R2023-12-RT (monthly release cumulative patch)
Info | Value |
---|---|
Patch Name | Patch_20231201_R2023-12_v1-RT-7.3.1.R2022-09-RT |
Release Date | 2023-12-01 |
Target Version | 20221005_0949-7.3.1.R2022-09-RT |
Product affected | Talend ESB Runtime |
Introduction
This patch is cumulative. It includes the previous generally available patches from Talend ESB Runtime 7.3.1.R2022-09-RT.
NOTE: To download this patch, liaise with your Support contact at Talend.
Prerequisites
Consider the following requirements for your system:
Talend ESB Runtime 7.3.1.R2022-09-RT must be installed.
Depending on the product,
{container}
isTalend-ESB-V7.3.1.R2022-09-RT/container/
orTalend-Runtime-V7.3.1.R2022-09-RT/
-
Before applying the patch, and if old TDM patches have been installed (ie:
org.talend.transform.runtime.distrib-X.Y.Z_yyyyMMdd_HHmm.zip
), please check the repository files are actually available on system, using this command:karaf@trun()> feature:version-list talend-data-mapper | grep file Version | Repository | Repository URL --------------------+------------+--------------------------------------------------------------------------------------------------------- 7.3.1.R2022-09-RT.20200413_0622 | | file:/opt/TALEND/org.talend.transform.runtime.distrib-7.3.1.R2022-09-RT_20200413_0651/features.talend-esb.xml 7.3.1.R2022-09-RT.20200528_1359 | | file:/opt/TALEND/org.talend.transform.runtime.distrib-7.3.1.R2022-09-RT_20200528_1415/features.talend-esb.xml
Here for instance, check these files are available:
/opt/TALEND/org.talend.transform.runtime.distrib-7.3.1.R2022-09-RT_20200413_0651/features.talend-esb.xml
/opt/TALEND/org.talend.transform.runtime.distrib-7.3.1.R2022-09-RT_20200528_1415/features.talend-esb.xml
If not, make sure to re-extract the old TDM patches to make these files available at the above locations After successful execution of the current patch, these files can be removed
Before applying the patch, and if TAC is used, latest TAC patch should be installed
-
Before applying the patch, please change the following properties in file
{container}/etc/org.apache.karaf.jaas.cfg
encryption.enabled = true encryption.name = basic (or jasypt)
For all inserted properties:
- if property already present (commented or uncommented), won't insert
- if property not already present, will backup related file in dir
{container}/patches/Patch_20231201_R2023-12_v1-RT-7.3.1.R2022-09-RT/backup/
and insert property
For all updated properties:
- if property commented or not already present, won't update
- if property already present, will backup related file in dir
{container}/patches/Patch_20231201_R2023-12_v1-RT-7.3.1.R2022-09-RT/backup/
and update property
If any change required, update value after patch execution.
