heshkaru
Creator

Remove default log4j version and add a new version globally

Hi,

Currently Talend uses log4j version 2.12, which has the latest vulnerability discovered. As I can see, for each job there is a separate POM file and all those files are using that log4j version. Do I need to manually go to each and every POM file and change it, or is there an easy way to change this version to the new log4j 2.17.1 version?

https://www.secureworks.com/blog/log4j-vulnerability-faqs#:~:text=rated%20moderate%20severity.-,Version%202.17.,was%20disclosed%20on%20December%2016.

Thank you

Anonymous
Not applicable

Hello,

Could you please indicate which Talend solution you are using?

Here is online documentation about: TalendHelpCenter: Official statement and remediation efforts for Log4j2 security issue (CVE-2021-442...

Best regards

Sabrina

 

heshkaru
Creator
Author

Hi,

I'm using Talend Open Studio 7.4.1.

This is regarding the latest vulnerability discovered in December 2021.

CVE-2021-44228 and CVE-2021-45046

 

When I build the job it automatically takes the log4j 2.12.1 version, so I need to manually add 2.17.1 after building the job.

Is there a way to change the default log4j version to the new version rather than adding 'nolookups'?

 

Thank you

Anonymous
Not applicable

Hello,

Note: The mitigation steps that we have described in the Talend Help apply to TOS as well.

For your use case, you could install the module externally from the Maven repository.

1. Download the jar from https://mvnrepository.com/artifact/org.apache.logging.log4j

2. Select the appropriate jar which needs to be upgraded.

3. Select the module in TOS.

4. Click Detect and install module.

Let us know if you can see that the latest jar exists when you build the job.

Hope this will help.

Best regards

Sabrina

 

heshkaru
Creator
Author

How do I access this screen?

I think this way is correct.

 

Thank you

Anonymous
Not applicable

Hello,

Let us know if these screenshots are broken from your side.

Best regards

Sabrina

heshkaru
Creator
Author

Fixed it.

Thank you very much

Anonymous
Not applicable

Hello,

Great it works. Feel free to let us know if there is any further help we can give.

Best regards

Sabrina

 

toshi1
Contributor

Hello,

Can you help me please? It's very important and time-critical for our company.

We need a TOS with a log4j 2.x version, whether DI or BD.

Thank you

Torsten

mailto:torsten.t.schroeder@deutschebahn.com

 

heshkaru
Creator
Author

@Torsten Schröder Hi,

This is the documentation I did for the Log4j fix.

The latest vulnerability related to Log4j is described below.

https://www.secureworks.com/blog/log4j-vulnerability-faqs#:~:text=rated%20moderate%20severity.-,Vers...

RCA: After the Talend zip file is deployed to the server, vulnerabilities are scanned from the Talend libraries.

Fix Number 1: Remove dependencies from Talend Studio itself (best option)

1. Open Talend Studio.

2. Navigate to Window → Show View → Other → Modules and click Open.

3. The Modules window is displayed; type "log4j" in the search bar.

4. Select the necessary dependency and click on the Maven URI.

5. A popup will open.

For Windows users, all the built-in dependencies are stored in the "C:\Program Files (x86)\TOS_DI-7.4.1\studio\plugins\org.talend.libraries.apache_7.4.1.20201127_0205\lib" folder. Navigate to that folder, delete the old jar version and paste the new jar version.

6. Click … and add the new jar file.

7. Navigate to the folder mentioned in red above and select the new jar version.

8. Click "Detect the module install status" and click OK.

9. This way you can easily change/update dependencies provided by Talend.

10. Once you build the job, extract it and navigate to the 'libs' folder, you can see that the newly updated versions are reflected in the libraries.
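As an added check for step 10 above and for the per-job POM files raised in the opening question (example code written for this thread, not Talend's own tooling): a small scanner that walks an extracted job's libs folder or the Studio plugin lib folder, flags log4j jars and hard-coded POM pins older than 2.17.1, and reports property-driven pins it cannot judge. The 2.17.1 threshold, the jar filename pattern and the sample pom.xml are assumptions.

```python
import os
import re
import xml.etree.ElementTree as ET

# Assumed minimum version, matching the version the thread upgrades to.
MIN_VERSION = (2, 17, 1)
JAR_RE = re.compile(r"^(log4j-[a-z0-9.-]+?)-(\d+(?:\.\d+)*)\.jar$")
# Constructed sample pom.xml: one stale pin, one ${property} pin that needs the parent POM to resolve.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
<dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-core</artifactId><version>2.12.1</version></dependency>
<dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-api</artifactId><version>${log4j.version}</version></dependency>
<dependency><groupId>org.example</groupId><artifactId>foo</artifactId><version>1.0</version></dependency>
</dependencies></project>"""

def parse_version(text):
    return tuple(int(p) for p in text.split("."))

def jar_findings(filenames):
    """(artifact, version, outdated) for every log4j jar name in the list, sorted by name."""
    out = []
    for name in sorted(filenames):
        m = JAR_RE.match(name)
        if m:
            out.append((m.group(1), m.group(2), parse_version(m.group(2)) < MIN_VERSION))
    return out

def pom_findings(pom_xml):
    """(artifactId, version, outdated) for org.apache.logging.log4j dependencies in a pom.xml string."""
    local = lambda tag: tag.rsplit("}", 1)[-1]  # ignore the Maven XML namespace if present
    out = []
    for dep in (e for e in ET.fromstring(pom_xml).iter() if local(e.tag) == "dependency"):
        f = {local(c.tag): (c.text or "").strip() for c in dep}
        if f.get("groupId") != "org.apache.logging.log4j":
            continue
        ver = f.get("version", "")
        # Only a literal version is compared; ${property} or missing versions are reported as not judged (False).
        outdated = bool(re.fullmatch(r"\d+(?:\.\d+)*", ver)) and parse_version(ver) < MIN_VERSION
        out.append((f.get("artifactId", ""), ver, outdated))
    return out

def scan_tree(root_dir):
    """Walk an extracted job's libs/ (or the Studio plugin lib folder) and any pom.xml files under it."""
    report = []
    for dirpath, _, files in os.walk(root_dir):
        report += [(os.path.join(dirpath, f"{a}-{v}.jar"), v, bad) for a, v, bad in jar_findings(files)]
        if "pom.xml" in files:
            with open(os.path.join(dirpath, "pom.xml"), encoding="utf-8") as fh:
                report += [(os.path.join(dirpath, "pom.xml") + "#" + a, v, bad) for a, v, bad in pom_findings(fh.read())]
    return report
```

Run `scan_tree` against the extracted build directory after step 10; any entry with `outdated` set means the old jar or POM pin survived the swap, and a `${...}` version needs to be resolved against the parent POM by hand.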