After a recent scan by the SecOps team, the same vulnerable files that were previously flagged have reappeared on the system. The vulnerability is rated as critical.
This issue arises only when Talend Studio is installed via the Talend Installer, which creates the 'lucene_migration_tool' folder containing lucene-4-8.0.0.jar and lucene-8-8.0.0.jar. These JAR files use Apache Log4j version 1.2.17.0.
Resolution
Please manually delete the 'lucene_migration_tool' folder from the directory located at '<Studio_Home>/addons/scripts/'. This migration tool is only useful when creating an index from a version lower than Talend Studio 7.2. For further details, please read this documentation page.
Note that the 'lucene_migration_tool' folder will not be created by the new version of Talend Installer.
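To confirm the finding before and after the cleanup, the following added example (not Talend's own tooling) lists the JARs in the folder that bundle Log4j 1.x classes and then removes the folder as described in the Resolution. It assumes the Log4j classes are packaged inside the JARs under `org/apache/log4j/`; the function names and the `--delete` switch are hypothetical.

```python
import shutil
import sys
import zipfile
from pathlib import Path

# Relative location given in the article; <Studio_Home> is supplied by the caller.
TOOL_DIR = Path("addons") / "scripts" / "lucene_migration_tool"
# Assumption: Log4j 1.x classes are bundled inside the JARs under this package path.
LOG4J1_PREFIX = "org/apache/log4j/"


def jars_with_log4j1(studio_home):
    """Return JARs in lucene_migration_tool that contain Log4j 1.x classes
    or that cannot be read as an archive (so they get reviewed by hand)."""
    tool_dir = Path(studio_home) / TOOL_DIR
    hits = []
    if not tool_dir.is_dir():
        return hits
    for jar in sorted(tool_dir.rglob("*.jar")):
        try:
            with zipfile.ZipFile(jar) as zf:
                if any(n.startswith(LOG4J1_PREFIX) and n.endswith(".class")
                       for n in zf.namelist()):
                    hits.append(jar)
        except zipfile.BadZipFile:
            hits.append(jar)
    return hits


def remove_tool_dir(studio_home, dry_run=True):
    """Delete the folder as the Resolution describes; return True if it is absent."""
    tool_dir = Path(studio_home) / TOOL_DIR
    if tool_dir.is_symlink():
        raise RuntimeError(f"{tool_dir} is a symlink; refusing to follow it")
    if tool_dir.is_dir() and not dry_run:
        shutil.rmtree(tool_dir)
    return not tool_dir.exists()


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: script <Studio_Home> [--delete]")
    home = sys.argv[1]
    for jar in jars_with_log4j1(home):
        print("flagged:", jar)
    absent = remove_tool_dir(home, dry_run="--delete" not in sys.argv)
    print("folder absent" if absent else "folder still present (pass --delete)")
```

Run it once without `--delete` to see what the scanner is likely matching, then again with `--delete` and re-scan.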