Hi,
Is Talend BD 6.4.1 affected at all by the log4j vulnerability problem?
The Talend installation and workspace directories only contain the older versions log4j-1.2.15.jar and log4j-1.2.16.jar.
The log4j problem affects only log4j versions higher than 2.0.
So am I correct that Talend BD 6.4.1 is not affected?
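The directory check described in the post above can be scripted. This is an added example, not part of the original thread and not Talend tooling: it lists log4j jars under an installation root by file name and also flags any jar that contains the log4j 2.x `JndiLookup` class, which catches renamed jars. The function names and the sample tree are constructed for illustration, and the scan assumes jars sit directly on disk (it does not open archives nested inside other archives).

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Class file that marks a log4j 2.x core jar shipping the JNDI lookup.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# File names such as log4j-1.2.16.jar or log4j-core-2.14.1.jar.
NAME_RE = re.compile(r"^log4j(?:-[a-z0-9]+)*?-(\d+)\.(\d[\w.\-]*)\.jar$", re.I)

def inventory(root):
    """Return sorted (relative path, version from file name, has JndiLookup)."""
    findings = []
    for jar in Path(root).rglob("*.jar"):
        m = NAME_RE.match(jar.name)
        has_jndi = False
        try:
            with zipfile.ZipFile(jar) as zf:
                has_jndi = JNDI_CLASS in zf.namelist()
        except (zipfile.BadZipFile, OSError):
            pass  # unreadable archive: fall back to the file name only
        if m or has_jndi:
            version = f"{m.group(1)}.{m.group(2)}" if m else "unknown"
            findings.append((jar.relative_to(root).as_posix(), version, has_jndi))
    return sorted(findings)

def build_sample_tree(root):
    """Create a constructed tree of synthetic jars (empty class entries)."""
    lib = Path(root) / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    sample = {
        "log4j-1.2.16.jar": ["org/apache/log4j/Logger.class"],
        "log4j-core-2.14.1.jar": [JNDI_CLASS],
        "renamed-logging.jar": [JNDI_CLASS],  # version hidden by a rename
        "commons-io-2.6.jar": ["org/apache/commons/io/IOUtils.class"],
    }
    for name, entries in sample.items():
        with zipfile.ZipFile(lib / name, "w") as zf:
            for entry in entries:
                zf.writestr(entry, b"")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, version, has_jndi in inventory(tmp):
            print(f"{path}\tversion={version}\tJndiLookup={'yes' if has_jndi else 'no'}")
```

Point `inventory()` at the real installation and workspace directories instead of the sample tree; a row with `JndiLookup=yes` is the one to compare against the vendor's advisory.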
Hello,
Same question for Talend ESB 7.3.1 regarding this official announcement: https://logging.apache.org/log4j/2.x/security.html
And if yes, what is the procedure to upgrade the version (not Talend, just log4j)?
My security team is asking the same questions. We are running Talend Cloud Big Data 7.3.1 with Talend Studio 7.3.1 and I would like to understand our exposure to this vulnerability.
We are preparing a migration to 7.3.1 and we are also waiting for news and recommendations from Talend.
Hi all, I'd like to draw your attention to this page on the vulnerability...
https://www.talend.com/security/incident-response/
Yes, good: we have applied this fix on our system, but a new log4j vulnerability has been published today: https://nvd.nist.gov/vuln/detail/CVE-2021-45046. Do you have a new workaround?
Just to be clear, the document linked to above does not list fixes, it lists ways to mitigate this issue until patches are ready. I have spoken to our Support team and have been informed that the incident-response page is being updated as we speak.
OK, thanks for the clarification.
Mitigation is NOT remediation. A company like Talend should know this. I suspect they do and just do not care.
Hi @Malcolm O'Callaghan,
If you take a look at the page I pointed to (https://www.talend.com/security/incident-response/) you will see that patches or upgrades have been released for all of our subscription products. The mitigation steps were added to allow people to make their environments as safe as possible while the R&D work was taking place on the patches. These were released as soon as possible.
Some of the many benefits of using the subscription product are that it comes with support, upgrades and patches. The Open Studio product does not. Due to this, there is no "patch" implementation functionality built in to it. To upgrade, you need to take a new version. When the new version is released, it will contain all of the fixes to these Apache Log4j issues. If you would like to receive the benefit of patches, upgrades and support, I can arrange for one of our sales team to contact you. Please let me know if this is a route that you'd like to take.
Regards
Richard