TPS-5360 (cumulative patch) - 8.0

Talend Big Data
Talend Data Fabric
Talend JobServer
Last publication date

TPS-5360 (cumulative patch)

Info Value
Patch Name Patch_20221118_TPS-5360_v1-8.0.1
Release Date 2022-11-18
Target Version 20211109_1610-V8.0.1
Product affected Jobserver


This patch is cumulative. It includes all previous generally available patches for Talend Jobserver 8.0.1.

NOTE: For information on how to obtain this patch, reach out to your Support contact at Talend.

Fixed issues

This patch contains the following fixes:

  • TPS-5039 Mitigate / fix JobServer log4j2 vulnerabilities ( CVE-2021-44228 ) (TPRUN-2701)
  • TPRUN-2543 Fix compatibility statement logged at JobServer startup
  • TPS-5076 [8.0.1]including the possibility to define the certificate password when defining the SSL on jobserver and runtime (TPRUN-1805)
  • TPRUN-2859 JobServer packages superfluous dependency slf4j-log4j12-1.7.32.jar
  • TPRUN-3050 Upgrade Ant dependency in JobServer to avoid known vulnerabilities
  • TPS-5111 [8.0.1] JMX port 8888 is inactive for runtime from TAC while enabling SSL (TPRUN-2948)
  • TPRUN-3106 When archive was deleted, wrong job execution state will be returned.
  • TPRUN-3152 JobServer secure mode is off by default.
  • TPRUN-1294 Restrict impersonation users by default.
  • TPRUN-2214 JobServer package should include a NOTICE file with licenses.
  • TPRUN-3405 The FileListener does not jail the path to the jobserver deploy directory.
  • TPRUN-3447 Provide info about job name in method for patch job execution command line.
  • TPRUN-3508 AuthorizationKey is logged
  • TPRUN-3527 Prevent race conditions in Remote Engine Gen1 parallel task execution
  • TPRUN-3153 log4jshell fix seems to broke temp directory creator functionality when installing RE as service
  • TPRUN-3697 JobServer should close stream of temporary context.
  • TPRUN-3604 Unzipper Incorrect size limit check and created files not deleted in case of error
  • TPRUN-3777 Non thread safe ClasspathJar writing
  • TPRUN-3679 Modularize function required for user impersonation.
  • TPS-5286 [8.0.1] Code cleanup & deprecation of 'launchFromShellScript' (TPRUN-3775)
  • TPRUN-3605 JobServer - Unzipper add limits for nesting and path length
  • TPRUN-3784 Update JobServer configuration/docs related to TLS version
  • TPRUN-3948 Align versions of JAVA source/target, dependencies and plugins on pom(s).xml
  • TPRUN-3790 Update Studio Utils to 1.0.8
  • TPS-5360 [8.0.1] JobServer File server has no authentication. (TPRUN-3518)
  • TPRUN-4022 Update patch creation process
  • TPRUN-3916 Use RockyLinux as base image for JobServer docker in tests
  • TPRUN-4131 Check Zip Slip and Zip Symlink vulnerabilities
  • TPRUN-4203 A fatal error has been detected by the Java Runtime Environment
  • TPRUN-4126 Upgrade to OSHI 6.2.2
  • TPRUN-3836 Improve error message in case Job archive checks fail
  • TPRUN-3523 Add ability to disable the monitoring service
  • TPRUN-1740 Simplify approach to let users install patches and (windows) services
  • TPRUN-4023 Reduce merging pain between active branches due to different logging framework
  • TPRUN-4238 Attempt to publish a large job (while FileServer authentication is available?) causes a command server timeout
  • TPRUN-4267 Folder name length check not working for ZIP without folder entries
  • TPRUN-4203 A fatal error has been detected by the Java Runtime Environment: # # SIGBUS (0x7) at pc=0x00007ff897dfc37d, pid=553, tid=0x00007ff89f0fe700
  • TPRUN-4400 JobServer client checkServer returns wrong compatibility info
  • TPRUN-4255 Do not log warnings when properties are not set but default value exists
  • TPRUN-4355 Ensure Copyright is up-to-date for JAVA classes with UnitTesting
  • TPRUN-4269 After Unzipper Exception partially unzipped file remain
  • TPRUN-3519 Add constraints on jobs to prevent DoS attacks
  • TPS-5371 [8.0.1] Adding File path traversal guard and upgrade common-text due to CVS (TPRUN-4050)
  • TPRUN-4515 Delete deployedJobPath directory before re-deploying
  • TPRUN-4486 JobServer - Cleanings
  • TPRUN-4447 JobServer start_jconsole.bat script has wrong classpath
  • TPRUN-4761 Issue with FileEventsPacket

