krivamsi30
Contributor

log4j vulnerability issue

Hi Team

We are using TOS 7.3.1 community edition.

We are facing an issue with vulnerabilities in the jar files below.

Is there any patch for Talend so we can upgrade to remove these vulnerabilities?

We need urgent help fixing this vulnerability issue with the log4j 2.12.1 jar version.

We need an upgraded log4j version.

0695b00000RgsUCAAZ.png

What is the latest production version of Talend?

Regards

Vamsi Krishna

11 Replies
Eddy3
Contributor

Hello xdshi,

Yes, all new jars are installed. Please check the screenshot below.

0695b00000Z1tsKAAR.png

But I am still seeing some old log4j installed as well.

0695b00000Z1tu6AAB.png

And I am also seeing vulnerable jars installed in the folders below.

0695b00000Z1txeAAB.png

jlolling
Creator III

First of all, keep calm. The affected issue cannot be used inside a Talend job because the Talend job does not allow (because of its design) user-defined log messages to be sent from anywhere outside the job.

You are NOT in danger!

But unfortunately there are some guys in the companies scanning the projects and blaming you for using the outdated "dangerous" library.

The affected functionality can also simply be switched off by a JVM parameter.

Take care you set this: LOG4J_FORMAT_MSG_NO_LOOKUPS=true as an environment variable (usually added to the job with -D).
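
Added example, not part of the thread and not Talend tooling: a Python inventory script for the situation Eddy3 describes, where old log4j jars remain in several folders after new ones are installed. It walks a directory, looks inside jars and bundled archives, and reports each copy of log4j-core with its version and whether the JndiLookup class is still packaged; the function names are this example's own.

```python
import io
import os
import re
import sys
import zipfile

CORE_PREFIX = "org/apache/logging/log4j/core/"  # package path inside log4j-core 2.x
JNDI_CLASS = CORE_PREFIX + "lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NAME_VERSION = re.compile(r"log4j-core-(\d+(?:\.\d+)+)")
ARCHIVES = (".jar", ".war", ".zip")

def read_version(zf, label):
    """Prefer the Maven metadata, which survives a renamed file; else use the name."""
    if POM_PROPS in zf.namelist():
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    m = NAME_VERSION.search(label.rsplit("!", 1)[-1])
    return m.group(1) if m else "unknown"

def inspect_archive(label, fileobj, findings, depth=0):
    """Record log4j-core content in one archive, then descend into nested archives."""
    try:
        zf = zipfile.ZipFile(fileobj)
    except zipfile.BadZipFile:
        return  # truncated or not a zip at all
    with zf:
        names = zf.namelist()
        if any(n.startswith(CORE_PREFIX) for n in names):
            findings.append({"path": label, "version": read_version(zf, label),
                             "jndi_lookup": JNDI_CLASS in names})
        for n in names:
            if depth < 3 and n.lower().endswith(ARCHIVES):  # exported jobs bundle jars
                inspect_archive(f"{label}!{n}", io.BytesIO(zf.read(n)), findings, depth + 1)

def scan_tree(root):
    """Return one finding per archive under root that carries log4j-core classes."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ARCHIVES):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    inspect_archive(path, fh, findings)
    return findings

if __name__ == "__main__":
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f["path"], f["version"], "JndiLookup" if f["jndi_lookup"] else "-", sep="\t")
```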