
Remove default log4j version and add a new version globally
Hi,
Currently Talend uses log4j version 2.12, which has the latest vulnerability discovered. As I can see, for each job there is a separate POM file and all those files are using that log4j version. Do I need to manually go to each and every POM file and change it, or is there an easy way to change this version to the new log4j 2.17.1 version?
https://www.secureworks.com/blog/log4j-vulnerability-faqs#:~:text=rated%20moderate%20severity.-,Version%202.17.,was%20disclosed%20on%20December%2016.
Thank you
Accepted Solutions

Hello,
Let us know if these screenshots are broken from your side.
Best regards
Sabrina

Hello,
Could you please indicate which Talend solution you are using?
Here is online documentation about: TalendHelpCenter: Official statement and remediation efforts for Log4j2 security issue (CVE-2021-442...
Best regards
Sabrina

Hi,
I'm using Talend Open Studio 7.4.1.
This is regarding the latest vulnerability discovered in Dec 2021:
CVE-2021-44228 and CVE-2021-45046
When I build the job it automatically takes log4j version 2.12.1, so I need to manually add 2.17.1 after building the job.
Is there a way to change the default log4j version to the new version rather than adding 'nolookups'?
Thank you

Hello,
Note: The mitigation steps that we have described in the Talend Help apply to TOS as well.
For your use case, you could install the module externally from the Maven repository.
1. Download the jar from https://mvnrepository.com/artifact/org.apache.logging.log4j
2. Select the appropriate jar which needs to be upgraded.
3. Select the module in TOS.
4. Click Detect and install module.
Let us know if you can see that the latest jar exists when you build the job.
Hope this will help.
Best regards
Sabrina

How do I access this screen?
I think this way is correct.
Thank you

Hello,
Let us know if these screenshots are broken from your side.
Best regards
Sabrina

Fixed it.
Thank you very much

Hello,
Great, it works. Feel free to let us know if there is any further help we can give.
Best regards
Sabrina

Hello,
Can you help me, please? It's very important and time-critical for our company.
We need a TOS with a log4j 2.x version, whether DI or BD.
Thank you
Torsten
mailto:torsten.t.schroeder@deutschebahn.com

@Torsten Schröder Hi,
This is the documentation I did for the Log4j fix.
The latest vulnerability related to Log4j is found below.
RCA: After the Talend zip file is deployed to the server, vulnerabilities are scanned from the Talend libraries.
Fix Number 1: Remove dependencies from Talend Studio itself (Best Option)
1. Open Talend Studio.
2. Navigate to Window → Show View → Other → Modules and click Open.
3. The Modules window will be displayed; type “log4j” in the search bar.
4. Select the necessary dependency and click on the Maven URI.
5. A popup will open.
For Windows users, all the inbuilt dependencies are stored in the “C:\Program Files (x86)\TOS_DI-7.4.1\studio\plugins\org.talend.libraries.apache_7.4.1.20201127_0205\lib” folder. Navigate to that folder, delete the old jar version and paste the new jar version.
6. Click … and add the new jar file.
7. Navigate to the folder mentioned in red color above and select the new jar version.
8. Click “Detect the module install status” and click OK.
9. This way you can easily change/update dependencies provided by Talend.
10. Once you build the job, extract it and navigate to the 'libs' folder, you can see that the newly updated versions are reflected in the libraries.
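
The check in step 10 can be scripted. The following is an added example, not part of the original thread or of Talend's tooling: it scans a built job zip for log4j-core and log4j-api jars and flags any below 2.17.1, the version the thread targets. The function names and the sample archive are constructed, and it assumes the jar manifest carries an Implementation-Version attribute, falling back to the file name when it does not.

```python
import io
import re
import zipfile

MIN_VERSION = (2, 17, 1)  # target version named in this thread
JAR_NAME = re.compile(r"(?:^|/)(log4j-(?:core|api))-(\d+(?:\.\d+)+)\.jar$")

def as_tuple(version):
    return tuple(int(n) for n in re.findall(r"\d+", version))

def manifest_version(jar_bytes):
    """Implementation-Version from the jar's manifest, or None if absent."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):
        return None
    found = re.search(r"^Implementation-Version:\s*(\S+)", text, re.M)
    return found.group(1) if found else None

def audit_job_archive(archive):
    """Return [(path, version, ok)] for each log4j-core/api jar in the zip."""
    results = []
    with zipfile.ZipFile(archive) as job:
        for path in job.namelist():
            match = JAR_NAME.search(path)
            if not match:
                continue
            # Prefer the manifest: a renamed old jar must not pass the check.
            version = manifest_version(job.read(path)) or match.group(2)
            results.append((path, version, as_tuple(version) >= MIN_VERSION))
    return results

def build_sample_job():
    """Constructed job archive: one stale jar, one updated, one renamed."""
    def jar(version):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {version}\n")
        return buf.getvalue()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("demo_job/lib/log4j-core-2.12.1.jar", jar("2.12.1"))
        z.writestr("demo_job/lib/log4j-api-2.17.1.jar", jar("2.17.1"))
        z.writestr("demo_job/lib/log4j-core-2.17.1.jar", jar("2.12.1"))
    return buf

if __name__ == "__main__":
    for path, version, ok in audit_job_archive(build_sample_job()):
        print("OK   " if ok else "STALE", version, path)
```

To check a real build, pass the path of the exported job zip to `audit_job_archive` instead of the constructed sample.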