Fixed CVEs


Consider the following requirements for your system:

  • Talend Jobserver 8.0.1 must be installed.


  1. Create a backup for the patched files in <jobserver_home>/lib and <jobserver_home>/conf.
  2. Stop Jobserver
  3. Remove files from <jobserver_home>/lib:

  4. log4j-api-*.jar

  5. log4j-core-*.jar
  6. log4j-slf4j-impl-*.jar
  7. org.talend.monitoring-8.0.1*.jar
  8. org.talend.monitoring.server-8.0.1*.jar
  9. org.talend.remote.commons-8.0.1*.jar
  10. org.talend.remote.jobserver.commons-8.0.1*.jar
  11. org.talend.remote.jobserver.server.standalone-8.0.1*.jar
  12. org.talend.remote.server-8.0.1*.jar
  13. studio-utils-1.0.5.jar
  14. oshi-core-4.0.0.jar
  15. jna-5.4.0.jar
  16. jna-platform-5.4.0.jar
  17. commons-text-*.jar
  18. slf4j-api-*.jar

  19. To replace them with their patched counterparts

  20. log4j-api-2.17.1.jar

  21. log4j-core-2.17.1.jar
  22. log4j-slf4j-impl-2.17.1.jar
  23. org.talend.monitoring-
  24. org.talend.monitoring.server-
  25. org.talend.remote.commons-
  26. org.talend.remote.jobserver.commons-
  27. org.talend.remote.jobserver.server.standalone-
  28. org.talend.remote.server-
  29. studio-utils-1.0.8.jar
  30. oshi-core-6.2.2.jar
  31. jna-5.12.1.jar
  32. jna-platform-5.12.1.jar
  33. commons-text-1.10.0.jar
  34. slf4j-api-1.7.32.jar

  35. Remove files from <jobserver_home> to replace them with their patched counterparts:

  36. start_rs.bat

  38. start_jconsole.bat

  39. Recommended change of following configuration properties in /conf/ in case you use SSL:

    # Enabled protocols for JobServer socket communication
    # Enabled protocols for JMX management server

  40. Recommended to set following configuration property to false in case you want to disable the Monitoring Port 8888:
    # Enable the Monitoring port or not. true by default
  41. Add the following configuration properties to <jobserver_home>/conf/

It is recommended to set the following configuration property to true:

# Set to true to enable authorization for all jobserver commands (recommended)

The following configuration property enables authorization for all job file deployments. This requires that on client-side ( TAC, Studio ) support for file server authorization must be available and the system property org.talend.remote.jobserver.client.old has be set to false. For more details refer to the documentation.

# Set to true to enable authorization for all job file deployments.
( Requires additional configuration for TAC and Studio. )

The following configuration have been added to add constraints on job to prevent Denial Of Service attacks. High default have been defined, it is recommended to adapt these to your environment.

