Full Installer Release 8.0.1-R2022-10-RT (monthly release cumulative patch) - 8.0

Version
8.0
Language
English
Product
Talend ESB
Module
Talend ESB
Last publication date
2022-10-26

Full Installer Release 8.0.1-R2022-10-RT (monthly release cumulative patch)

Release Name: TalendRuntime-8.0.1-R2022-10-RT-linux-x64-installer and TalendRuntime-8.0.1-R2022-10-RT-windows-installer
Release Date: 2022-10-26
Product affected: Talend ESB Runtime

Caution

This release differs from the previously released monthly patches. It contains a complete updated Talend ESB Runtime 8.0.1, with its installer. It is not meant to be installed as a patch but as a new ESB runtime installation. All services have to be redeployed on this new installation.

Introduction

This version update is cumulative. It includes the previous generally available patches from Talend ESB Runtime 8.0.1, as well as the original 8.0.1 ESB runtime setup. This release is a complete ESB runtime setup that would serve as a target version for future monthly patches.

IMPORTANT: This version includes the fix for CVE-2021-40684; details can be found at https://jira.talendforge.org/browse/SF-141

Installation

Please refer to the installation instructions (https://document-link.us.cloud.talend.com/search_install_runtime?env=prd&lang=en&version=cl) to install this new runtime.

Fixed issues

This version contains the following fixes:

TESB

  • TPRUN-3945: Improper output neutralization of logs
  • TPRUN-3908: CVE-2022-45589 - SQL injection fix
  • TPRUN-4460: Can't set 2 RE and 2 runtime in the same machine
  • TPRUN-4138: Camel 3: issue with "google-pubsub" component
  • TPRUN-4329: CVE-2022-2048 - Update of Jetty in TESB to 9.4.48
  • TPRUN-4381: Remove vulnerable versions of pax-logging from the TESB Karaf system repository
  • TPRUN-4354: CVE: netty-common-4.1.68.Final
  • TPRUN-4270: Integrate TDM-9532
  • TPRUN-4200: Integrate JobServer patches into runtime 8.0 monthly patch
  • TPRUN-4060: Remove MSSQL from the system classpath in Talend ESB
  • TPRUN-4287: Problem with the newest version of Runtime tar.gz file
  • TPRUN-4222: Deploy/Undeploy is refreshing the other features/bundles
  • TPRUN-3354: Investigate message logging in case it is logging the authorization header
  • TPRUN-3474: [8.0.1] Update of jackson-databind in TESB (CVE-2020-36518)
  • TPRUN-3441: [8.0.1] Ensure no vulnerable Spring versions are introduced through Karaf feature dependencies
  • TPRUN-3349: Security update of pax-url to 2.6.11
  • TPRUN-3345: tRestClient - oauth2 - noClassDefFoundError Exception - Data Service
  • TPRUN-2805: Disable Zookeeper AdminServer by default
  • TPRUN-3065: Feature camel-spring-redis
  • TPRUN-3157: CVE-related update of xstream to 1.4.19
  • TPRUN-3214: Update pax logging to 1.11.15 in Talend ESB runtime
  • TPRUN-2601: Make password encryption algorithm configurable + stronger
  • TPRUN-2631: Update AlgorithmSuite in etc/org.talend.esb.job.saml.policy
  • TPRUN-2175: data-source of mysql support only mysql 5
  • TPRUN-2925: Error with zookeeper when deploy REST/Soap service with Service Locator
  • TPRUN-3051: Update ant version used with Talend ESB
  • TPRUN-2228: Update Jetty to 9.4.43 or later
  • TPRUN-2915: Authorization fail for DemoService and DemoConsumerjob with error "No certificates for user"
  • TPRUN-2553: Connecting to two SAP instances from same ESB container with datasource
  • TPRUN-2841: [8.0.1] CVE-related update of Apache security in Talend ESB
  • TPRUN-2840: [8.0.1] CVE-related update of pax-logging in Talend ESB runtime to 1.11.13.
  • TPRUN-2793: [8.0] Missing feature repositories when offline
  • TPRUN-2385: Component must have a valid id when adding cxf:bus element in route's spring tab
  • TPRUN-2849: Runtime Error Installing Patch TPS-5064_v1-RT-8.0.1 error 'setenv.bat does not exist'
  • TPRUN-2699: [CVE] Update of log4j2 and pax-logging because of GHSA-xxfh-x98p-j8fr
  • TPRUN-2546: Setup patch creator for maintenance/8.0

TPSVC

  • TPS-5111: [8.0.1] JMX port 8888 is inactive for runtime from TAC while enabling SSL (TPRUN-2948)
  • TPS-5039: Mitigate / fix JobServer log4j2 vulnerabilities (CVE-2021-44228) (TPRUN-2701)
  • TPRUN-2543: Fix compatibility statement logged at JobServer startup
  • TPS-5076: [8.0.1] Include the possibility to define the certificate password when defining SSL on JobServer and runtime (TPRUN-1805)

TDM

  • TDM-9607: CSV Reader loses tab as delimiter in runtime configuration
  • TDM-9554: Decimal Cobol field of size 18 missing properties when exported to avro
  • TDM-9462: Flattening map not working correctly for EDI 834 document
  • TDM-9137: Move MessageCore to new Bundle org.talend.transform.common
  • TDM-9344: JSON Writer: optional element without a value need not be shown in test run
  • TDM-9379: Remove unused or empty messages
  • TDM-9412: Add Mariadb
  • TDM-9439: Backport translated messages from 8.8.8 to the current 8.0.1 monthly
  • TDM-9405: ConcurrentModificationException - on job data as service in runtime ESB
  • TDM-9380: Remove DirectoryExecMapRuntimeImpl
  • TDM-9298: Remove Importer for java classes and JAR files
  • TDM-9290: Position reported by JSON Importer on errors is sometimes offset by 1
  • TDM-9289: Remove ExecutionProperties from the ExecutionStatus
  • TDM-9278: [OldRuntime] Execution status is accumulated when there are multiple executions for a tHMap
  • TDM-9254: JSON default alternative matcher should accept integer as exact match for Double/Float
  • TDM-9237: JSON Reader encodes ellipsis character
  • TDM-9226: Null item in JSON array is omitted on output
  • TDM-9222: JSON Reader gets stackoverflow with recursive Choice
  • TDM-9215: Fix numeric enumeration in avro export/import completely
  • TDM-9214: Default JSON Choice matcher should use Enum values when available
  • TDM-9203: JSON default choice handler fails on optional array
  • TDM-9201: Cobol Show Document error reporting must be improved
  • TDM-9197: Error when installing TDM feature into ESB runtime
  • TDM-9174: tuj job tdm_TDMT627_csv_writer fails with JSON syntax error
  • TDM-9078: Avro exporter fails to export expressions set on Choices
  • TDM-9077: Avro exporter produces wrong operand avroloc within Choices and Alternatives
  • TDM-9043: JSON Reader supporting expressions as discriminators
  • TDM-9033: Add representation options to reduce size of JSON output
  • TDM-8449: Support JSONL
  • TDM-7427: data type optional segment is in test run result

CVE fixes

  • CVE-2022-45589: SQL Injection attacks (TPRUN-3908)
  • CVE-2020-36518: Update of Jackson to 2.13.2, Jackson-databind to 2.13.2.2 (TPRUN-3474)
  • CVE-2022-22965: Update of Spring to 5.3.18 (TPRUN-3441)
  • CVE-2021-43859: Update of XStream to 1.4.19, includes fixes for older XStream CVEs (TPRUN-3157)
  • CVE-2021-44228: Update of Log4j to 2.17.1, pax-logging to 1.11.15 (TPRUN-3214, TPRUN-2701, TPRUN-2699)
  • CVE-2021-36374: Update of Ant to 1.10.12, includes fixes for older Ant CVEs (TPRUN-3051)
  • CVE-2021-34429: Update of Jetty to 9.4.43.v20210629, includes fixes for older Jetty CVEs (TPRUN-2228)
  • CVE-2021-40690: Update of Apache xmlsec to 2.2.3, includes fixes for older xmlsec CVEs (TPRUN-2841)
  • CVE-2022-2048: Update of Jetty to 9.4.48 (TPRUN-4329)
  • CVE-2022-24823: Update of Netty to 4.1.68 (TPRUN-4354)
  • CVE-2020-36518: Update of Jackson-databind to 2.13.2.2 (TPRUN-3474)

Notes

Support for OpenJDK 11

The recommended version of the OpenJDK 11 is 11.0.6 or higher.

Enhancement of the SAP connector add-on

The configuration of the "talend-sapjco3-connector" in version 5.5.1 allows additional SAP endpoints to be defined by adding prefixed properties. Here is a sample for an endpoint named "PEER_CONNECTION_POOL":

jco.client.ashost = myfirsthost.example.org
jco.client.sysnr = 00
jco.client.client = 800
jco.client.user = DEVUSRA
jco.client.passwd = ***
jco.client.lang = EN
jco.destination.peak_limit = 10
jco.destination.pool_capacity = 3

endpoint.SAP_PEER_CONNECTION_POOL.jco.client.ashost = mysecondhost.example.org
endpoint.SAP_PEER_CONNECTION_POOL.jco.client.sysnr = 00
endpoint.SAP_PEER_CONNECTION_POOL.jco.client.client = 100
endpoint.SAP_PEER_CONNECTION_POOL.jco.client.user = DEVUSRB
endpoint.SAP_PEER_CONNECTION_POOL.jco.client.passwd = ***
endpoint.SAP_PEER_CONNECTION_POOL.jco.client.lang = EN
endpoint.SAP_PEER_CONNECTION_POOL.jco.destination.peak_limit = 10
endpoint.SAP_PEER_CONNECTION_POOL.jco.destination.pool_capacity = 3

Datasources names updated default values (TPRUN-2175)

All tesb-datasource-<database> features have been updated to use the default alias ds-{database} instead of jdbc/sam. If any Studio models still use the jdbc/sam alias, update the related configuration file {container}/etc/org.talend.esb.datasource.{database}.cfg to add the property:

datasource.jndi=ds-{database}
https://help.talend.com/r/tez87K9J65Ah64Rult_SAQ/K0Z7zYfpde~Qfq6zL7hzlQ

This feature doesn't impact manually deployed blueprints declaring data sources.

Default AlgorithmSuite from Basic128Sha256 to Basic256Sha256 (TPRUN-2631)

All AlgorithmSuites of policies with SAML are updated from Basic128Sha256 to Basic256Sha256 for these features:

  • talend-job-controller
  • tesb-locator-soap-service
  • tesb-sam-service-soap

Configuration can be checked in these files, where the value is set to SAML:

  • etc/org.talend.esb.locator.service.cfg: locator.authentication = SAML (impacted endpoint: http://localhost:8040/services/ServiceLocatorService)
  • etc/org.talend.esb.sam.service.soap.cfg: sam.service.soap.authentication = SAML (impacted endpoint: http://localhost:8040/services/MonitoringServiceSOAP)

If services are configured to use SAML:

  • you need to ensure external clients (executing outside the container) use an updated policy when reaching these endpoints
  • you need to manually redeploy artifacts generated from Studio for models exposing/consuming endpoints using Service Locator or Service Activity Monitoring
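
The following script is an added example (not Talend tooling) that reads the two configuration files named above and reports which SOAP endpoints have SAML authentication enabled, so an administrator can see which external clients need the updated Basic256Sha256 policy. It assumes the file, key and endpoint mapping given in these notes, that the container root is passed as the first argument, and it builds a throwaway sample container (constructed values, "NO" for the non-SAML case) for demonstration.

```shell
#!/bin/sh
# Added example, not Talend's own code. Reports the endpoints of a Talend ESB
# Runtime container whose configuration sets authentication to SAML.

# cfg_value FILE KEY -> prints the value of KEY in a Karaf .cfg file ("" if absent)
cfg_value() {
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*(.*[^[:space:]])[[:space:]]*$/\1/p" "$1" 2>/dev/null | tail -n 1
}

# saml_endpoints CONTAINER -> prints one impacted endpoint URL per line
# (file/key/endpoint mapping taken from the release notes)
saml_endpoints() {
    c="$1"
    if [ "$(cfg_value "$c/etc/org.talend.esb.locator.service.cfg" locator.authentication)" = "SAML" ]; then
        echo "http://localhost:8040/services/ServiceLocatorService"
    fi
    if [ "$(cfg_value "$c/etc/org.talend.esb.sam.service.soap.cfg" sam.service.soap.authentication)" = "SAML" ]; then
        echo "http://localhost:8040/services/MonitoringServiceSOAP"
    fi
}

# demo_saml_container -> creates a constructed sample container and prints its path
# (Service Locator on SAML, SAM service on a non-SAML value)
demo_saml_container() {
    d=$(mktemp -d)
    mkdir -p "$d/etc"
    printf 'locator.authentication = SAML\n' > "$d/etc/org.talend.esb.locator.service.cfg"
    printf 'sam.service.soap.authentication = NO\n' > "$d/etc/org.talend.esb.sam.service.soap.cfg"
    printf '%s\n' "$d"
}

# Usage: saml_endpoints /path/to/container   (run against the demo below)
saml_endpoints "$(demo_saml_container)"
```

Run it against a real container root instead of the demo path; an empty result means neither endpoint is on SAML and no client policy update is needed for these two services.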

Default Algorithm for password encryption/decryption (TPRUN-2601)

The encryption algorithm for all ENC(xxx) passwords is upgraded by default to PBEWITHSHA256AND256BITAES-CBC-BC. All passwords declared as ENC(xxx) in configuration files or in Talend Administration Center must be regenerated with these commands in the Runtime console (ensure the environment variable TESB_ENV_PASSWORD is set first):

karaf@trun()> feature:install tesb-encryptor-command
karaf@trun()> tesb:encrypt-text {textToEncrypt}

The algorithm can be configured by setting the environment variable TESB_ENV_ALGORITHM. If old ENC(xxx) values are still needed, revert to the previous algorithm by setting TESB_ENV_ALGORITHM to PBEWITHSHA256AND128BITAES-CBC-BC and restarting the Runtime.
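
Before regenerating passwords, an administrator needs an inventory of every ENC(...) value in the container. The script below is an added example (not Talend tooling) that lists each file and property key holding an ENC(...) value under {container}/etc and checks that TESB_ENV_PASSWORD is set, as tesb:encrypt-text requires. It assumes the ENC(...) marker described above and builds a constructed sample container for demonstration.

```shell
#!/bin/sh
# Added example, not Talend's own code. Inventories ENC(...) properties in a
# Talend ESB Runtime container so each can be regenerated with tesb:encrypt-text.

# list_enc_values CONTAINER -> prints "file:key" for each property whose value is ENC(...)
list_enc_values() {
    dir="$1"
    for f in "$dir"/etc/*.cfg; do
        [ -f "$f" ] || continue
        # match "key = ENC(" lines; commented-out lines are skipped
        grep -En '^[[:space:]]*[^#[:space:]][^=]*=[[:space:]]*ENC\(' "$f" | \
            sed -E "s|^([0-9]+):[[:space:]]*([^=[:space:]]+).*|$f:\2|"
    done
}

# count_enc_values CONTAINER -> number of ENC(...) values found
count_enc_values() {
    list_enc_values "$1" | wc -l | tr -d ' '
}

# check_env -> 0 if TESB_ENV_PASSWORD is set (needed before tesb:encrypt-text), 1 otherwise
check_env() {
    [ -n "${TESB_ENV_PASSWORD:-}" ]
}

# demo_container -> creates a constructed sample container and prints its path
demo_container() {
    d=$(mktemp -d)
    mkdir -p "$d/etc"
    cat > "$d/etc/org.talend.esb.datasource.mysql.cfg" <<'EOF'
datasource.jndi=ds-mysql
datasource.user=dbuser
datasource.password=ENC(AbCdEf123==)
EOF
    cat > "$d/etc/org.talend.esb.sam.service.soap.cfg" <<'EOF'
# commented.out = ENC(notreal)
sam.service.soap.authentication = SAML
EOF
    printf '%s\n' "$d"
}

# Usage: list_enc_values /path/to/container   (run against the demo below)
list_enc_values "$(demo_container)"
check_env || echo "TESB_ENV_PASSWORD is not set; set it before running tesb:encrypt-text" >&2
```

Each reported key is one value to re-encrypt with tesb:encrypt-text and paste back; the environment check mirrors the note above that TESB_ENV_PASSWORD must be set before the command is used.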

Disable Zookeeper AdminServer by default (TPRUN-2805)

The Zookeeper AdminServer feature is now disabled by default; the Service Locator feature is not impacted. To reactivate this feature for the embedded Zookeeper in Runtime:

  • edit {container}/bin/setenv or {container}/bin/setenv.bat and change the values

-Dzookeeper.admin.enableServer=true -Dzookeeper.admin.serverPort={AVAILABLE PORT}

To reactivate this feature for the standalone Zookeeper provided with Talend-ESB:

  • edit Talend-ESB-V8.0.1/zookeeper/conf/zoo.cfg and add/change the values

zookeeper.admin.enableServer=true
zookeeper.admin.serverPort={AVAILABLE PORT}

Vulnerability to SQL injection attacks

All versions before 8.0.1-R2022-10-RT of the Talend ESB Runtime are potentially vulnerable to SQL Injection attacks in the provisioning service only. Users of the provisioning service should upgrade to either 8.0.1-R2022-10-RT or a later release and use it in place of the previous version. Other Talend ESB Runtime services are not impacted by this vulnerability.