TPS-5286 (cumulative patch)
Info | Value |
---|---|
Patch Name | Patch_20220705_TPS-5286_v1-8.0.1 |
Release Date | 2022-07-05 |
Target Version | 20211109_1610-V8.0.1 |
Product affected | Jobserver |
Introduction
This patch is cumulative. It includes all previous generally available patches for Talend Jobserver 8.0.1.
NOTE: For information on how to obtain this patch, reach out to your Support contact at Talend.
Fixed issues
This patch contains the following fixes:
- TPS-5039 Mitigate / fix JobServer log4j2 vulnerabilities ( CVE-2021-44228 ) (TPRUN-2701)
- TPRUN-2543 Fix compatibility statement logged at JobServer startup
- TPS-5076 [8.0.1] including the possibility to define the certificate password when defining the SSL on jobserver and runtime (TPRUN-1805)
- TPRUN-2859 JobServer packages superfluous dependency slf4j-log4j12-1.7.32.jar
- TPRUN-3050 Upgrade Ant dependency in JobServer to avoid known vulnerabilities
- TPS-5111 [8.0.1] JMX port 8888 is inactive for runtime from TAC while enabling SSL (TPRUN-2948)
- TPRUN-3106 When archive was deleted, wrong job execution state will be returned.
- TPRUN-3152 JobServer secure mode is off by default.
- TPRUN-1294 Restrict impersonation users by default.
- TPRUN-2214 JobServer package should include a NOTICE file with licenses.
- TPRUN-3405 The FileListener does not jail the path to the jobserver deploy directory.
- TPRUN-3447 Provide info about job name in method for patch job execution command line.
- TPRUN-3508 AuthorizationKey is logged
- TPRUN-3527 Prevent race conditions in Remote Engine Gen1 parallel task execution
- TPRUN-3153 log4jshell fix seems to broke temp directory creator functionality when installing RE as service
- TPRUN-3697 JobServer should close stream of temporary context.
- TPRUN-3604 Unzipper Incorrect size limit check and created files not deleted in case of error
- TPRUN-3777 Non thread safe ClasspathJar writing
- TPRUN-3679 Modularize function required for user impersonation.
- TPS-5286 [8.0.1] Code cleanup & deprecation of 'launchFromShellScript' (TPRUN-3775)
Fixed CVEs
- CVE-2021-44228 ( log4j2 - execute arbitrary code loaded from LDAP servers )
- CVE-2021-44832 ( log4j2 - remote code execution attack in JMSAppender )
- CVE-2021-45046 ( log4j2 - information leak and remote code execution )
- CVE-2021-45105 ( log4j2 - uncontrolled recursion from self-referential lookups )
- CVE-2021-36373 ( Ant TAR )
Prerequisites
Consider the following requirements for your system:
- Talend Jobserver 8.0.1 must be installed.
Installation
- Create a backup for the patched files in <jobserver_home>/lib and <jobserver_home>/conf.
- Stop Jobserver
- Remove files from <jobserver_home>/lib:
  - log4j-api-*.jar
  - log4j-core-*.jar
  - log4j-slf4j-impl-*.jar
  - org.talend.monitoring-8.0.1*.jar
  - org.talend.monitoring.server-8.0.1*.jar
  - org.talend.remote.commons-8.0.1*.jar
  - org.talend.remote.jobserver.commons-8.0.1*.jar
  - org.talend.remote.jobserver.server.standalone-8.0.1*.jar
  - org.talend.remote.server-8.0.1*.jar

  To replace them with their patched counterparts:
  - log4j-api-2.17.1.jar
  - log4j-core-2.17.1.jar
  - log4j-slf4j-impl-2.17.1.jar
  - org.talend.monitoring-8.0.1.20220705_1450_patch.jar
  - org.talend.monitoring.server-8.0.1.20220705_1450_patch.jar
  - org.talend.remote.commons-8.0.1.20220705_1450_patch.jar
  - org.talend.remote.jobserver.commons-8.0.1.20220705_1450_patch.jar
  - org.talend.remote.jobserver.server.standalone-8.0.1.20220705_1450_patch.jar
  - org.talend.remote.server-8.0.1.20220705_1450_patch.jar
- Remove files from <jobserver_home> to replace them with their patched counterparts:
  - start_rs.bat
  - start_rs.sh
- Add the following configuration properties to <jobserver_home>/conf/TalendJobserver.properties:
It is recommended to set the following configuration property to true:
# Set to true to enable authorization for all jobserver commands (recommended)
org.talend.remote.jobserver.commons.config.JobServerConfiguration.SECURITY_MODE=true
org.talend.remote.jobserver.server.TalendJobServer.RUN_AS_ALLOWLIST=anybody
RUN_AS_ALLOWLIST | Run as user | Execution | Explanation |
---|---|---|---|
(empty) | (empty) | accepted | No impersonation, OK |
anybody | (empty) | accepted | No impersonation, OK |
anybody | jim | accepted | All users allowed |
* | (empty) | refused | Must specify a user |
* | jim | accepted | All users allowed |
jim,jules | (empty) | refused | Must specify a user from the list |
jim,jules | jim | accepted | jim is in the list |
ju* | jules | accepted | jules matches ju* |
- Start Jobserver
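A post-install check for the steps above, as an added example that is not part of Talend's patch or documentation: it flags jars that the removal step should have deleted, patched jars that are missing, and a SECURITY_MODE that is not true. The function names, the constructed sample tree and the plain key=value parsing are assumptions of this example.

```shell
# Added example: post-install check for Patch_20220705_TPS-5286_v1-8.0.1.
PATCH_TAG="20220705_1450_patch"   # suffix of the patched Talend jars (from the patch notes)
LOG4J_VER="2.17.1"                # log4j version the patch installs
SEC_KEY="org.talend.remote.jobserver.commons.config.JobServerConfiguration.SECURITY_MODE"
TALEND_STEMS="org.talend.monitoring org.talend.monitoring.server org.talend.remote.commons
  org.talend.remote.jobserver.commons org.talend.remote.jobserver.server.standalone
  org.talend.remote.server"

# check_family <lib_dir> <prefix> <expected_jar>: expected jar must be the only <prefix>*.jar.
check_family() {
    rc=0
    [ -f "$1/$3" ] || { echo "MISSING  $3"; rc=1; }
    for f in "$1/$2"*.jar; do
        [ -e "$f" ] || continue                  # glob matched nothing
        [ "${f##*/}" = "$3" ] || { echo "LEFTOVER ${f##*/}"; rc=1; }
    done
    return "$rc"
}

# verify_jobserver_patch <jobserver_home>: prints findings, returns 0 only if clean.
verify_jobserver_patch() {
    lib="$1/lib"; conf="$1/conf/TalendJobserver.properties"; bad=0
    for stem in log4j-api log4j-core log4j-slf4j-impl; do
        check_family "$lib" "$stem-" "$stem-$LOG4J_VER.jar" || bad=1
    done
    for stem in $TALEND_STEMS; do
        check_family "$lib" "$stem-8.0.1" "$stem-8.0.1.$PATCH_TAG.jar" || bad=1
    done
    # Assumes plain key=value lines as shown in the patch notes; the last one wins.
    val=$(grep "^$SEC_KEY=" "$conf" 2>/dev/null | tail -n 1 | cut -d= -f2- | tr -d '[:space:]')
    [ "$val" = "true" ] || { echo "CONFIG   SECURITY_MODE is '${val:-unset}', recommended: true"; bad=1; }
    return "$bad"
}

# make_sample_home <dir> [extra_jar]: constructed directory tree, not a real install.
make_sample_home() {
    mkdir -p "$1/lib" "$1/conf"
    for stem in log4j-api log4j-core log4j-slf4j-impl; do : > "$1/lib/$stem-$LOG4J_VER.jar"; done
    for stem in $TALEND_STEMS; do : > "$1/lib/$stem-8.0.1.$PATCH_TAG.jar"; done
    echo "$SEC_KEY=true" > "$1/conf/TalendJobserver.properties"
    [ -z "$2" ] || : > "$1/lib/$2"
}

# With a path argument check that install; without one, demo on a constructed tree.
if [ "$#" -gt 0 ]; then verify_jobserver_patch "$1"; else
    demo=$(mktemp -d); make_sample_home "$demo" log4j-core-OLD.jar
    verify_jobserver_patch "$demo" || echo "constructed tree has findings (expected)"
    rm -rf "$demo"
fi
```

Run it with the Jobserver install path as the only argument; a non-zero exit status means at least one finding was printed.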
Uninstallation
- Stop Jobserver.
- Remove the following files:
  - log4j-api-2.17.1.jar
  - log4j-core-2.17.1.jar
  - log4j-slf4j-impl-2.17.1.jar
  - org.talend.monitoring-8.0.1.20220705_1450_patch.jar
  - org.talend.monitoring.server-8.0.1.20220705_1450_patch.jar
  - org.talend.remote.commons-8.0.1.20220705_1450_patch.jar
  - org.talend.remote.jobserver.commons-8.0.1.20220705_1450_patch.jar
  - org.talend.remote.jobserver.server.standalone-8.0.1.20220705_1450_patch.jar
  - org.talend.remote.server-8.0.1.20220705_1450_patch.jar

  and restore the unpatched counterparts from your backup:
  - log4j-api-*.jar
  - log4j-core-*.jar
  - log4j-slf4j-*.jar
  - org.talend.monitoring-8.0.1*.jar
  - org.talend.monitoring.server-8.0.1*.jar
  - org.talend.remote.commons-8.0.1*.jar
  - org.talend.remote.jobserver.commons-8.0.1*.jar
  - org.talend.remote.jobserver.server.standalone-8.0.1*.jar
  - org.talend.remote.server-8.0.1*.jar
- Remove the following files and restore the unpatched counterparts from your backup:
  - start_rs.bat
  - start_rs.sh
- Start Jobserver
Affected files for this patch
The following files are installed into the <jobserver_home>/lib folder by this patch:
log4j-api-2.17.1.jar
log4j-core-2.17.1.jar
log4j-slf4j-impl-2.17.1.jar
org.talend.monitoring-8.0.1.20220705_1450_patch.jar
org.talend.monitoring.server-8.0.1.20220705_1450_patch.jar
org.talend.remote.commons-8.0.1.20220705_1450_patch.jar
org.talend.remote.jobserver.commons-8.0.1.20220705_1450_patch.jar
org.talend.remote.jobserver.server.standalone-8.0.1.20220705_1450_patch.jar
org.talend.remote.server-8.0.1.20220705_1450_patch.jar
The following files are installed into the <jobserver_home> folder by this patch:
start_rs.bat
start_rs.sh
New configuration parameters
org.talend.remote.server.ssl.keyPassword=<jobserver_key_password>
org.talend.jmxmp.ssl.keyPassword=<monitoring_server_key_password>
Removed features
TPRUN-3775
When the option 'org.talend.remote.jobserver.commons.config.JobServerConfiguration.LAUNCH_SHELL_SCRIPT' was set to 'false' (which is the default value), a script file was generated in:
- deployedJobPath/[jobName]/[jobName]_run.bat for Windows
- deployedJobPath/[jobName]/[jobName]_run.sh for UNIX
This file will no longer be generated.
Instead, to see the executed command, use the debug log level.
Deprecated features
TPRUN-3775
The possibility to launch from a shell script by setting the option 'org.talend.remote.jobserver.commons.config.JobServerConfiguration.LAUNCH_SHELL_SCRIPT' to 'true' is deprecated and will be removed at the end of 2022.