# Maximum number of file listeners, 0 = No limit

# Maximum number of library dependencies embedded in a job
# Maximum size of all library dependency names for a job

# Maximum number of deployed jobs, 0 = No Limit

# Max size that a job archive is allowed to be. The default is 1G, 0 = No limit

# Maximum size of TalendJobServersFiles/archiveJobs folder, 0 = No limit, 0 = No Limit
  1. An empty allow list for impersonation users is not supported anymore. If you want to allow impersonation for anyone and support jobs running without impersonation, you need to explicitly set:
    Please refer to the following examples to understand this setting:
RUN_AS_ALLOWLIST Run as user Execution Explanation
accepted No impersonation, OK
anybody accepted No impersonation, OK
anybody jim accepted All users allowed
* refused Must specify a user
* jim accepted All users allowed
jim,jules refused Must specify a user from the list
jim,jules jim accepted jim is in the list
ju* jules accepted jules matches ju*
  1. Check Read, Write & Execution rights on files

Per default, the rights should be: - rw-r--r-- (i.e. 0664) per default, meaning everybody can read, but only the owner can overwrite the file - rwxr-xr-x (i.e. 0655) for *.sh files, meaning everybody can read & execute, but only the owner can overwrite the file

If needed, feel free to update these rights to match your current installation environment.
Especially to allow further patch updates by a non-owner user, you might want to allow other users to have Write access.

  1. Start Jobserver


  1. Stop Jobserver.
  2. Remove the following files

  3. log4j-api-2.17.1.jar

  4. log4j-core-2.17.1.jar
  5. log4j-slf4j-impl-2.17.1.jar
  6. org.talend.monitoring-
  7. org.talend.monitoring.server-
  8. org.talend.remote.commons-
  9. org.talend.remote.jobserver.commons-
  10. org.talend.remote.jobserver.server.standalone-
  11. org.talend.remote.server-
  12. studio-utils-1.0.8.jar
  13. oshi-core-6.2.2.jar
  14. jna-5.12.1.jar
  15. jna-platform-5.12.1.jar
  16. commons-text-1.10.0.jar
  17. slf4j-api-1.7.32.jar

and restore the unpatched counterparts from your backup

  • log4j-api-*.jar
  • log4j-core-*.jar
  • log4j-slf4j-*.jar
  • org.talend.monitoring-8.0.1*.jar
  • org.talend.monitoring.server-8.0.1*.jar
  • org.talend.remote.commons-8.0.1*.jar
  • org.talend.remote.jobserver.commons-8.0.1*.jar
  • org.talend.remote.jobserver.server.standalone-8.0.1*.jar
  • org.talend.remote.server-8.0.1*.jar
  • studio-utils-1.0.5.jar
  • oshi-core-*.jar
  • jna-*.jar
  • jna-platform-*.jar
  • commons-text-*.jar
  • slf4j-api-*.jar

  • Remove the following files and restore the unpatched counterparts from your backup

  • start_rs.bat

  • start_jconsole.bat

  • Start Jobserver

Affected files for this patch

The following files are installed into <jobserver_home>/lib folder by this patch:

  • log4j-api-2.17.1.jar
  • log4j-core-2.17.1.jar
  • log4j-slf4j-impl-2.17.1.jar
  • org.talend.monitoring-
  • org.talend.monitoring.server-
  • org.talend.remote.commons-
  • org.talend.remote.jobserver.commons-
  • org.talend.remote.jobserver.server.standalone-
  • org.talend.remote.server-
  • studio-utils-1.0.8.jar
  • oshi-core-6.2.2.jar
  • jna-5.12.1.jar
  • jna-platform-5.12.1.jar

The following files are installed into <jobserver_home> folder by this patch:

  • start_rs.bat
  • start_jconsole.bat

New configuration parameters




( Requires additional configuration for TAC and Studio. )

Removed features


When the option 'org.talend.remote.jobserver.commons.config.JobServerConfiguration.LAUNCH_SHELL_SCRIPT' was set to 'false' (which is the default value), a script file was generated in : - deployedJobPath/[jobName]/[jobName]_run.bat for Windows - deployedJobPath/[jobName]/[jobName] for UNIX

This file will no longer be generated.
Instead, to see executed command please use the debug level log.

Deprecated features


The possibility to launch from shell script using option ''org.talend.remote.jobserver.commons.config.JobServerConfiguration.LAUNCH_SHELL_SCRIPT' set to 'true' is deprecated and will be removed in end 2022.