Security incident response information

This page has been deprecated since May 17, 2023 and updates have been discontinued.

The latest Talend Product CVEs can be found in the Talend Help Center and Security Bulletin announcements in the Security Portal.

UPDATED APRIL, 2023

Talend security advisories

CVE-2023-31444
CVE-2023-26263 and CVE-2023-26264
CVE-2022-45588 and CVE-2022-45589
Okta code repository breach disclosure
CVE-2022-3602 and CVE-2022-3786 Vulnerabilities in OpenSSL 3.0.x
Apache Commons Text variable interpolation (CVE-2022-42889)

CVE-2022-31648
CVE-2022-29942 and CVE-2022-29943
Spring4Shell (CVE 2022-22965; CVE-2022-22963)
CVE-2021-40684 and CVE-2021-42837
Log4j2 Issue (CVE-2021-44228)

Publication date: April 28, 2023

CVE-2023-31444

Advisory ID	Severity	Current Description	Patch	Updated	Link
CVE-2023-31444	🟥 High	Talend Studio microservices allow unauthenticated access to the Jolokia endpoint of the microservice. This allows for remote access to the JVM via the Jolokia JMX-HTTP bridge. Please note that only Talend Studio microservice deployments are impacted, Talend Studio itself and other Talend Studio components are not impacted. The ESB Runtime is also not impacted. Please update to at least versions 8.0.1-R2022-09 or 7.3.1-R2022-10 to fix the issue	8.0.1-R2022-09 7.3.1-R2022-10	04/28/2023	Read more

Publication date: March 28, 2023

CVE-2023-26263 and CVE-2023-26264

Advisory ID	Severity	Current Description	Patch	Updated	Link
CVE-2023-26264	🟧 Medium	All versions before 8.0-20220907 are potentially vulnerable to XML External Entity (XXE) attacks in the license parsing code. Users of Talend Data Catalog should upgrade to 8.0-20220907 or a later release.	8.0-20220907	04/21/2023	Read more
CVE-2023-26263	🟧 Medium	All versions before 8.0-20230110 are potentially vulnerable to XML External Entity (XXE) attacks in the /MIMBWebServices/license endpoint of the remote harvesting server. Users of Talend Data Catalog who are using the remote harvesting server should upgrade to 8.0-20230110 or a later release. A mitigation is that the remote harvesting server should have the remote address valve configured to only allow the MM server to connect. Credit: Ryan Wincey of Securifera, Stephen Yackey of Securifera, and Christian Weiler	8.0-20230110	04/21/2023	Read more

Advisory ID

Severity

Current Description

Patch

Updated

Link

CVE-2023-26264

🟧 Medium

All versions before 8.0-20220907 are potentially vulnerable to XML External Entity (XXE) attacks in the license parsing code. Users of Talend Data Catalog should upgrade to 8.0-20220907 or a later release.

8.0-20220907

04/21/2023

CVE-2023-26263

🟧 Medium

All versions before 8.0-20230110 are potentially vulnerable to XML External Entity (XXE) attacks in the /MIMBWebServices/license endpoint of the remote harvesting server. Users of Talend Data Catalog who are using the remote harvesting server should upgrade to 8.0-20230110 or a later release.

A mitigation is that the remote harvesting server should have the remote address valve configured to only allow the MM server to connect.
Credit: Ryan Wincey of Securifera, Stephen Yackey of Securifera, and Christian Weiler

