Security incident response information


Publication date: October 28, 2022

CVE-2022-3602 and CVE-2022-3786 Vulnerabilities in OpenSSL 3.0.x

Talend is aware of and monitoring the pre-announced OpenSSL 3.x (CVE-2022-3602 and CVE-2022-3786) security vulnerability.

Talend is scoping the remediation efforts throughout its Product portfolio and is in the process of developing fixes and remediations to address the vulnerability.



Update: November 1, 2022

To the best of our knowledge and the information currently available, Talend products are not impacted by the CVE-2022-3602 and CVE-2022-3786 security vulnerabilities present in OpenSSL 3.0.x.

While not directly exposed to the vulnerable versions of OpenSSL, we have proactively implemented preventive mitigations and continuous monitoring in Talend Cloud as an added precaution.



Publication date: October 20, 2022

Apache Commons Text variable interpolation (CVE-2022-42889)

Talend is aware of and monitoring the CVE-2022-42889 (Apache Commons Text, aka Text4Shell) security vulnerability.
Mitigations for the vulnerability were implemented in Talend Cloud on October 20, 2022, with no impact from the vulnerability observed prior to implementing the mitigations.
Talend is scoping the remediation efforts throughout its Product portfolio and is in the process of developing the code fix to address the impacted Products.



Update: October 24, 2022

The Apache Commons Text vulnerability CVE-2022-42889 only applies when the StringSubstitutor API is used with untrusted input. At Talend, we do not use the StringSubstitutor API directly with untrusted input in any of our on-prem products. We have not found any instance of a third-party dependency that we include with our products that uses StringSubstitutor in an insecure way. However, to fully remediate the issue we will be updating the Commons Text version for all of our impacted products.

The Apache Security team has released a statement to clarify the impact of CVE-2022-42889: https://blogs.apache.org/security/entry/cve-2022-42889

"This issue is different from Log4Shell (CVE-2021-44228) because in Log4Shell, string interpolation was possible from the log message body, which commonly contains untrusted input. In the Apache Common Text issue, the relevant method is explicitly intended and clearly documented to perform string interpolation, so it is much less likely that applications would inadvertently pass in untrusted input without proper validation."


Publication date: May 26, 2022

CVE-2022-31648


Publication date: May 3, 2022

CVE-2022-29942 and CVE-2022-29943


Publication date: April 5, 2022

Spring4Shell (CVE-2022-22965 and CVE-2022-22963)

Talend is aware of and monitoring the CVE-2022-22965 and CVE-2022-22963 security vulnerabilities to determine whether they affect any of our Talend products.

We have been working diligently on addressing the situation throughout our Product portfolio and are in the process of developing the code fix to address the impacted Products.

For updates on our investigation and what you can do to assist remediation or mitigation of the vulnerability, please periodically visit the documentation page located at https://help.talend.com/r/RUfDtlfQvuDzJUZC4P9Z9g/7G3ZMXPTMt2klpS~SJ0vtg

As of April 1, 2022, we implemented blocking of external exploitation attempts on Talend Cloud Products for these CVEs.


Publication date: February 10, 2022

CVE-2021-40684 and CVE-2021-42837


Publication date: January 18, 2022

Log4j2 Issue (CVE-2021-44228)

CVE-2021-44228 and CVE-2021-45046

Talend is aware of the recently disclosed vulnerabilities related to the open-source Apache Software Foundation "Log4j2" utility (reported under CVE-2021-44228 and CVE-2021-45046 at critical severity level). Talend has patched all relevant Products to remedy these vulnerabilities.

Here, you can find additional Product-specific information regarding remediation efforts. Certain Talend Products may require configuration changes, which will be shared as they become available. Until deployment of Log4j v2.16, please follow the steps below.

CVE-2021-45105 and CVE-2021-44832

Talend is aware of the recently disclosed medium-severity vulnerabilities reported under CVE-2021-45105 and CVE-2021-44832, related to the open-source Apache Software Foundation "Log4j2" utility.

CVE-2021-45105 only applies when the logging configuration uses a non-default PatternLayout with a Context Lookup. By default, Talend Products do not use Context Lookups, so the vulnerability only applies if the Customer manually changed the logging configuration. For Customers who manually changed the logging configuration, CVE-2021-45105 is addressed in Log4j 2.17.0. For Remote Engine Gen1, Talend addressed CVE-2021-45105 by updating to Log4j 2.17.0 in version 2.11.7.

CVE-2021-44832 only applies when the logging configuration uses a JDBC appender with a JNDI data source, or when the log4j configuration is modified by an attacker. Talend products do not use a JDBC appender for logging by default. CVE-2021-44832 is addressed in Log4j 2.17.1.
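The two applicability conditions above (a PatternLayout carrying a Context Lookup for CVE-2021-45105, and a JDBC appender backed by a JNDI data source for CVE-2021-44832) can be checked mechanically against a log4j2.xml before deciding whether a manually edited configuration needs attention. The following is an added example, not Talend's code; the two configurations it scans are constructed samples, and the function and constant names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# A Context Lookup in a layout pattern: "${ctx:key}" or the deferred form "$${ctx:key}".
CTX_LOOKUP = re.compile(r"\$\$?\{ctx:", re.IGNORECASE)


def attr(elem, name):
    """Case-insensitive attribute lookup (Log4j2 element and attribute names are case-insensitive)."""
    return next((v for k, v in elem.attrib.items() if k.lower() == name), None)


def audit_log4j2_config(xml_text):
    """Return (cve, detail) findings for the two conditions the advisory describes."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.lower()
        if tag == "patternlayout":
            # CVE-2021-45105 applies only when the pattern contains a Context Lookup;
            # the pattern may be an attribute or a nested <Pattern> element.
            pattern = attr(elem, "pattern") or "".join(
                c.text or "" for c in elem if c.tag.lower() == "pattern")
            if CTX_LOOKUP.search(pattern):
                findings.append(("CVE-2021-45105", "Context Lookup in pattern: " + pattern))
        elif tag == "jdbc":
            # CVE-2021-44832 applies only to a JDBC appender whose DataSource is resolved via JNDI.
            for child in elem:
                jndi = attr(child, "jndiname") if child.tag.lower() == "datasource" else None
                if jndi:
                    findings.append(("CVE-2021-44832", "JDBC appender %r uses JNDI DataSource %s"
                                     % (attr(elem, "name"), jndi)))
    return findings


# Constructed sample: a default-style console configuration (no findings expected).
SAFE_CONFIG = """<Configuration><Appenders>
  <Console name="Console"><PatternLayout pattern="%d [%t] %-5level %logger - %msg%n"/></Console>
</Appenders><Loggers><Root level="info"><AppenderRef ref="Console"/></Root></Loggers></Configuration>"""

# Constructed sample: a manually edited configuration that meets both conditions.
RISKY_CONFIG = """<Configuration><Appenders>
  <Console name="Console"><PatternLayout pattern="%d user=$${ctx:loginId} %msg%n"/></Console>
  <JDBC name="DbAppender" tableName="app_log">
    <DataSource jndiName="java:/comp/env/jdbc/LoggingDataSource"/>
    <Column name="message" pattern="%message"/>
  </JDBC>
</Appenders><Loggers><Root level="info"><AppenderRef ref="DbAppender"/></Root></Loggers></Configuration>"""

if __name__ == "__main__":
    for name, cfg in (("safe", SAFE_CONFIG), ("risky", RISKY_CONFIG)):
        print(name, audit_log4j2_config(cfg))
```

A configuration with no findings is the default situation the advisory describes; any finding means the stated Log4j 2.17.0 / 2.17.1 update (or reverting the manual edit) applies.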

Both medium-severity CVEs are resolved with Log4j 2.17.1, which will be released in Talend's monthly patch under its Continuous Maintenance Development process.

If you need additional details or assistance, please contact Talend Support on the Talend Support portal (https://login.talend.com/support-login.php) or by sending an e-mail to customercare@talend.com.


References

Apache Log4j2 CVE-2021-44228
Apache Log4j2 CVE-2021-45046
Apache Log4j Security Vulnerabilities


Changelog

2022.01.18
- TDC On-Prem section update

2022.01.07
- EOL versions evaluation sentence updated

2022.01.06
- “References” Section updated

2022.01.04
- “Summary” Table updated:

  • ESB Runtime 7.1.1 Patch information updated
  • Remote Engine Gen1 (Marketplace) patch information updated
  • Talend Cloud Application updated

2021.12.28
- “Summary” Table updated:

  • ESB Runtime 7.3.1 Patch information updated
  • LogServer 7.1.1 Patch information updated

2021.12.27
- “Summary” Table updated:

  • Talend Studio 7.2.1 and 7.1.1 Patch information updated
  • IAM 7.1.1 Patch information updated

2021.12.24
- “Summary” Table updated:

  • ESB Runtime 7.2.1 Patch information updated
  • Remote Engine Gen1 Patch information updated
  • Remote Engine Gen1 (Marketplace) Patch information updated
  • Talend Data Catalog Patch information updated

2021.12.23
- “Summary” Table updated:

  • ESB Runtime 7.3.1 Patch information updated: Pending Date
  • ESB Runtime 8.0.1 Patch information updated
  • Remote Engine Gen 1 Patch information updated: Pending Date
  • Talend Data Catalog Patch information updated: Pending Date

2021.12.22
- “Summary” Table updated:

  • Studio 7.3.1 Patch information updated

2021.12.21
- “Summary” Table updated with:

  • available patch information
  • Studio Mitigation information update

2021.12.20
- “Summary” Table updated:

  • ESB Runtime 7.1.1 Mitigation and Patch information added
  • IAM 7.1.1 Mitigation and Patch information added
  • LogServer 7.1.1 Mitigation and Patch information added
  • JobServer 7.1.1 Mitigation and Patch information added
  • MDM 7.1.1 Mitigation and Patch information added
  • Talend Administration Center (TAC) Mitigation and Patch information added
  • Talend Data Preparation 7.1.1 Mitigation and Patch information added
  • Talend Data Stewardship 7.1.1 Mitigation and Patch information added
  • Talend Studio On-prem 7.1.1 Mitigation and Patch information added

- Section “Mitigation steps for TAC” updated
- Section “Mitigation steps for ESB Runtime” updated with pre-requisite instructions for 7.2.1 and 7.1.1
- Section “Mitigation steps for Remote Engine Gen1” updated with optional step if “impersonate job” feature used

2021.12.17
- “Summary” Table updated:

  • Talend Data Preparation Mitigation and Patch information added
  • Talend Data Stewardship Mitigation and Patch information added
  • Talend Remote Engine Gen1 (Marketplace) Mitigation and Patch information added
  • Talend Studio Cloud Mitigation information updated
  • Talend Studio on-prem Mitigation and Patch 7.2 information updated

- Section “Mitigation steps for IAM” - startup script updated
- Section “Mitigation steps for MDM” - startup script updated
- Section “Mitigation steps for TAC” - startup script updated

2021.12.16
- “Summary” Table updated:

  • ESB Runtime patch information updated
  • Jobserver Mitigation and Patch information updated
  • MDM Mitigation updated
  • Remote Engine Gen1 Patch information updated
  • Talend Data Catalog Mitigation and Patch updated
  • Talend Studio Mitigation and Patch information updated

- Section “Mitigation steps for ESB Runtime” updated with new parameter JAVA_TOOL_OPTIONS
- Section “Mitigation steps for JobServer” updated with specific instructions per version
- Section “Mitigation steps for MDM” added
- Section “Mitigation steps for Remote Engine Gen1” updated with new parameter JAVA_TOOL_OPTIONS

2021.12.15
- Original version

Summary

Remediation for Talend Open Source is not in scope. End-of-life version evaluations have been completed. For further details, please contact Talend Support.

Additional Details

To keep the content up to date, the mitigation technical steps section has been moved to the “Log4j2 Issue (CVE-2021-44228)” section of the Talend Documentation site. The section is located at <https://document-link.us.cloud.talend.com/talend_log4j2_cve_statement?lang=en&version=latest&env=prd>


Frequently Asked Questions

Does Talend employ affected versions of Log4j in its software?
Yes. Certain Talend Services use Log4j2 or provide it to customers as part of their Services. Details regarding specific Talend Service versions and steps to address the issues are provided in the Security Incident Response.

Is Log4j part of any functionality a Talend customer uses when working with Talend?
Yes.

Does Talend have a patch available now or when will it be available?
Patches are specific to Talend Service, the version of the Talend Service, the severity of the risk, and other mitigating controls Talend maintains. While Talend has developed and implemented patches for the Apache Log4j2 vulnerability, the situation is dynamic, and updates are disclosed on a continuous basis. To stay up to date with the most relevant information, please refer to the table in the Summary section of this document.

How will Talend notify its customers and how will customers receive the patch?
We have reached out to Customers via registered support contacts with instructions to monitor the Security Incident response page. This page is updated regularly and is the best source for up-to-date information.

If Talend is hosting the customer's Talend instance, is Talend using Apache Log4j on any of its systems?
Yes. Certain Talend Services use Log4j2, or provide it to customers as part of their Services.

What steps has Talend taken to mitigate the threat?
Since disclosure of the Apache Log4j2 vulnerability, Talend has taken steps to identify all the instances where Apache Log4j2 is utilized within Talend Services, developed, and implemented patches where applicable and as needed, implemented other mitigating controls, and contacted Talend vendors regarding their exposure to Apache Log4j2.

Mitigation efforts, including software patches, are specific to Talend Service, the version of the Talend Service, and the severity of the risk. While Talend has developed patches for the Apache Log4j2 vulnerability, the situation is dynamic, and updates are disclosed on a continuous basis. To stay up to date with the most relevant information, please refer to the table in the Summary section of this document.

Is Talend monitoring its systems for any indication of compromise (IOC)?
Yes.

Have any of Talend's 3rd parties been affected by this threat?
Yes. Part of what makes the Apache Log4j2 vulnerability so severe is its widespread use. Talend is in the process of communicating with critical vendors to coordinate remediation.

Will Talend publish information related to versions which have reached their end of life (e.g. 5.X, 6.X, or earlier 7.X releases)?
Yes. Currently supported products are our priority. To determine whether a version is supported or has reached its end of life, please refer to Talend's Product support lifecycle: https://www.talend.com/technical-support/support-statements/. Please see the Summary table above for version-specific information.

When using Talend's dynamic distribution feature to connect to a cluster, is it necessary to rebuild/republish jobs to remediate the Log4j vulnerability?
Yes.

For Talend v7.3 and Talend v8.0, do I need to rebuild my Talend Jobs and Routes after installing the Studio patch?
Yes.