Full Installer Release 7.3.1-R2022-09-RT (monthly release cumulative patch)

Caution

This release contains a complete updated Talend ESB Runtime 7.3.1., with its installer. It is not meant to be installed as a patch but as a new ESB runtime installation. All services have to be redeployed on this new installation.

Introduction

This release is a complete ESB runtime setup that would serve as a target version for future monthly patches. It is cumulative, i.e. includes the previous generally available patches from Talend ESB Runtime 7.3.1. as well as the original 7.3.1 ESB runtime setup.

Talend re-issued license emails for all its ESB Runtime 7.3.1 customers, with the appropriate download link according to the product you’ve subscribed to.

IMPORTANT: This cumulative patch includes the fix for CVE-2021-40684, details can be found here https://jira.talendforge.org/browse/SF-141

Installation

Please refer to the installation instructions (https://document-link.us.cloud.talend.com/searchinstallruntime?env=prd&lang=en&version=cl) to install this new runtime.

Please note that a performance regression has been identified with some JDK 11 versions, the recommended version for it is 11.0.16, as updated in the documentation portal.

Fixed issues

This patch contains the following fixes:

TPRUN

• TPRUN-3908: CVE-2022-45589 - SQL injection fix
• TPRUN-4218: class com.ctc.wstx.sw.SimpleNsStreamWriter cannot be cast to class org.codehaus.stax2.XMLStreamWriter2
• TPRUN-4375: R2022-07-RT issue: Deploy/Undeploy is refreshing the other features/bundles
• TPRUN-4293: Use netty-common-4.1.68.Final
• TPRUN-4143: CVE-2022-2048 - Update of Jetty in TESB to 9.4.48
• TPRUN-4408: Align cglib versions in Runtime Container
• TPRUN-4420: Some Runtime features cannot be installed after installing R2022-07-RT
• TPRUN-3544: CXF version upgrade to 3.4.7
• TPRUN-3908: SQL Injection
• TPRUN-3683: Remove MSSQL from the system classpath in Talend ESB
• TPRUN-3597: Runtime Patch causing slow service responses with "UserNameToken" auth.
• TPRUN-3621: Patch_20220408_R2022-04_v2-RT-7.3.1 causing issue in runtime startup
• TPRUN-3585: groovy FastStringUtils uses wrong classloader when executing routes
• TPRUN-3251: [7.3.1] Core framework update: Camel 2.24.2 to 2.25.4
• TPRUN-3432: [7.3.1] Ensure no vulnerable Spring versions are introduced through Karaf feature dependencies.
• TPRUN-3402: Update of jackson-databind in TESB (CVE-2020-36518)
• TPRUN-3422: Change groovy bundles start-level
• TPRUN-3404: [7.3.1] Apply patch with tesb:start-all
• TPRUN-3355: [7.3,R2022-02]ESB resource file not found error
• TPRUN-3065: Feature camel-spring-redis
• TPRUN-3214: Update pax logging to 1.11.15 in Talend ESB runtime
• TPRUN-2601: Make password encryption algorithm configurable + stronger
• TPRUN-2631: Update AlgorithmSuite in etc/org.talend.esb.job.saml.policy
• TPRUN-3234: Duplicated entry on file MANIFEST.MF inside patch R2022-02-RT
• TPRUN-3040: Remove or replace dependencies on log4j version 1.x
• TPRUN-3157: CVE-related update of xstream to 1.4.19
• TPRUN-3047: Log4J Vulnerabilty - ActiveMQ WebConsole embedded on Runtime
• TPRUN-3165: [7.3] Update ant version used with Talend ESB
• TPRUN-3133: SAM with JDK11 and groovy is causing a delay in service response
• TPRUN-3074: Integrate jobserver 7.3.1.20220207_1020_patch
• TPRUN-2228: Jetty update to 9.4.43
• TPRUN-3054: Upgrade groovy to 2.5.13
• TPRUN-2915: Authorization fail for DemoService and DemoConsumerjob with error "No certificates for user"
• TPRUN-3009: Bundle aux-storage-service-rest fails with Exception caught loading external properties
• TPRUN-2553: Connecting to two SAP instances from same ESB container with datasource
• TPRUN-2826: CVE-related update of pax-logging in Talend ESB runtime to 1.11.13
• TPRUN-2823: CVE-related update of Apache security in Talend ESB
• TPRUN-2792: Pax-Logging broken after installing TPS-5061
• TPRUN-2795: client.sh/client.bat file permission wrong in patch TPS-5061