8.0-20230110

04/21/2023

Publication date: February 01, 2023

CVE-2022-45588 and CVE-2022-45589

Advisory ID	Severity	Current Description	Patch	Updated	Link
CVE-2022-45588	🟥 High	All versions before R2022-09 of Talend's Remote Engine Gen 2 are potentially vulnerable to XML External Entity (XXE) type of attacks. Users should download the R2022-09 release or later and use it in place of the previous version. Talend Remote Engine Gen 1 and Talend Cloud Engine for Design are not impacted. Talend Analysis: This XXE vulnerability could only be exploited by someone with the appropriate rights to edit pipelines on the Talend platform. It could not be triggered remotely or by other user input.	R2022-09	04/04/2023	Read more
CVE-2022-45589	🟥 High	All versions before 8.0.1-R2022-10-RT and 7.3.1-R2022-09-RT of the Talend ESB Runtime are potentially vulnerable to SQL Injection attacks in the provisioning service only. Users of the provisioning service should upgrade to either 8.0.1-R2022-10-RT or 7.3.1-R2022-09-RT or a later release and use it in place of the previous version. Other Talend ESB Runtime services are not impacted by this vulnerability. Talend Analysis: The impact is limited as it requires administrative privileges to exploit.	8.0.1-R2022-10-RT 7.3.1-R2022-09-RT	04/04/2023	Read more

Publication date: December 22, 2022

Okta code repository breach disclosure

Talend security team is aware of the recent Okta code repository breach disclosure. Per Okta statement here, Talend system has not been impacted and Talend security team continue to monitor the situation.

Okta statement : "There is no impact to any customers, including any HIPAA, FedRAMP or DoD customers. No action is required by customers."

Publication date: October 28, 2022

CVE-2022-3602 and CVE-2022-3786 Vulnerabilities in OpenSSL 3.0.x

Talend is aware of and monitoring the pre-announced OpenSSL 3.x (CVE-2022-3602 and CVE-2022-3786) security vulnerability.

Talend is scoping the remediation efforts throughout its Product portfolio and is in the process of developing fixes and remediations to address the vulnerability.

Update: November 1, 2022

To the best of our knowledge and the information currently available, Talend products are not impacted by ** CVE-2022-3602 and CVE-2022-3786 ** security vulnerabilities present in OpenSSL 3.0.x

While not directly exposed to vulnerable version of OpenSSL, we have proactively implemented preventative mitigations and continuous monitoring in Talend Cloud as an added precaution.

Publication date: October 20, 2022

Apache Commons Text variable interpolation (CVE-2022-42889)

Talend is aware of and monitoring CVE-2022-42889 (Apache Commons Text aka Text4Shell) security vulnerability.
Mitigations for the vulnerability were implemented in Talend Cloud on October 20, 2022 with no observed impact as a result of the vulnerability prior to implementing the mitigations.
Talend is scoping the remediation efforts throughout its Product portfolio and is in the process of developing the code fix to address the impacted Products.

Update: October 24, 2022

The Apache Commons Text vulnerability CVE-2022-42889 only applies when the StringSubstitutor API is used with untrusted input. At Talend, we do not use the StringSubstitutor API directly in any of our on-prem products with untrusted input. We have not found any instance of a third-party dependency that we include with our products that uses StringSubstitutor in an insecure way. However, to fully remediate the issue we will be updating the Commons Text version for all our of impacted products.

The Apache Security team have released a statement to clarify the impact of CVE-2022-42889: https://blogs.apache.org/security/entry/cve-2022-42889

"This issue is different from Log4Shell (CVE-2021-44228) because in Log4Shell, string interpolation was possible from the log message body, which commonly contains untrusted input. In the Apache Common Text issue, the relevant method is explicitly intended and clearly documented to perform string interpolation, so it is much less likely that applications would inadvertently pass in untrusted input without proper validation."

Publication date: May 26, 2022

CVE-2022-31648

Advisory ID	Severity	Current Description	Patch	Updated	Link
CVE-2022-31648	🟧 Medium	Talend Administration Center is vulnerable to a reflected Cross-Site Scripting (XSS) issue in the SSO login endpoint. The issue is fixed for versions 8.0.x in TPS-5233, for versions 7.3.x in TPS-5324, and for versions 7.2.x in TPS-5235. Earlier versions of Talend Administration Center may also be impacted; and users are encouraged to update to a supported version.	TPS-5233 TPS-5234 TPS-5235	05/26/2022	Read more

