TPS-5286 (cumulative patch) - 8.0

Version: 8.0
Language: English (United States)
Product: Talend Big Data, Talend Data Fabric
Module: Talend JobServer

| Info | Value |
|---|---|
| Patch Name | Patch_20220705_TPS-5286_v1-8.0.1 |
| Release Date | 2022-07-05 |
| Target Version | 20211109_1610-V8.0.1 |
| Product affected | Jobserver |

Introduction

This patch is cumulative. It includes all previous generally available patches for Talend Jobserver 8.0.1.

NOTE: For information on how to obtain this patch, reach out to your Support contact at Talend.

Fixed issues

This patch contains the following fixes:

  • TPS-5039 Mitigate / fix JobServer log4j2 vulnerabilities (CVE-2021-44228) (TPRUN-2701)
  • TPRUN-2543 Fix compatibility statement logged at JobServer startup
  • TPS-5076 [8.0.1] Including the possibility to define the certificate password when defining the SSL on jobserver and runtime (TPRUN-1805)
  • TPRUN-2859 JobServer packages superfluous dependency slf4j-log4j12-1.7.32.jar
  • TPRUN-3050 Upgrade Ant dependency in JobServer to avoid known vulnerabilities
  • TPS-5111 [8.0.1] JMX port 8888 is inactive for runtime from TAC while enabling SSL (TPRUN-2948)
  • TPRUN-3106 When archive was deleted, wrong job execution state will be returned.
  • TPRUN-3152 JobServer secure mode is off by default.
  • TPRUN-1294 Restrict impersonation users by default.
  • TPRUN-2214 JobServer package should include a NOTICE file with licenses.
  • TPRUN-3405 The FileListener does not jail the path to the jobserver deploy directory.
  • TPRUN-3447 Provide info about job name in method for patch job execution command line.
  • TPRUN-3508 AuthorizationKey is logged
  • TPRUN-3527 Prevent race conditions in Remote Engine Gen1 parallel task execution
  • TPRUN-3153 log4jshell fix seems to break temp directory creator functionality when installing RE as service
  • TPRUN-3697 JobServer should close stream of temporary context.
  • TPRUN-3604 Unzipper Incorrect size limit check and created files not deleted in case of error
  • TPRUN-3777 Non thread safe ClasspathJar writing
  • TPRUN-3679 Modularize function required for user impersonation.
  • TPS-5286 [8.0.1] Code cleanup & deprecation of 'launchFromShellScript' (TPRUN-3775)

Fixed CVEs

Prerequisites

Consider the following requirements for your system:

  • Talend Jobserver 8.0.1 must be installed.

Installation

  1. Create a backup for the patched files in <jobserver_home>/lib and <jobserver_home>/conf.
  2. Stop Jobserver
  3. Remove files from <jobserver_home>/lib:

     • log4j-api-*.jar
     • log4j-core-*.jar
     • log4j-slf4j-impl-*.jar
     • org.talend.monitoring-8.0.1*.jar
     • org.talend.monitoring.server-8.0.1*.jar
     • org.talend.remote.commons-8.0.1*.jar
     • org.talend.remote.jobserver.commons-8.0.1*.jar
     • org.talend.remote.jobserver.server.standalone-8.0.1*.jar
     • org.talend.remote.server-8.0.1*.jar

     and replace them with their patched counterparts:

     • log4j-api-2.17.1.jar
     • log4j-core-2.17.1.jar
     • log4j-slf4j-impl-2.17.1.jar
     • org.talend.monitoring-8.0.1.20220705_1450_patch.jar
     • org.talend.monitoring.server-8.0.1.20220705_1450_patch.jar
     • org.talend.remote.commons-8.0.1.20220705_1450_patch.jar
     • org.talend.remote.jobserver.commons-8.0.1.20220705_1450_patch.jar
     • org.talend.remote.jobserver.server.standalone-8.0.1.20220705_1450_patch.jar
     • org.talend.remote.server-8.0.1.20220705_1450_patch.jar

  4. Remove files from <jobserver_home> to replace them with their patched counterparts:

     • start_rs.bat
     • start_rs.sh

  5. Add the following configuration properties to <jobserver_home>/conf/TalendJobserver.properties:

     It is recommended to set the following configuration property to true:

     # Set to true to enable authorization for all jobserver commands (recommended)
     org.talend.remote.jobserver.commons.config.JobServerConfiguration.SECURITY_MODE=true

     and

     org.talend.remote.jobserver.server.TalendJobServer.RUN_AS_ALLOWLIST=anybody

     | RUN_AS_ALLOWLIST | Run as user | Execution | Explanation |
     |---|---|---|---|
     | (empty) | (empty) | accepted | No impersonation, OK |
     | anybody | (empty) | accepted | No impersonation, OK |
     | anybody | jim | accepted | All users allowed |
     | * | (empty) | refused | Must specify a user |
     | * | jim | accepted | All users allowed |
     | jim,jules | (empty) | refused | Must specify a user from the list |
     | jim,jules | jim | accepted | jim is in the list |
     | ju* | jules | accepted | jules matches ju* |

  6. Start Jobserver
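
The RUN_AS_ALLOWLIST table above can be read as a small decision procedure. The following Python model is an added example, not Talend's code: it reproduces the eight documented rows, treats only `*` as a wildcard, and reports combinations the table does not cover as `unspecified`. The function names are hypothetical.

```python
import re

# The eight rows of the page's RUN_AS_ALLOWLIST table:
# (allowlist value, run-as user, documented outcome)
DOCUMENTED_ROWS = [
    ("", "", "accepted"),
    ("anybody", "", "accepted"),
    ("anybody", "jim", "accepted"),
    ("*", "", "refused"),
    ("*", "jim", "accepted"),
    ("jim,jules", "", "refused"),
    ("jim,jules", "jim", "accepted"),
    ("ju*", "jules", "accepted"),
]


def _matches(pattern, user):
    # Only '*' is treated as a wildcard, as in the page's "ju*" row.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, user) is not None


def evaluate(allowlist, run_as):
    """Model of the table: 'accepted', 'refused' or 'unspecified'."""
    allowlist, run_as = allowlist.strip(), run_as.strip()
    if allowlist == "anybody":
        return "accepted"      # impersonation optional, any user allowed
    if allowlist == "":
        # The page documents only the no-impersonation case for an empty value.
        return "accepted" if run_as == "" else "unspecified"
    if run_as == "":
        return "refused"       # a restricting value makes the user mandatory
    entries = [e.strip() for e in allowlist.split(",") if e.strip()]
    if any(_matches(e, run_as) for e in entries):
        return "accepted"
    return "refused"           # inferred: a user outside the list is refused


def check_against_page():
    """Return the rows where the model disagrees with the page."""
    return [r for r in DOCUMENTED_ROWS if evaluate(r[0], r[1]) != r[2]]
```

Per the table, `anybody` places no restriction on the run-as user and also accepts execution without one, while `*` and explicit lists make a run-as user mandatory.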

Uninstallation

  1. Stop Jobserver.
  2. Remove the following files:

     • log4j-api-2.17.1.jar
     • log4j-core-2.17.1.jar
     • log4j-slf4j-impl-2.17.1.jar
     • org.talend.monitoring-8.0.1.20220705_1450_patch.jar
     • org.talend.monitoring.server-8.0.1.20220705_1450_patch.jar
     • org.talend.remote.commons-8.0.1.20220705_1450_patch.jar
     • org.talend.remote.jobserver.commons-8.0.1.20220705_1450_patch.jar
     • org.talend.remote.jobserver.server.standalone-8.0.1.20220705_1450_patch.jar
     • org.talend.remote.server-8.0.1.20220705_1450_patch.jar

     and restore the unpatched counterparts from your backup:

     • log4j-api-*.jar
     • log4j-core-*.jar
     • log4j-slf4j-*.jar
     • org.talend.monitoring-8.0.1*.jar
     • org.talend.monitoring.server-8.0.1*.jar
     • org.talend.remote.commons-8.0.1*.jar
     • org.talend.remote.jobserver.commons-8.0.1*.jar
     • org.talend.remote.jobserver.server.standalone-8.0.1*.jar
     • org.talend.remote.server-8.0.1*.jar

  3. Remove the following files and restore the unpatched counterparts from your backup:

     • start_rs.bat
     • start_rs.sh

  4. Start Jobserver

Affected files for this patch

The following files are installed into <jobserver_home>/lib folder by this patch:

  • log4j-api-2.17.1.jar
  • log4j-core-2.17.1.jar
  • log4j-slf4j-impl-2.17.1.jar
  • org.talend.monitoring-8.0.1.20220705_1450_patch.jar
  • org.talend.monitoring.server-8.0.1.20220705_1450_patch.jar
  • org.talend.remote.commons-8.0.1.20220705_1450_patch.jar
  • org.talend.remote.jobserver.commons-8.0.1.20220705_1450_patch.jar
  • org.talend.remote.jobserver.server.standalone-8.0.1.20220705_1450_patch.jar
  • org.talend.remote.server-8.0.1.20220705_1450_patch.jar

The following files are installed into <jobserver_home> folder by this patch:

  • start_rs.bat
  • start_rs.sh
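
A post-installation check built from the file lists above, as an added example that is not part of the patch or of Talend's tooling: it flags patched jars that are missing, pre-patch jars still sitting in the lib folder next to their replacements, and a SECURITY_MODE that is not `true`. The function names and the sample listing are constructed for illustration.

```python
import fnmatch

# Names copied from the page's "Installation" and "Affected files" lists.
REMOVED_PATTERNS = [
    "log4j-api-*.jar", "log4j-core-*.jar", "log4j-slf4j-impl-*.jar",
    "org.talend.monitoring-8.0.1*.jar",
    "org.talend.monitoring.server-8.0.1*.jar",
    "org.talend.remote.commons-8.0.1*.jar",
    "org.talend.remote.jobserver.commons-8.0.1*.jar",
    "org.talend.remote.jobserver.server.standalone-8.0.1*.jar",
    "org.talend.remote.server-8.0.1*.jar",
]
PATCHED = [f"log4j-{m}-2.17.1.jar" for m in ("api", "core", "slf4j-impl")] + [
    f"org.talend.{m}-8.0.1.20220705_1450_patch.jar"
    for m in ("monitoring", "monitoring.server", "remote.commons",
              "remote.jobserver.commons",
              "remote.jobserver.server.standalone", "remote.server")
]
SECURITY_KEY = ("org.talend.remote.jobserver.commons.config."
                "JobServerConfiguration.SECURITY_MODE")


def parse_properties(text):
    """Minimal key=value parser; ignores blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def audit(lib_files, properties_text):
    """Return a list of findings; an empty list means the checks passed."""
    present = set(lib_files)
    findings = [f"missing patched jar: {j}" for j in PATCHED if j not in present]
    for name in sorted(present - set(PATCHED)):
        # Anything else matching a removal pattern is a pre-patch leftover.
        if any(fnmatch.fnmatchcase(name, p) for p in REMOVED_PATTERNS):
            findings.append(f"leftover unpatched jar: {name}")
    if parse_properties(properties_text).get(SECURITY_KEY, "").lower() != "true":
        findings.append("SECURITY_MODE is not set to true")
    return findings


# Constructed sample: a lib listing with one stale jar and secure mode off.
SAMPLE_LIB = PATCHED + ["log4j-core-OLD.jar", "unrelated-library.jar"]
SAMPLE_PROPS = f"# constructed sample\n{SECURITY_KEY}=false\n"
```

On a real installation, pass `os.listdir()` of <jobserver_home>/lib and the contents of <jobserver_home>/conf/TalendJobserver.properties to `audit`.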

New configuration parameters

org.talend.remote.server.ssl.keyPassword=<jobserver_key_password>
org.talend.jmxmp.ssl.keyPassword=<monitoring_server_key_password>

Removed features

TPRUN-3775

When the option 'org.talend.remote.jobserver.commons.config.JobServerConfiguration.LAUNCH_SHELL_SCRIPT' was set to 'false' (which is the default value), a script file was generated in:

  • deployedJobPath/[jobName]/[jobName]_run.bat for Windows
  • deployedJobPath/[jobName]/[jobName]_run.sh for UNIX

This file will no longer be generated.
Instead, to see the executed command, use the debug-level log.

Deprecated features

TPRUN-3775

The possibility to launch from a shell script by setting the option 'org.talend.remote.jobserver.commons.config.JobServerConfiguration.LAUNCH_SHELL_SCRIPT' to 'true' is deprecated and will be removed at the end of 2022.