• TPRUN-2699: [CVE] Update of log4j2 and pax-logging because of GHSA-xxfh-x98p-j8fr
• TPRUN-2379: [7.3.1] Handle CVEs for Talend ESB runtime R2021-11
• TPRUN-2323: "Component must have a valid id" when adding <cxf:bus> element in route's spring tab
• TPRUN-2131: The destination File is overridden when option fileExist is set to Append
• TPRUN-1874: Native Library .dll already loaded in another classloader
• TPRUN-1846: ESB Runtime deploys unauthenticated Jolokia by default
• TPRUN-1683: Unable to resolve org.talend.esb.event-logging.elasticsearch-client while installing Runtime patch
• TPRUN-1043: Karaf patch for cve-2020-11980 in Talend ESB runtime 7.3.1
• TPRUN-1235: Update of CXF to 3.3.11
• TPRUN-1234: Update of Jetty to 9.4.39 or later
• TPRUN-1232: Update json-smart(-action) to 2.4.7 in tesb-eventlogging
• TPRUN-1046: Manage default passwords in Runtime: Remove, make changeable and encrypt
• TPRUN-1091: [CVE HIGH] Correct vulnerable transitive dependency of Avro 1.8.2 on commons-compress
• TPRUN-1090: Upgrade XStream to 1.4.17
• TPRUN-1012: When a route is deployed to runtime with talend-data-mapper, it restarts/refreshes all the routes that have been deployed already to runtime
• TPRUN-1099: Error on runtime start: Could not start the servlet context for context path []
• TPRUN-733: [Runtime] Update CXF to 3.3.10 due to CVE-2020-1954
• TPRUN-919: Update XML Graphics dependency in Syncope
• TPRUN-915: Update Apache ActiveMQ to 5.15.15
• APPINT-32936: CVE:Upgrade commons-codec-1.11 to 1.15
• APPINT-32767: cREST overwrite Content-Language header on runtime
• APPINT-32586: Upgrade XStream to 1.4.16
• APPINT-32722: Update Json-smart to 2.4.2
• APPINT-32247: Already deployed Routes get refreshed when deploying/undeploying Route with Groovy
• APPINT-31889: (Runtime) Update Jackson version to 2.11.4
• APPINT-32214: Unexpected logging to Talend ESB Karaf console
• APPINT-32161: Update authorization test keys as they have expired
• APPINT-31681: Don't require keystore configuration if signing events is disabled
• APPINT-31916: CVE: Upgrade Jetty version
• APPINT-31812: Performance issues with Runtime, SAM after upgrade
• APPINT-31736: bean-validator: Unable to initialize 'javax.el.ExpressionFactory'
• APPINT-31470: Error when trying to connect to WebSocket from Runtime
• APPINT-31663: Update BouncyCastle to 1.68 to fix CVE-2020-28052
• APPINT-31578: Issue applying TPS-4527/Patch_20201218_R2020-12_v1-RT-7.3.1: Error downloading mvn:org.bouncycastle/bcprov-jdk15on/1.65
• APPINT-30779: High CPU consumption by ESB routes in 7.3.1 version
• APPINT-30782: Already deployed Routes got refreshed when deploy the Route with camel-bean-validator, camel-aws, etc as dependencies
• APPINT-30580: Update Jackson to 1.9.15-TALEND
• APPINT-30326: Remove camel-quartz dependency from Event Logging
• APPINT-30241: Update Jolokia to 1.6.2
• APPINT-30238: Update Camel features to pick up CVE fixes
• APPINT-30166: Update Snakeyaml to 1.26
• APPINT-30125: Update Cryptacular version
• APPINT-28497: Update Apache Tika to 1.24.1 + Jackrabbit to 2.18.6
• APPINT-31051: No more authentication methods available
• APPINT-30992: Conflicting spifly bundle versions leading to jetty random behaviour
• APPINT-30676: ESB patch doesn't remove all previous talend-data-mapper features
• APPINT-30396: Issue with 'sleep 10' during ESB patch installation
• APPINT-30308: Error Updating talend-data-mapper in Unix
• APPINT-29858: unresolved dependencies [(&(language=js)(objectClass=org.apache.camel.spi.LanguageResolver))] with Java 11
• APPINT-29867: Avoid org.talend.libraries.jmx export META-INF.services
• APPINT-29786: Problems using groovy.json
• APPINT-29133: Update dom4j to 2.1.3
• APPINT-28966: MQTT: consume messages published before client starts up
• APPINT-29278: Swagger UI not getting updated
• APPINT-29223: Unsolicited restart of Talend resources while deploying/undeploying routes
• APPINT-28029: Update to use Spring 5.1.14.RELEASE