-
Patch will insert these properties in
{container}/etc/org.talend.remote.jobserver.server.cfg
:# Set password of server side ssl key (command and file server) - optional org.talend.remote.server.ssl.keyPassword=<jobserver_key_password> # Set password of server side ssl key (monitoring server) - optional org.talend.jmxmp.ssl.keyPassword=<monitoring_server_key_password> # Set this to true to disable hostname verification for the TACClient - optional #org.talend.remote.jobserver.commons.config.JobServerConfiguration.TLS_DISABLE_CN_CHECK=true # Max size in bytes that an unzipped archive is allowed to be. The default is 1G. org.talend.remote.jobserver.commons.config.JobServerConfiguration.MAX_UNZIPPED_SIZE=1073741824 # Max number of entries allowed in a zipped archive org.talend.remote.jobserver.commons.config.JobServerConfiguration.MAX_ZIPPED_ENTRIES=2048 # Maximum length of zip file names: org.talend.remote.jobserver.commons.config.JobServerConfiguration.MAX_ZIP_NAME_LENGTH=240 # Restrict the length of any folder name in paths inside the zip file: org.talend.remote.jobserver.commons.config.JobServerConfiguration.MAX_UNZIPPED_FOLDER_NAME_LENGTH=240 # Restrict the length of any file name inside the zip file: org.talend.remote.jobserver.commons.config.JobServerConfiguration.MAX_UNZIPPED_FILE_NAME_LENGTH=240 # Restrict the nesting levels of folders inside the zip file: org.talend.remote.jobserver.commons.config.JobServerConfiguration.MAX_ZIP_DEPTH=64 # Enable the Monitoring port or not. true by default org.talend.remote.jobserver.server.TalendJobServer.ENABLE_MONITORING_PORT=true # Set to true to enable authorization for all job file deployments ( Requires additional configuration for TAC and Studio. ) org.talend.remote.jobserver.commons.config.JobServerConfiguration.FILESERVER_AUTHORIZATION=false # Maximum number of file listeners, 0 = No limit org.talend.remote.jobserver.commons.config.JobServerConfiguration.MAX_FILE_LISTENERS=6000 # Maximum number of library dependencies embedded in a job org.talend.remote.jobserver.commons.config.JobServerConfiguration.MAX_LIBRARY_DESC_NB=1000 # Maximum size of all library dependency names for a job org.talend.remote.jobserver.commons.config.JobServerConfiguration.MAX_LIBRARY_DESC_SIZE=100KB # Maximum number of deployed jobs, 0 = No Limit org.talend.remote.jobserver.commons.config.JobServerConfiguration.MAX_JOB_NB=6000 # Max size that a job archive is allowed to be. The default is 1G, 0 = No limit org.talend.remote.jobserver.commons.config.JobServerConfiguration.MAX_JOB_FILE_SIZE=1G # Maximum size of TalendJobServersFiles/archiveJobs folder, 0 = No limit, 0 = No Limit org.talend.remote.jobserver.commons.config.JobServerConfiguration.MAX_ARCHIVES_DIR_SIZE=100G # Activate job archive signature, 1 or more values separated by comma (','). # Possible values are: # - 'ON_DEPLOY' (legacy & default if no correct value provided) # - 'ON_UPLOAD' (advised) org.talend.remote.jobserver.commons.config.JobServerConfiguration.JOB_ARCHIVE_SIGNATURE_CHECK=ON_DEPLOY
-
TPS-4318: JobServer memory leak related to ZeroMQ mailbox (TPSVC-12728) requires configuration in
{container}/etc/org.talend.remote.jobserver.server.cfg
:org.talend.remote.jobserver.server.TalendJobServer.ENABLED_PROCESS_MESSAGE=false
-
TPRUN-1846: feature
tesb-jmx-http-agent
based on jolokia has been removed due to security reasons. If jolokia is still needed, please manually use secured jolokia feature:feature:install jolokia
Authorized users are declared in
{container}/etc/users.properties
-
TPRUN-3009: default configuration in
{container}/etc/org.talend.esb.auxiliary.storage.service.cfg
for keysecurity.signature.properties
is:security.signature.properties = file:${tesb.home}/etc/keystores/serviceKeystore.properties
if custom changes have been made, ensure the value references an absolute path.
For instance, if expected keystore is{container}/etc/customKeystore.properties
, this previous declaration:security.signature.properties = customKeystore.properties
should be updated to:
security.signature.properties = file:${tesb.home}/etc/keystores/customKeystore.properties
The patch replaces the files
{container}/bin/trun
,{container}/bin/trun.bat
,{container}/bin/setmem
,{container}/bin/setmem.bat
, and{container}/bin/inc
. If you have made previous changes to one of these files, you should move them to the file{container}/bin/setenv
respectively{container}/bin/setenv.bat
. These files are meant for customizations and will not be replaced during patch application.
Installation
Container
- Start Runtime Container
- Extract & replace the content of ZIP directory
container
into{container}
directory
Structure after extract & replace should be :
{container}
├───bin : existing dir
├───deploy : existing dir
├───etc : existing dir
├───...
