Solved: Re: Remove default log4j version and add a new ver... - Qlik Community

heshkaru · ‎2022-03-01

Hi,

Currently talend uses log4j 2.12 version which has the latest vulnerability discovered. As I can see for each job there is a separate POM file and all those files are using that log4j version. Do I need to manually go to each and every POM file and change it or is there a easy way to change this version to new log4j 2.17.1 version.

https://www.secureworks.com/blog/log4j-vulnerability-faqs# :~:text=rated%20moderate%20severity.-,Version%202.17.,was%20disclosed%20on%20December%2016.

Thank you

Anonymous · ‎2022-03-02

Hello,

Let us know if these screenshots are broken from your side.

Best regards

Sabrina

View solution in original post

Anonymous · ‎2022-03-01

Hello,

Could you please indicate which talend solution are you using?

Here is online documentation about: TalendHelpCenter: Official statement and remediation efforts for Log4j2 security issue (CVE-2021-442...

Best regards

Sabrina

heshkaru · ‎2022-03-02

Hi,

Im using talend openstudio 7.4.1.

This is regarding the latest vulnerabilitiy discovered in dec 2021.

CVE-2021-44228 and CVE-2021-45046

When I build the job it automatically takes log4j 2.12.1 version. So I need to manually add 2.17.1 after building the job.

Is there a way to change the default log4j version to new version rather than adding 'nolookups'

Thank you

Anonymous · ‎2022-03-02

Hello,

Note: The mitigation steps that we have described in the Talend Help apply to TOS as well.

For your use case, you could install the module externally from maven repository.

1.Download the jar from https://mvnrepository.com/artifact/org.apache.logging.log4j

2.select the appropriate jar which needs to be upgraded

3.select the module in TOS

4.Click Detect and install module

Let us know if you can see the latest jar exist when you build the job.

Hope this will help.

Best regards

Sabrina

heshkaru · ‎2022-03-02

How do i access this screen.

I think this way is correct.

Thank you

Anonymous · ‎2022-03-02

Hello,

Let us know if these screenshots are broken from your side.

Best regards

Sabrina

heshkaru · ‎2022-03-02

Fixed it.

Thank you very much

Anonymous · ‎2022-03-02

Hello,

Great it works. Feel free to let us know if there is any further help we can give.

Best regards

Sabrina

toshi1 · ‎2022-04-01

Hello,

can you help me please, it's very important and time critical for our Company.

We need a TOS with log4j 2.x Version whatever DI or BD.

Thank you

Torsten

mailto:torsten.t.schroeder@deutschebahn.com

heshkaru · ‎2022-04-01

@Torsten Schröder Hi,

This is the documentation I did for the Log4j Fix

Latest vulnerability related to Log4j is found in below.

https://www.secureworks.com/blog/log4j-vulnerability-faqs#:~:text=rated%20moderate%20severity.-,Vers...

RCA: After Talend Zip file is deployed to server, vulnerabilites are scanned from Talend Libraries.

Fix Number 1 : Remove dependencies from Talend Studio itself (Best Option)

Open Talend Studio
Navigate to Window → Show View → Other → Modules and click open.
Module window will be displayed and type “log4j“ in the search bar.

4. Select the necessary dependency and click on the Maven URI.

5. A popup will be open

For windows users all the inbuild dependencies are stored in “C:\Program Files (x86)\TOS_DI-7.4.1\studio\plugins\org.talend.libraries.apache_7.4.1.20201127_0205\lib” folder. Navigate to that folder and delete the old jar version and paste the new jar version.

6. Click … and add the new jar file.

7. Navigate to the folder mention in red color above and select the new jar version.

8. Click “Detect the module install status“ and Click OK.

9. This way you can easily change/update dependencies provided by talend.

10. Once you build the job and extract it and navigate to 'libs' folder you can see that newly updated versions are reflected to the libraries.

Remove default log4j version and add a new version globally

Talend Data Integration

v7.x