Publication date: May 3, 2022

CVE-2022-29942 and CVE-2022-29943

Advisory ID	Severity	Current Description	Patch	Updated	Link
CVE-2022-29942	🟧 Medium	Talend Administration Center has a vulnerability that allows an authenticated user to use the Service Registry 'Add' functionality to perform SSRF HTTP GET requests on URLs in the internal network. The issue is fixed for versions 8.0.x in TPS-5189, versions 7.3.x in TPS-5175, and versions 7.2.x in TPS-5201. Earlier versions of Talend Administration Center may also be impacted; users are encouraged to update to a supported version.	TPS-5189 TPS-5175 TPS-5201	05/03/2022	Read more
CVE-2022-29943	🟧 Medium	Talend Administration Center has a vulnerability that allows an authenticated user to use XML External Entity (XXE) processing to achieve read access as root on the remote filesystem. The issue is fixed for versions 8.0.x in TPS-5189, versions 7.3.x in TPS-5175, and versions 7.2.x in TPS-5201. Earlier versions of Talend Administration Center may also be impacted; users are encouraged to update to a supported version.	TPS-5189 TPS-5175 TPS-5201	05/03/2022	Read more

Publication date: April 5, 2022

Spring4Shell (CVE 2022-22965; CVE-2022-22963)

Talend is aware of and monitoring CVE 2022-22965 and CVE-2022-22963 security vulnerabilities for whether they affect any of our Talend products.

We have been working diligently on addressing the situation throughout our Product portfolio and are in process of developing the code fix to address the impacted Products.

For updates on our investigation and what you can do to assist remediation or mitigation of the vulnerability, please periodically visit the documentation page located at https://help.talend.com/r/en-US/Spring4Shell-Disclosure-CVE-2022-22965

As of April 1, 2022, we implemented blocking of external exploitation attempts on Talend Cloud Products for these CVEs.

Publication date: February 10, 2022

CVE-2021-40684 and CVE-2021-42837

Advisory ID	Severity	Current Description	Patch	Updated	Link
CVE-2021-40684	🟥 Critical	Talend ESB Runtime in all versions from 5.1 to 7.3.1-R2021-09, 7.2.1-R2021-09, 7.1.1-R2021-09, has an unauthenticated Jolokia HTTP endpoint which allows remote access to the JMX of the runtime container, which would allow an attacker the ability to read or modify the container or software running in the container.	7.3.1-R2021-09, 7.2.1-R2021-09, 7.1.1-R2021-09	10/05/2021	read more
CVE-2021-42837	🟥 Critical	An issue was discovered in Talend Data Catalog before 7.3-20210930. After setting up SAML/OAuth, authentication is not correctly enforced on the native login page. Any valid user from the SAML/OAuth provider can be used as the username with an arbitrary password, and login will succeed.	7.3-20210930	11/08/2021	read more

Advisory ID

Severity

Current Description

Patch

Updated

Link

CVE-2021-40684

🟥 Critical

Talend ESB Runtime in all versions from 5.1 to 7.3.1-R2021-09, 7.2.1-R2021-09, 7.1.1-R2021-09, has an unauthenticated Jolokia HTTP endpoint which allows remote access to the JMX of the runtime container, which would allow an attacker the ability to read or modify the container or software running in the container.

7.3.1-R2021-09,

7.2.1-R2021-09,

7.1.1-R2021-09

10/05/2021

CVE-2021-42837

🟥 Critical

An issue was discovered in Talend Data Catalog before 7.3-20210930. After setting up SAML/OAuth, authentication is not correctly enforced on the native login page. Any valid user from the SAML/OAuth provider can be used as the username with an arbitrary password, and login will succeed.

7.3-20210930

11/08/2021

Publication date: January 18, 2022

Log4j2 Issue (CVE-2021-44228)

CVE-2021-44228 and CVE-2021-45046

Talend is aware of the recently disclosed vulnerabilities related to the open-source Apache Software Foundation “Log4j2" utility (reported under CVE-2021-44228 and CVE-2021-45046 as critical severity level). Talend has patched all relevant Products to remedy these vulnerabilities.

Here, you can find additional Product specific information regarding remediation efforts. Certain Talend Products may require configuration changes, which will be shared as they become available. Until deployment of Log4j v2.16, please follow the steps below.

CVE-2021-45105 and CVE-2021-44832

Talend is aware of the recently disclosed medium severity vulnerabilities reported under CVE-2021-45105 and CVE-2021-44832 related to the open-source Apache Software Foundation “Log4j2" utility.

