Log4j2 Issue (CVE-2021-44228)

Log4j2 Disclosure - CVE-2021-44228

Language
English (United States)

Publication Date: January 24th, 2022 

CVE-2021-44228 and CVE-2021-45046

Talend is aware of the recently disclosed vulnerabilities related to the open-source Apache Software Foundation “Log4j2" utility (reported under CVE-2021-44228 and CVE-2021-45046 as critical severity level). Talend has patched all relevant Products to remedy these vulnerabilities.

Here, you can find additional Product specific information regarding remediation efforts. Certain Talend Products may require configuration changes, which will be shared as they become available. Until deployment of Log4j v2.16, please follow the steps below.

CVE-2021-45105 and CVE-2021-44832

Talend is aware of the recently disclosed medium severity vulnerabilities reported under CVE-2021-45105 and CVE-2021-44832 related to the open-source Apache Software Foundation “Log4j2" utility.

CVE-2021-45105 is only applicable when the logging configuration uses a non-default Pattern Layout with a Context Lookup. By default, Talend Products do not use Context Lookups, meaning the vulnerability is only applicable if the Customer manually changed the logging configuration. For Customers that manually changed the logging configuration, the CVE-2021-45105 vulnerability is addressed in Log4J 2.17.0. For Remote Engine Gen1, CVE-2021-45105, Talend addressed the CVE-2021-45105 vulnerability by updating to Log4J 2.17.0 in version 2.11.7.

CVE-2021-44832 is only applicable when the logging configuration uses a JDBC appender with a JNDI data source, or the log4j configuration is modified by an attacker. Talend products do not use a JDBC appended by default for logging. The CVE-2021-44832 vulnerability is addressed in Log4J 2.17.1.

Both medium severities CVEs are resolved with Log4j 2.17.1., which will be released during Talend’s monthly patch within its Continuous Maintenance Development process.

If you need additional details or assistance, please contact Talend Support on Talend Support portal (https://login.talend.com/support-login.php) or by sending an e-mail to customercare@talend.com.

Apache Log4j Security Vulnerabilities Summary

CVE Number Base 3.x CVSS Score NVD Published Date

Fixed in

Log4j 2.15.0

Fixed in

Log4j 2.16.0

Fixed in

Log4j 2.17.0

Fixed in

Log4j 2.17.1

CVE-2021-44228 10.0 Critical 12/10/2021 Yes Yes Yes Yes
CVE-2021-45046 9.0 Critical 12/14/2021 No Yes Yes Yes
CVE-2021-45105 5.9 Medium 12/14/2021 No No Yes Yes
CVE-2021-44832 6.6 Medium 12/28/2021 No No No Yes

Apache Log4j Security Vulnerabilities