SZollikofer
Contributor

log4j vulnerability

Hi,

Is Talend BD 6.4.1 affected at all by the log4j vulnerability?

The Talend installation and workspace directories only contain the older versions log4j-1.2.15.jar and log4j-1.2.16.jar.

The log4j problem affects only log4j versions higher than 2.0.

So am I correct that Talend BD 6.4.1 is not affected?

13 Replies
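The check the original poster describes (looking for log4j jars in the installation and workspace directories and reading the version off the file name) can be automated. The script below is an added example, not Talend's or Apache's code. It walks a directory tree, finds log4j jars (including ones bundled one level deep inside .war/.ear archives), takes the version from the file name or, failing that, from Implementation-Version in the manifest, and for log4j-core also checks whether JndiLookup.class is still present, since deleting that class is the stopgap used when an upgrade is not yet possible. The version boundaries it uses are 2.15.0 for CVE-2021-44228 and 2.16.0 (or 2.12.2 on the Java 7 line) for CVE-2021-45046, the follow-up CVE raised later in this thread; the sample install tree it builds is constructed in a temporary directory and the jars in it are synthetic. Pre-release qualifiers such as "-beta9" are ignored when comparing versions.

```python
"""Scan an install tree for log4j jars and rate Log4Shell exposure (added example)."""
import io
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

# Class behind the JNDI lookup; removing it is the documented stopgap for 2.x log4j-core.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PACKAGE = "org/apache/logging/log4j/core/"
CANDIDATE_RE = re.compile(r"^log4j(?:-core|-api)?(?:-\d|\.jar$)", re.I)
VERSION_RE = re.compile(r"-(\d+(?:\.\d+)*)(?:-[\w.]+)?\.jar$", re.I)  # drops "-beta9" etc.
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def parse_version(v: str) -> Tuple[int, int, int]:
    """'2.15' -> (2, 15, 0); non-numeric qualifiers are ignored."""
    parts = [int(p) for p in re.findall(r"\d+", v)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))  # type: ignore[return-value]


def classify(version: Optional[str], has_core: bool, jndi_present: bool) -> str:
    if version is None:
        return "unknown version: inspect manually"
    v = parse_version(version)
    if v < (2, 0, 0):
        return "log4j 1.x: not affected by CVE-2021-44228 (end of life)"
    fixed_45046 = v >= (2, 16, 0) or (v[:2] == (2, 12) and v >= (2, 12, 2))
    if fixed_45046:
        return "fixed: CVE-2021-44228 and CVE-2021-45046"
    if has_core and not jndi_present:
        return "mitigated: vulnerable version but JndiLookup.class removed"
    if v >= (2, 15, 0):
        return "partially fixed: CVE-2021-44228 closed, CVE-2021-45046 open"
    return "VULNERABLE: CVE-2021-44228"


def inspect_jar(src, label: str) -> Dict[str, Optional[str]]:
    """src is a path or file-like object of one jar; label is the reported location."""
    m = VERSION_RE.search(os.path.basename(label))
    version = m.group(1) if m else None
    has_core = jndi = False
    try:
        with zipfile.ZipFile(src) as zf:
            names = set(zf.namelist())
            has_core = any(n.startswith(CORE_PACKAGE) for n in names)
            jndi = JNDI_LOOKUP in names
            if version is None and "META-INF/MANIFEST.MF" in names:
                manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                mv = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
                version = mv.group(1) if mv else None
    except zipfile.BadZipFile:
        return {"path": label, "version": None, "status": "corrupt or non-zip file"}
    return {"path": label, "version": version, "status": classify(version, has_core, jndi)}


def scan(root: str) -> List[Dict[str, Optional[str]]]:
    """Report every log4j jar under root; labels are root-relative, '!' separates nesting."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(ARCHIVE_EXTS):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if CANDIDATE_RE.match(name):
                findings.append(inspect_jar(path, rel))
                continue
            try:  # look one level inside other archives (wars, ears, fat jars)
                with zipfile.ZipFile(path) as outer:
                    for entry in outer.namelist():
                        if entry.lower().endswith(".jar") and CANDIDATE_RE.match(os.path.basename(entry)):
                            findings.append(inspect_jar(io.BytesIO(outer.read(entry)), f"{rel}!{entry}"))
            except zipfile.BadZipFile:
                continue
    return findings


def summarize(root: str) -> Dict[str, str]:
    return {f["path"]: f["status"] for f in scan(root)}


def _write_jar(dest, version: Optional[str], core: bool, jndi: bool) -> None:
    """Synthetic jar: manifest plus placeholder class entries (constructed sample data)."""
    with zipfile.ZipFile(dest, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\n" + (f"Implementation-Version: {version}\n" if version else ""))
        if core:
            zf.writestr(CORE_PACKAGE + "LogEvent.class", b"\xca\xfe\xba\xbe")
        if jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")


def build_sample_tree() -> str:
    """Constructed install tree in a temp dir; nothing here is a real Talend layout."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    _write_jar(os.path.join(lib, "log4j-1.2.16.jar"), "1.2.16", False, False)
    _write_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1", True, True)
    _write_jar(os.path.join(lib, "log4j-core-2.15.0.jar"), "2.15.0", True, True)
    _write_jar(os.path.join(lib, "log4j-api-2.17.1.jar"), "2.17.1", False, False)
    _write_jar(os.path.join(lib, "log4j-core.jar"), "2.16.0", True, True)  # version only in manifest
    inner = io.BytesIO()  # webapp whose bundled log4j-core had JndiLookup.class deleted as a stopgap
    _write_jar(inner, "2.14.1", True, False)
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
        war.writestr("WEB-INF/lib/log4j-over-slf4j-1.7.30.jar", b"decoy, not log4j")
    return root


if __name__ == "__main__":
    for f in scan(build_sample_tree()):
        print(f"{f['status']:<62} {f['version'] or '?':<8} {f['path']}")
```

Run it against a real installation with `scan("/opt/Talend")` or similar; "mitigated" means the class-removal workaround is in place but the jar is still a vulnerable version and should be replaced by the vendor patch, which is the distinction between mitigation and remediation that comes up later in this thread.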
JSD03
Contributor III

Hello,

Same question for Talend ESB 7.3.1 regarding this official announcement: https://logging.apache.org/log4j/2.x/security.html

And if yes, what is the procedure to upgrade the version (not Talend, just log4j)?

MikeBender27
Contributor

My security team is asking the same questions. We are running Talend Cloud Big Data 7.3.1 with Talend Studio 7.3.1 and I would like to understand our exposure to this vulnerability.

lfr
Contributor

We are preparing a migration to 7.3.1 and are also waiting for news and recommendations from Talend.

Anonymous
Not applicable

Hi all, I'd like to draw your attention to this page on the vulnerability:

https://www.talend.com/security/incident-response/

JSD03
Contributor III

Yes, good: we have applied this fix on our system, but a new log4j vulnerability has been published today: https://nvd.nist.gov/vuln/detail/CVE-2021-45046. Do you have a new workaround?

Anonymous
Not applicable

Just to be clear, the document linked to above does not list fixes, it lists ways to mitigate for this issue until patches are ready. I have spoken to our Support team and have been informed that the incident-response page is being updated as we speak.

JSD03
Contributor III

OK thanks for the clarification

seaferring
Contributor

Mitigation is NOT remediation. A company like Talend should know this. I suspect they do and just do not care.

Anonymous
Not applicable

Hi @Malcolm O'Callaghan,

If you take a look at the page I pointed to (https://www.talend.com/security/incident-response/) you will see that patches or upgrades have been released for all of our subscription products. The mitigation steps were added to allow people to make their environments as safe as possible while the R&D work was taking place on the patches. These were released as soon as possible.


Some of the many benefits of using the subscription product are that it comes with support, upgrades and patches. The Open Studio product does not. Due to this, there is no "patch" implementation functionality built into it. To upgrade, you need to take a new version. When the new version is released, it will contain all of the fixes to these Apache Log4j issues. If you would like to receive the benefit of patches, upgrades and support, I can arrange for one of our sales team to contact you. Please let me know if this is a route that you'd like to take.


Regards


Richard