Log4j2 Issue

Log4j2 Disclosure - CVE-2021-44228

Language
English
Last publication date
2023-09-13

Publication Date: January 24th, 2022 

Important: For more recent security updates, see the Trust Center Updates section on Talend Security Portal. Subscribe to the Trust Center Updates to be notified by email when a security update is published.

CVE-2021-44228 and CVE-2021-45046

Talend is aware of the recently disclosed vulnerabilities in the open-source Apache Software Foundation "Log4j2" utility, reported under CVE-2021-44228 and CVE-2021-45046 and both rated critical. Talend has patched all relevant Products to remedy these vulnerabilities.

Product-specific information regarding remediation efforts is provided below. Certain Talend Products may require configuration changes, which will be shared as they become available. Until Log4j 2.16.0 has been deployed, please follow the mitigation steps below.

CVE-2021-45105 and CVE-2021-44832

Talend is aware of the recently disclosed medium-severity vulnerabilities in the open-source Apache Software Foundation "Log4j2" utility, reported under CVE-2021-45105 and CVE-2021-44832.

CVE-2021-45105 applies only when the logging configuration uses a non-default Pattern Layout containing a Context Lookup (for example $${ctx:loginId}). By default, Talend Products do not use Context Lookups, so the vulnerability applies only if the Customer has manually changed the logging configuration. For Customers who have done so, CVE-2021-45105 is addressed in Log4j 2.17.0. For Remote Engine Gen1, Talend addressed CVE-2021-45105 by updating to Log4j 2.17.0 in version 2.11.7.

CVE-2021-44832 applies only when the logging configuration uses a JDBC appender with a JNDI data source, or when an attacker is able to modify the log4j configuration. Talend Products do not use a JDBC appender for logging by default. CVE-2021-44832 is addressed in Log4j 2.17.1.

Both medium-severity CVEs are resolved by Log4j 2.17.1, which will be delivered in Talend's monthly patch as part of its Continuous Maintenance Development process.
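The two preconditions stated above (a Context Lookup inside a Pattern Layout for CVE-2021-45105, a JDBC appender backed by a JNDI data source for CVE-2021-44832) together with the fix versions cited on this page can be turned into a quick self-check. The following Python script is an added example, not Talend's code or support tooling: given the log4j-core version and the log4j2.xml a product actually loads, it reports which of the four CVEs still apply. The two sample configurations are constructed for illustration and are not Talend's shipped files, and the fix versions assume the Log4j 2.x main line (the 2.12.x and 2.3.x back-port branches have their own fix releases).

```python
import re
import xml.etree.ElementTree as ET

# Version at which each CVE is fixed on the Log4j 2.x main line.
# Assumption: the 2.12.x / 2.3.x back-port branches are not covered here.
FIXED_IN = {
    "CVE-2021-44228": (2, 15, 0),
    "CVE-2021-45046": (2, 16, 0),
    "CVE-2021-45105": (2, 17, 0),
    "CVE-2021-44832": (2, 17, 1),
}

# ${ctx:...} and the deferred form $${ctx:...} are Context Lookups.
# %X{key} is the MDC pattern converter, not a lookup, and is not matched.
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:")


def parse_version(version):
    """'2.17.1' -> (2, 17, 1); a missing patch level counts as 0, '-rc1' etc. is ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError("not a Log4j version string: %r" % version)
    return tuple(int(x or 0) for x in m.groups())


def _elements(config_xml, name):
    """Yield elements whose tag matches name case-insensitively
    (Log4j resolves plugin element names without regard to case)."""
    for el in ET.fromstring(config_xml).iter():
        if el.tag.lower() == name.lower():
            yield el


def uses_context_lookup(config_xml):
    """CVE-2021-45105 precondition: a PatternLayout whose pattern contains a Context Lookup."""
    for layout in _elements(config_xml, "PatternLayout"):
        pattern = layout.get("pattern", "")
        for child in layout:  # the pattern may also be given as a <Pattern> child
            if child.tag.lower() == "pattern" and child.text:
                pattern += child.text
        if CTX_LOOKUP.search(pattern):
            return True
    return False


def uses_jdbc_jndi_datasource(config_xml):
    """CVE-2021-44832 precondition: a JDBC appender backed by a JNDI <DataSource>."""
    for jdbc in _elements(config_xml, "JDBC"):
        if any(child.tag.lower() == "datasource" for child in jdbc):
            return True
    return False


def applicable_cves(version, config_xml):
    """Return the CVEs that still apply to this log4j-core version and configuration."""
    v = parse_version(version)
    preconditions = {
        "CVE-2021-45105": uses_context_lookup,
        "CVE-2021-44832": uses_jdbc_jndi_datasource,
    }
    return [
        cve for cve, fixed in FIXED_IN.items()
        if v < fixed and preconditions.get(cve, lambda _: True)(config_xml)
    ]


# Constructed sample: a stock-style configuration with a plain PatternLayout,
# MDC values rendered via %X (not a lookup), and no JDBC appender.
DEFAULT_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %-5p [%t] %c{1.} %X{requestId} - %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Console"/></Root>
  </Loggers>
</Configuration>"""

# Constructed sample: a customised configuration of the kind the advisory warns about,
# with a Context Lookup in the pattern and a JDBC appender using a JNDI DataSource.
CUSTOM_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout>
        <Pattern>%d %-5p user=$${ctx:loginId} %c - %m%n</Pattern>
      </PatternLayout>
    </Console>
    <JDBC name="Db" tableName="app_log">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="ts" isEventTimestamp="true"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="Console"/>
      <AppenderRef ref="Db"/>
    </Root>
  </Loggers>
</Configuration>"""


if __name__ == "__main__":
    for ver in ("2.14.1", "2.16.0", "2.17.0", "2.17.1"):
        print(ver, "default:", applicable_cves(ver, DEFAULT_CONFIG),
              "custom:", applicable_cves(ver, CUSTOM_CONFIG))
```

Run it against the log4j2.xml the product actually loads and the version string from the log4j-core jar's MANIFEST.MF (Implementation-Version), not against a version read from a file name. The check is deliberately narrow: it reports CVE-2021-45105 and CVE-2021-44832 only when the configuration meets the preconditions the advisory describes, so a configuration nobody has customised comes back clean on 2.16.0 even though the final fix level is 2.17.1.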

If you need additional details or assistance, please contact Talend Support through the Talend Support portal (https://login.talend.com/support-login.php) or by e-mail at customercare@talend.com.

Apache Log4j Security Vulnerabilities Summary

Fix versions refer to the Log4j 2.x main line. Scores are CVSS 3.x base scores as published by NVD.

CVE Number       CVSS 3.x Base Score   NVD Published Date   Fixed in 2.15.0   Fixed in 2.16.0   Fixed in 2.17.0   Fixed in 2.17.1
CVE-2021-44228   10.0 Critical         12/10/2021           Yes               Yes               Yes               Yes
CVE-2021-45046    9.0 Critical         12/14/2021           No                Yes               Yes               Yes
CVE-2021-45105    5.9 Medium           12/18/2021           No                No                Yes               Yes
CVE-2021-44832    6.6 Medium           12/28/2021           No                No                No                Yes

See also: Apache Log4j Security Vulnerabilities (https://logging.apache.org/log4j/2.x/security.html)