CVE-2022-29943: Talend Security
Talend Administration Center has a vulnerability that allows an authenticated user to use XML External Entity (XXE) processing to achieve read access as root on the remote filesystem. The issue is fixed for versions 8.0.x in TPS-5189, versions 7.3.x in TPS-5175, and versions 7.2.x in TPS-5201. Earlier versions of Talend Administration Center may also be impacted; users are encouraged to update to a supported version.
To keep the content current, the entire mitigation technical-steps section has been moved to the “Log4j2 Issue (CVE-2021-44228)” section of the Talend Documentation site. The section is located at https://document-link.us.cloud.talend.com/talend_log4j2_cve_statement?lang=en&version=latest&env=prd
Frequently Asked Questions
**Does Talend employ affected versions of Log4j in its software?**
Yes. Certain Talend Services use Log4j2 or provide it to customers as part of their Services. Details regarding specific Talend Service versions and steps to address the issues are provided in the Security Incident Response.
**Is Log4j part of any functionality a Talend customer uses when working with Talend?**
Yes.
**Does Talend have a patch available now, or when will it be available?**
Patches are specific to the Talend Service, the version of the Talend Service, the severity of the risk, and other mitigating controls Talend maintains. While Talend has developed and implemented patches for the Apache Log4j2 vulnerability, the situation is dynamic, and updates are disclosed on a continuous basis. To stay up to date with the most relevant information, please refer to the table in the Summary section of this document.
**How will Talend notify its customers, and how will customers receive the patch?**
We have reached out to customers via registered support contacts with instructions to monitor the Security Incident Response page. This page is updated regularly and is the best source for up-to-date information.
**If Talend is hosting the customer's Talend instance, is Talend using Apache Log4j on any of its systems?**
Yes. Certain Talend Services use Log4j2 or provide it to customers as part of their Services.
**What steps has Talend taken to mitigate the threat?**
Since disclosure of the Apache Log4j2 vulnerability, Talend has taken steps to identify all the instances where Apache Log4j2 is utilized within Talend Services, developed and implemented patches where applicable and as needed, implemented other mitigating controls, and contacted Talend vendors regarding their exposure to Apache Log4j2.
Mitigation efforts, including software patches, are specific to the Talend Service, the version of the Talend Service, and the severity of the risk. While Talend has developed patches for the Apache Log4j2 vulnerability, the situation is dynamic, and updates are disclosed on a continuous basis. To stay up to date with the most relevant information, please refer to the table in the Summary section of this document.
**Is Talend monitoring its systems for any indicators of compromise (IOCs)?**
Yes.
**Have any of Talend’s third parties been affected by this threat?**
Yes. Part of what makes the Apache Log4j2 vulnerability so severe is its widespread use. Talend is in the process of communicating with critical vendors to coordinate remediation.
**Will Talend publish information related to versions which have reached their end of life (e.g. 5.X, 6.X, or earlier 7.X releases)?**
Yes. Currently supported products are our priority. To determine if a version is supported or has reached its end of life, please refer to Talend’s Product Support Lifecycle at https://www.talend.com/technical-support/support-statements/. Please see the summary table above for version-specific information.
**When using the dynamic distribution feature of Talend to connect to a cluster, is it necessary to rebuild/republish jobs to remediate the Log4j vulnerability?**
Yes.
**For Talend v7.3 and Talend v8.0, do I need to rebuild my Talend Jobs and Routes after installing the Studio patch?**
Yes.