CVE-2021-45105 is only applicable when the logging configuration uses a non-default Pattern Layout with a Context Lookup. By default, Talend Products do not use Context Lookups, meaning the vulnerability is only applicable if the Customer manually changed the logging configuration. For Customers that manually changed the logging configuration, the CVE-2021-45105 vulnerability is addressed in Log4J 2.17.0. For Remote Engine Gen1, CVE-2021-45105, Talend addressed the CVE-2021-45105 vulnerability by updating to Log4J 2.17.0 in version 2.11.7.

CVE-2021-44832 is only applicable when the logging configuration uses a JDBC appender with a JNDI data source, or the log4j configuration is modified by an attacker. Talend products do not use a JDBC appended by default for logging. The CVE-2021-44832 vulnerability is addressed in Log4J 2.17.1.

Both medium severities CVEs are resolved with Log4j 2.17.1., which will be released during Talend’s monthly patch within its Continuous Maintenance Development process.

If you need additional details or assistance, please contact Talend Support on Talend Support portal (https://login.talend.com/support-login.php) or by sending an e-mail to customercare@talend.com.

References

Apache Log4j2 CVE-2021-44228
Apache Log4j2 CVE-2021-45046
Apache Log4j Security Vulnerabilities

Changelog

2022.01.18
- TDC On-Prem section update

2022.01.07
- EOL versions evaluation sentence updated

2022.01.06
- “References” Section updated

2022.01.04
- “Summary” Table updated:

ESB Runtime 7.1.1 Patch information updated
Remote Engine Gen1 (Marketplace) patch information updated
Talend Cloud Application updated

2021.12.28
- “Summary” Table updated:

ESB Runtime 7.3.1 Patch information updated
LogServer 7.1.1 Patch information updated

2021.12.27
- “Summary” Table updated:

Talend Studio 7.2.1 and 7.1.1 Patch information updated
IAM 7.1.1 Patch information updated

2021.12.24
- “Summary” Table updated:

ESB Runtime 7.2.1 Patch information updated
Remote Engine Gen1 Patch information updated
Remote Engine Gen1 (Marketplace) Patch information updated
Talend Data Catalog Patch information updated

2021.12.23
- “Summary” Table updated:

ESB Runtime 7.3.1 Patch information updated: Pending Date
ESB Runtime 8.0.1 Patch information updated
Remote Engine Gen 1 Patch information updated: Pending Date
Talend Data Catalog Patch information updated: Pending Date

2021.12.22
- “Summary” Table updated:

Studio 7.3.1 Patch information updated

2021.12.21
- “Summary” Table updated with:

available patch information
Studio Mitigation information update

2021.12.20
- “Summary” Table updated:

ESB Runtime 7.1.1 Mitigation and Patch information added
IAM 7.1.1 Mitigation and Patch information added
LogServer 7.1.1 Mitigation and Patch information added
JobServer 7.1.1 Mitigation and Patch information added
MDM 7.1.1 Mitigation and Patch information added
Talend Administration Center (TAC) Mitigation and Patch information added
Talend Data Preparation 7.1.1 Mitigation and Patch information added
Talend Data Stewardship 7.1.1 Mitigation and Patch information added
Talend Studio On-prem 7.1.1 Mitigation and Patch information added

- Section “Mitigation steps for TAC” updated
- Section “Mitigation steps for ESB Runtime” updated with pre-requisite instructions for 7.2.1 and 7.1.1
- Section “Mitigation steps for Remote Engine Gen1” updated with optional step if “impersonate job” feature used

2021.12.17
- “Summary” Table updated:

Talend Data Preparation Mitigation and Patch information added
Talend Data Stewardship Mitigation and Patch information added
Talend Remote Engine Gen1 (Marketplace) Mitigation and Patch information added
Talend Studio Cloud Mitigation information updated
Talend Studio on-prem Mitigation and Patch 7.2 information updated

- Section “Mitigation steps for IAM” - startup script updated
- Section “Mitigation steps for MDM” - startup script updated
- Section “Mitigation steps for TAC” - startup script updated

