talend components?
We tested it on V 7.3.1 and it works.
Feel free to post your issue here.
Best regards
Sabrina
Hello xdshi,
I have tried updating the jar file directly from Modules, but whenever I open Talend, those old vulnerable jars are created again in the backend folders. How can we resolve this?
TOS_DI-Win32-20200219_1130-V7.3.1\configuration\org.eclipse.osgi\460\0\.cp\lib\log4j-core-2.12.1.jar
TOS_DI-Win32-20200219_1130-V7.3.1\configuration\org.eclipse.osgi\698\0\.cp\lib\log4j-core-2.12.1.jar
TOS_DI-Win32-20200219_1130-V7.3.1\plugins\org.talend.core_7.3.1.20200217_1338.jar (lib/log4j-core-2.12.1.jar)
Hello,
Could you please check if the newest vulnerable jar files are showing in the Modules view as "installed"?
Best regards
Sabrina
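
An added example, not part of any post in this thread and not Talend's own tooling: a Python scan that lists every log4j-core copy under a Studio install directory, including copies nested inside plug-in jars such as the `org.talend.core` entry listed above, so the results can be compared before and after restarting Studio. It reports the version taken from the file name and whether the jar still contains `JndiLookup.class`; taking the install directory as the first command-line argument is an assumption of this example.

```python
import io
import os
import re
import sys
import zipfile
from pathlib import Path

LOG4J_CORE = re.compile(r"(?:^|[\\/])log4j-core-(\d[\w.\-]*)\.jar$", re.I)
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def has_jndi_lookup(jar_bytes):
    """True/False if JndiLookup.class is present; None if the bytes are not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
            return JNDI_CLASS in zf.namelist()
    except zipfile.BadZipFile:
        return None


def scan(root):
    """Sorted (location, version, has_jndi) per log4j-core copy, nested ones included."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            path = Path(dirpath, name)
            rel = path.relative_to(root).as_posix()
            try:
                match = LOG4J_CORE.search(name)
                if match:  # standalone copy, e.g. in the OSGi cache
                    findings.append((rel, match.group(1), has_jndi_lookup(path.read_bytes())))
                    continue
                with zipfile.ZipFile(path) as outer:  # look inside plug-in jars
                    for entry in outer.namelist():
                        match = LOG4J_CORE.search(entry)
                        if match:
                            findings.append((f"{rel}!/{entry}", match.group(1),
                                             has_jndi_lookup(outer.read(entry))))
            except (zipfile.BadZipFile, OSError):
                continue  # unreadable or not a real jar: skip it
    return sorted(findings)


if __name__ == "__main__":
    for location, version, jndi in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{version}\tJndiLookup={jndi}\t{location}")
```

A location of the form `plugin.jar!/lib/log4j-core-….jar` means the copy is packed inside that plug-in jar rather than sitting on disk as its own file.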