
Log4j2 Issue (CVE-2021-44228)

Publication Date: January 24th, 2022 

Important: For more recent security updates, see the Trust Center Updates section on Qlik Security Portal. Subscribe to the Trust Center Updates to be notified by email when a security update is published.

CVE-2021-44228 and CVE-2021-45046

Talend is aware of the recently disclosed vulnerabilities related to the open-source Apache Software Foundation “Log4j2” utility (reported under CVE-2021-44228 and CVE-2021-45046 as critical severity level). Talend has patched all relevant Products to remedy these vulnerabilities.

Here, you can find additional Product-specific information regarding remediation efforts. Certain Talend Products may require configuration changes, which will be shared as they become available. Until deployment of Log4j v2.16, please follow the steps below.

CVE-2021-45105 and CVE-2021-44832

Talend is aware of the recently disclosed medium severity vulnerabilities reported under CVE-2021-45105 and CVE-2021-44832 related to the open-source Apache Software Foundation “Log4j2” utility.

CVE-2021-45105 is only applicable when the logging configuration uses a non-default Pattern Layout with a Context Lookup. By default, Talend Products do not use Context Lookups, meaning the vulnerability is only applicable if the Customer manually changed the logging configuration. For Customers that manually changed the logging configuration, the CVE-2021-45105 vulnerability is addressed in Log4J 2.17.0. For Remote Engine Gen1, Talend addressed the CVE-2021-45105 vulnerability by updating to Log4J 2.17.0 in version 2.11.7.

CVE-2021-44832 is only applicable when the logging configuration uses a JDBC appender with a JNDI data source, or the log4j configuration is modified by an attacker. Talend products do not use a JDBC appender by default for logging. The CVE-2021-44832 vulnerability is addressed in Log4J 2.17.1.

Both medium-severity CVEs are resolved with Log4j 2.17.1, which will be released during Talend’s monthly patch within its Continuous Maintenance Development process.
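To check whether a manually changed logging configuration meets either precondition described above, the following added example (not Talend or Apache code) audits a Log4j2 XML configuration for a Context Lookup inside a Pattern Layout and for a JDBC appender with a JNDI data source. The sample configurations and the function names are constructed for illustration; a finding means the precondition is present, and the Log4j version in use still decides whether the CVE applies.

```python
import re
import xml.etree.ElementTree as ET

CTX_LOOKUP = re.compile(r"\$\{ctx:", re.IGNORECASE)  # matches ${ctx:...} and $${ctx:...}

def _kind(el):
    # Log4j2 XML names are case-insensitive; strict mode uses <Appender type="JDBC">.
    tag = el.tag.rsplit("}", 1)[-1].lower()
    if tag in ("appender", "layout") and el.get("type"):
        return el.get("type").lower()
    return tag

def audit_log4j2_config(xml_text):
    """Return (cve, detail) findings for one Log4j2 XML configuration."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        kind = _kind(el)
        if kind == "patternlayout":
            patterns = [el.get("pattern", "")]
            patterns += [c.text or "" for c in el if _kind(c) == "pattern"]
            for p in patterns:
                if CTX_LOOKUP.search(p):
                    findings.append(("CVE-2021-45105", "Context Lookup in pattern: " + p.strip()))
        elif kind == "jdbc":
            for c in el:
                if _kind(c) == "datasource" and c.get("jndiName"):
                    findings.append(("CVE-2021-44832", "JDBC appender with JNDI data source: " + c.get("jndiName")))
    return findings

# Constructed sample: Thread Context Map pattern (%X), no JDBC appender.
DEFAULT_STYLE = """<Configuration><Appenders><Console name="Console">
  <PatternLayout pattern="%d %-5p [%X{loginId}] %c - %m%n"/>
</Console></Appenders></Configuration>"""

# Constructed sample: manually changed configuration meeting both preconditions.
MODIFIED = """<Configuration><Appenders>
  <Console name="Console">
    <PatternLayout pattern="%d %-5p [$${ctx:loginId}] %c - %m%n"/>
  </Console>
  <JDBC name="db" tableName="logs">
    <DataSource jndiName="java:/comp/env/jdbc/LoggingDataSource"/>
    <Column name="message" pattern="%m"/>
  </JDBC>
</Appenders></Configuration>"""

if __name__ == "__main__":
    for cve, detail in audit_log4j2_config(MODIFIED):
        print(cve, "-", detail)
```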

If you need additional details or assistance, please contact Support on the Customer Portal: http://customerportal.qlik.com.

Apache Log4j Security Vulnerabilities Summary

| CVE Number | Base 3.x CVSS Score | NVD Published Date | Fixed in Log4j 2.15.0 | Fixed in Log4j 2.16.0 | Fixed in Log4j 2.17.0 | Fixed in Log4j 2.17.1 |
|---|---|---|---|---|---|---|
| CVE-2021-44228 | 10.0 Critical | 12/10/2021 | Yes | Yes | Yes | Yes |
| CVE-2021-45046 | 9.0 Critical | 12/14/2021 | No | Yes | Yes | Yes |
| CVE-2021-45105 | 5.9 Medium | 12/14/2021 | No | No | Yes | Yes |
| CVE-2021-44832 | 6.6 Medium | 12/28/2021 | No | No | No | Yes |

Apache Log4j Security Vulnerabilities