2021.12.16
- “Summary” Table updated:

ESB Runtime patch information updated
Jobserver Mitigation and Patch information updated
MDM Mitigation updated
Remote Engine Gen1 Patch information updated
Talend Data Catalog Mitigation and Patch updated
Talend Studio Mitigation and Patch information updated

- Section “Mitigaton steps for ESB Runtime” updated with new parameter JAVA_TOOL_OPTIONS
- Section “Mitigaton steps for JobServer” updated with specific instructions per version
- Section “Mitigation steps for MDM” added
- Section “Mitigation steps for Remote Engine Gen1” updated with new parameter JAVA_TOOL_OPTIONS

2021.12.15
- Original version

Summary

Product	Cloud / On-Prem	Version	Mitigation	Patch
ESB Runtime	Both	8.0	Add "-Dlog4j2.formatMsgNoLookups=true" as a JVM argument and restart runtime. Additional details below in section « Mitigation steps for ESB Runtime »	TPS-5064-RT (23-DEC-2021)
		7.3	Add "-Dlog4j2.formatMsgNoLookups=true" as a JVM argument and restart runtime Additional details below in section « Mitigation steps for ESB Runtime »	TPS-5061-RT (28-DEC-2021)
		7.2	Additional details below in section « Mitigation steps for ESB Runtime »	TPS-5060-RT (23-DEC-2021)
		7.1.1 (EOL)	Impacted	TPS-5069 (23-DEC-2021)
IAM	On-Prem	8.0	Add "-Dlog4j2.formatMsgNoLookups=true" as a JVM argument and restart IAM. Additional details below in section « Mitigation steps for IAM »	TPS-5054 (17-DEC-2021)
		7.3	Add "-Dlog4j2.formatMsgNoLookups=true" as a JVM argument and restart IAM. Additional details below in section « Mitigation steps for IAM »	TPS-5055 (17-DEC-2021)
		7.2	Add "-Dlog4j2.formatMsgNoLookups=true" as a JVM argument and restart IAM. Additional details below in section « Mitigation steps for IAM »	TPS-5056 (17-DEC-2021)
		7.1.1 (EOL)	Impacted	TPS-5071 (27-DEC-2021)
JobServer	On-Prem	8.0	Set environment variable JAVA_TOOL_OPTIONS=-Dlog4j2.formatMsgNoLookups=true in JobServer start script and restart JobServer. Additional details below in section « Mitigation steps for JobServer »	TPS-5039 (17-DEC-2021)
		7.3	Set environment variable JAVA_TOOL_OPTIONS=-Dlog4j2.formatMsgNoLookups=true in JobServer start script and restart JobServer. Additional details below in section « Mitigation steps for JobServer »	TPS-5040 (16-DEC-2021)
		7.2	Set environment variable JAVA_TOOL_OPTIONS=-Dlog4j2.formatMsgNoLookups=true in JobServer start script and restart JobServer. Additional details below in section « Mitigation steps for JobServer »	TPS-5043 (17-DEC-2021)
		7.1.1 (EOL)	No Impact	No Impact
LogServer	On-Prem	8.0	see: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476	TPS-5057 (17-DEC-2021)
		7.3	see: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476	TPS-5058 (17-DEC-2021)
		7.2	see: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476	TPS-5059 (17-DEC-2021)
		7.1.1 (EOL)	Impacted	TPS-5072 (24-DEC-2021)
MDM	On-Prem	8.0	For MDM, the issue can be mitigated by specifying "-Dlog4j2.formatMsgNoLookups=true" as a JVM argument when starting Tomcat. For running jobs in MDM, the issue can be mitigated by modifying every logging pattern layout " %m" by " %m{nolookups}" in log4j-jobox.xml. See additional details in « Mitigation steps for MDM»	TPS-5052 (24-DEC-2021)
		7.3	For MDM, the issue can be mitigated by specifying "-Dlog4j2.formatMsgNoLookups=true" as a JVM argument when starting Tomcat. For running jobs in MDM, the issue can be mitigated by modifying every logging pattern layout " %m" by " %m{nolookups}" in log4j-jobox.xml. See additional details in « Mitigation steps for MDM »	TPS-5019 (21-DEC-2021)