TPSVC

• TPRUN-3515: java.lang.ClassNotFoundException: org.talend.remote.commons.msg.client.request.CheckServerMessage cannot be found by org.talend.remote.jobserver.server7.3.1.202203211200_patch
• TPRUN-2345: Harden message deserialization ( backport to 7.3 )
• TPRUN-2464 Error "java.lang.NoClassDefFoundError: org/apache/log4j/Logger" on restarting jobserver after removing log4j-1.2.16.jar
• TPRUN-2543 Fix compatibility statement logged at JobServer startup
• TPRUN-1805 Include the possibility to define the certificate password when defining the SSL on jobserver and runtime
• TPRUN-392 Update vulnerable ANT version in 7.3 JobServer
• TPRUN-326 Change JobServer encryption to use aesGCM
• TPSVC-16933 Update Jackson to 2.11.4 or exclude if not needed
• TPSVC-16967 Update HttpClient version to 4.5.13
• TPSVC-16969 Update Commons IO to 2.8.0
• TPSVC-16934 Update BeanUtils to 1.9.4 and Bouncy Castle Provider to 1.68
• TPSVC-13908 JobServer lifecycle broken in OSGi environments
• TPSVC-16463: Upgrade jobserver dependency libraries version
• TPSVC-14107: Parameter Delimiter tab (\t) treated as string in tFileOuputDelimited if artifact published fromTalend Studio 7.2 and task published in 7.1 updated
• TPS-4318: JobServer memory leak related to ZeroMQ mailbox (TPSVC-12728)

TDM

• TDM-9289 Remove ExecutionProperties from the ExecutionStatus
• TDM-9278 [OldRuntime]Execution status is accumulated when there are multiple executions for a tHMap
• TDM-9226 Null item in JSON array is omitted on output
• TDM-9178 CVE: org.hibernate:hibernate-core:[5.0.9-5.3.20.Final]
• TDM-9033 Add representation options to reduce size of JSON output
• TDM-9029 NullPointerException on Show Document for JSON not matching data
• TDM-9018 tuj can't stopped (job tdmDIColumnsSingleColumn_ParallelizedJob can't be stopped)
• TDM-8946 Add capability to put and get values in a hashmap saved in the Runtime ExecutionProperties
• TDM-8927 One xml structure show as csv get error
• TDM-8903 Expression with combination of 0-scale Decimal and Trim input option fails
• TDM-8951 Restarting ESB Runtime produces 'Resource is not open' error in log
• TDM-8851 Option to wrap the output to the array even if there is a single object
• TDM-8683 Update XStream version used by TDM
• TDM-8856 Remove conflicting bundle mvn:org.talend.transform/org.apache.xml.resolver
• TDM-8843 EDI ISA16 should be used for component repetition, but Talend Studio is using the default of \ instead and not picking up the mapped ':'
• TDM-8810 cMAP - Output is lost if cMap is terminal
• TDM-8761 Eclipse runtime:route of main project use map refer reference project's customer bean throw warning
• TDM-8694 Message with single quote messes the XQuery
• TDM-8681 Security: Upgrade Commons Collections
• TDM-8682 Security: Hibernate dependency
• TDM-8660 EDI Reader not reporting wrong element on certain errors
• TDM-8659 tHMapRecord job run fail use spark 2.3 on 741 which created and works on 721
• TDM-8648 [tHMap]HL7V2 Warnings are not shown in the Run Log when an HL7v2 transformation is used
• TDM-8635 Remove dependency on DQ lib 6.0.1
• TDM-8603 Issue with upgrade to Studio 7.3.1
• TDM-8599 Replace avro-based configuration with regular JSON
• TDM-8580 Job with multiple tRunJob fail with NoClassDefFoundError
• TDM-8574 The specified value cannot be converted to the specified type
• TDM-8571 Can't connect to mysql db with JDK11
• TDM-8524 [internal] Prepare runtime for native compilation and GraalVM
• TDM-8516 Hikari DataSource and associated pool are not closed when route is stopped
• TDM-8484 Json with Map Group,structure can't show as csv
• TDM-8482 JSON Writer produces wrong XML Attributes
• TDM-8446 Facing memory issues with a job using TDM after migrating to 7.1
• TDM-8415 Support Map Group as root when writing Avro datum
• TDM-8409 tHMap with payload output of HL7V2 representation has an NPE execution error
• TDM-8391 JSON: problem to write array of map
• TDM-8364 TDM IO WriteURL broken
• TDM-8363 Map isn't working after "R2020-09" patch installation (Error: "Input to cast cannot be atomized")
• TDM-8359 Warning about overflow is incorrect for negative Cobol numbers
• TDM-8327 NumberFormatException when running an imported project with a Map rep on the output map element
• TDM-8326 Cobol Reader stops on 0xFF values with Variable Blocked format
• TDM-8323 show document for json/xml structure with UTF-8 BOM encoding will return error
• TDM-8318 Cobol Reader should silently truncate records with VB option
• TDM-8308 Implicit Decimal Not In Output
• TDM-8307 High memory usage by TDMEndpoint class in Runtime
• TDM-8293 highlight is not right when show document for json with null element or invisible group
• TDM-8225 cMap throws classcastException and not able to map a property from java bean
• TDM-8217 Warning should not be issued for BTS and FTS segments
• TDM-8210 Unable to MAP HL7 with CSV
• TDM-8198 Export more packages in org.talend.transform.saxonpe.osgi
• TDM-8163 Add new Function FormatDateTime
• TDM-8125 DatabaseLookup creating new DataSources for each message on the ESB
• TDM-8106 Remove dependency on org.codehaus.jackson in JSON io module
• TDM-8094 Databaselookup fails on new runtime unless it is a top-level expression
• TDM-8092 XML Reader should honor encoding set in the XML Representation
• TDM-8089 Problem with camel headers when cJMS and cMap are used
• TDM-8084 [7.3.1] Using thmap is getting an error when using a map with X125050HIPPA structure
• TDM-8074 Field alignment in positional flat file structures
• TDM-7969 TDM adds unencrypted passwords to error message
• TDM-7908 ReadNested within CSV or HashMap Representation fails
• TDM-7789 CSV reader should use the optimization done for the CSV writer
• TDM-7781 Result is incorrect when map attributes from xml to flat
• TDM-7780 Result is incorrect when map attributes from xml to json
• TDM-7427 data type optional segment is in test run result
• TDM-6896 Upgrade Saxon library to 9.9
• TDM-6619 Mapper bundles in state 'Failure' after deployment
• TPS-4793 [7.3.1] cMAP - Output is lost if cMap is terminal (TDM-8810)

Notes

ActiveMQ Web Console is not supported anymore

ESB runtime versions R2022-05 and above are shipped without the activemq-web-console feature. This feature has been removed from the product as a result of security measures taken against the Spring4Shell CVE (CVE-2022-22965).

Enhancement of the SAP connector add-on

The configuration of the "talend-sapjco3-connector" in version 5.5.1 allows to define additional SAP endpoints adding prefixed properties. Here is a sample for an endpoint named "PEERCONNECTIONPOOL":

jco.client.ashost = myfirsthost.example.org
jco.client.sysnr = 00
jco.client.client = 800
jco.client.user = DEVUSRA
jco.client.passwd = ***
jco.client.lang = EN
jco.destination.peak_limit = 10
jco.destination.pool_capacity = 3

endpoint.SAP_PEER_CONNECTION_POOL.jco.client.ashost = mysecondhost.example.org
endpoint.SAP_PEER_CONNECTION_POOL.jco.client.sysnr = 00
endpoint.SAP_PEER_CONNECTION_POOL.jco.client.client = 100
endpoint.SAP_PEER_CONNECTION_POOL.jco.client.user = DEVUSRB
endpoint.SAP_PEER_CONNECTION_POOL.jco.client.passwd = ***
endpoint.SAP_PEER_CONNECTION_POOL.jco.client.lang = EN
endpoint.SAP_PEER_CONNECTION_POOL.jco.destination.peak_limit = 10
endpoint.SAP_PEER_CONNECTION_POOL.jco.destination.pool_capacity = 3

Default AlgorithmSuite from Basic128Sha256 to Basic256Sha256 (TPRUN-2631)

All AlgorithmSuites of policies with SAML, are updated from Basic128Sha256 to Basic256Sha256 for these features:

• talend-job-controller
• tesb-locator-soap-service
• tesb-sam-service-soap

Configuration can be checked on these files, having value set to SAML:

If services are configured to use SAML:

• you need to ensure external clients (executing out of container) use an updated policy when reaching these endpoints
• you need to manually redeploy artifacts generated from Studio for models exposing/consuming endpoints using Service Locator or Service Activity Monitoring

Default Algorithm for password encryption/decryption (TPRUN-2601)

Algorithm encryption for all ENC(xxx) passwords is upgraded by default to PBEWITHSHA256AND256BITAES-CBC-BC. All passwords declared as ENC(xxx) in configuration files or Talend Administration Center must be regenerated through these commands in Runtime console (please ensure environment variable TESB_ENV_PASSWORD is set):

karaf@trun()> feature:install tesb-encryptor-command
karaf@trun()> tesb:encrypt-text {textToEncrypt}

Algorithm can be configured by setting environment variable TESB_ENV_ALGORITHM. If old ENC(xxx) values are still needed, update the algorithm to previous one by setting environment variable TESB_ENV_ALGORITHM to PBEWITHSHA256AND128BITAES-CBC-BC and restart Runtime.

Vulnerability to SQL injestion attacks

All versions before 7.3.1-R2022-09-RT of the Talend ESB Runtime are potentially vulnerable to SQL Injection attacks in the provisioning service only. Users of the provisioning service should upgrade to either 7.3.1-R2022-09-RT or a later release and use it in place of the previous version. Other Talend ESB Runtime services are not impacted by this vulnerability.