		7.2	No Impact	No Impact
		7.1.1 (EOL)	No Impact	No Impact
Remote Engine Gen1	Both	All	Additional details below in section « Mitigation steps for Remote Engine Gen 1»	RE 2.11.7 (24-DEC-2021)
Remote Engine Gen1 (Marketplace)	Both	All	Additional details below in section « Mitigation steps for Remote Engine Gen 1»	RE 2.11.7 (31-DEC-2021)
Remote Engine Gen2	Both	All	If your Remote Engine Gen 2 is R2021-12, you need to restart each Remote Engine to automatically get the fix. If you are on lower version than R2021-12, you need to upgrade and restart to get the fix.	R2021-12
Stitch Data Loader	Cloud	All	No Impact	No Impact
Talend Administration Center (TAC)	On-Prem	8.0	set "-Dlog4j2.formatMsgNoLookups=true" as a JVM argument when starting Tomcat. See additional details in « Mitigation steps for TAC»	TPS-5053 (21-DEC-2021)
		7.3	set "-Dlog4j2.formatMsgNoLookups=true" as a JVM argument when starting Tomcat. See additional details in « Mitigation steps for TAC»	TPS-5025 (17-DEC-2021)
		7.2	No Impact	No Impact
		7.1.1 (EOL)	No Impact	No Impact
Talend Cloud Applications	Cloud	All	N/A	Fixed
Talend Data Catalog	Cloud	All	No Impact	No Impact
Talend Data Catalog	On-Prem	All	Update your environment to the latest TDC version which includes Apache Log4j v2.17, by upgrading to TDC-7.3-20220105 or higher.	TDC-7.3-20220105 (05-JAN-2022)
Talend Data Preparation	Both	8.0	No Impact	No Impact
		7.3.1	No Impact	No Impact
		7.2.1	No Impact	No Impact
		7.1.1 (EOL)	No Impact	No Impact
Talend Data Stewardship	Both	8.0	No Impact	No Impact
		7.3.1	No Impact	No Impact
		7.2.1	No Impact	No Impact
		7.1.1 (EOL)	No Impact	No Impact
Talend Studio	Cloud	8.0	For running jobs in the Studio, the issue can be mitigated by specifying: "-Dlog4j2.formatMsgNoLookups=true" as a JVM argument when running the job. Additional details below in section « Mitigation steps for Talend Studio»	R2021-12_v1 (23-DEC-2021)
		7.3	For running jobs in the Studio, the issue can be mitigated by specifying: "-Dlog4j2.formatMsgNoLookups=true" as a JVM argument when running the job. Additional details below in section « Mitigation steps for Talend Studio»	R2021-12_v2 (21-DEC-2021)
		7.2	For running jobs in the Studio, the issue can be mitigated by specifying: "-Dlog4j2.formatMsgNoLookups=true" as a JVM argument when running the job. Additional details below in section « Mitigation steps for Talend Studio»	TPS-5062 (27-DEC-2021)
	On-Prem	8.0	For running jobs in the Studio, the issue can be mitigated by specifying: "-Dlog4j2.formatMsgNoLookups=true" as a JVM argument when running the job. Additional details below in section « Mitigation steps for Talend Studio»	R2021-12_v1 (23-DEC-2021)
		7.3	For running jobs in the Studio, the issue can be mitigated by specifying: "-Dlog4j2.formatMsgNoLookups=true" as a JVM argument when running the job. Additional details below in section « Mitigation steps for Talend Studio»	R2021-12_v2 (21-DEC-2021)
		7.2	No impact on job execution Studio - Impact with license for Data Quality (Data Profiler using ElasticSearch)	TPS-5062 (27-DEC-2021)
		7.1.1 (EOL)	No impact on job execution Studio - Impact with license for Data Quality (Data Profiler using ElasticSearch)	TPS-5065 (27-DEC-2021)

Remediation for Talend Open Source is not in scope. End-of-Life versions evaluations have been completed. For further details, please contact Talend Support.