├───patches : dir from current or previous patch
│ └───Patch_20231201_R2023-12_v1-RT-7.3.1.R2022-09-RT
│ patch.bat
│ patch.commands
│ patch.sh
│ logs : directory for logs installation
├───system : existing dir
│ ├───... : existing dir
├───...
-
Ensure username/password are right in
{container}/patches/Patch_20231201_R2023-12_v1-RT-7.3.1.R2022-09-RT/patch.bat
or{container}/patches/Patch_20231201_R2023-12_v1-RT-7.3.1.R2022-09-RT/patch.sh
... -u {username} -p {password} -f patch.commands ...
Execute
{container}/patches/Patch_20231201_R2023-12_v1-RT-7.3.1.R2022-09-RT/patch.bat
or{container}/patches/Patch_20231201_R2023-12_v1-RT-7.3.1.R2022-09-RT/patch.sh
-
Ensure directory
{container}/patches/Patch_20231201_R2023-12_v1-RT-7.3.1.R2022-09-RT/logs
contains new log files :xxx-installation.log
: patch installation logxxx-init.log
: state before patch installation-
xxx-installed.log
: state after patch installation
Runtime patches may contain Java keystore updates. In this case, the previous keystores are preserved in the following places:Please note that Routes using cMap (TDM feature) are not automatically restarted by the patch procedure. You will need to restart the Runtime Container for changes to take effect.
- Keystores from
etc/keystores
are backed up in directory{container}/patches/Patch_20231201_R2023-12_v1-RT-7.3.1.R2022-09-RT/backup/etc/keystores/
. - Example keystores are backed up in the directory where they are found with the suffix
-backup-TIMESTAMP
.
Notes
Bundle resolution errors
The updates are performed in three iterations. During the first and second iteration bundle resolution errors are showing up on the console and in the logs. This is expected, and these errors are resolved in the third iteration. The total patch process takes several minutes, but should not exceed 15 minutes depending on the number of feature installed and the hardware.
Enhancement of the SAP connector add-on
The configuration of the "talend-sapjco3-connector" in version 5.5.1 allows to define additional SAP endpoints adding prefixed properties. Here is a sample for an endpoint named "PEERCONNECTIONPOOL":
jco.client.ashost = myfirsthost.example.org
jco.client.sysnr = 00
jco.client.client = 800
jco.client.user = DEVUSRA
jco.client.passwd = ***
jco.client.lang = EN
jco.destination.peak_limit = 10
jco.destination.pool_capacity = 3
endpoint.SAP_PEER_CONNECTION_POOL.jco.client.ashost = mysecondhost.example.org
endpoint.SAP_PEER_CONNECTION_POOL.jco.client.sysnr = 00
endpoint.SAP_PEER_CONNECTION_POOL.jco.client.client = 100
endpoint.SAP_PEER_CONNECTION_POOL.jco.client.user = DEVUSRB
endpoint.SAP_PEER_CONNECTION_POOL.jco.client.passwd = ***
endpoint.SAP_PEER_CONNECTION_POOL.jco.client.lang = EN
endpoint.SAP_PEER_CONNECTION_POOL.jco.destination.peak_limit = 10
endpoint.SAP_PEER_CONNECTION_POOL.jco.destination.pool_capacity = 3
Default AlgorithmSuite from Basic128Sha256 to Basic256Sha256 (TPRUN-2631)
All AlgorithmSuites of policies with SAML, are updated from Basic128Sha256 to Basic256Sha256 for these features:
talend-job-controller
tesb-locator-soap-service
tesb-sam-service-soap
Configuration can be checked on these files, having value set to SAML
:
Configuration file | Configuration key/value with SAML | Impacted endpoint |
---|---|---|
etc/org.talend.esb.locator.service.cfg | locator.authentication = SAML | http://localhost:8040/services/ServiceLocatorService |
etc/org.talend.esb.sam.service.soap.cfg | sam.service.soap.authentication = SAML | http://localhost:8040/services/MonitoringServiceSOAP |
If services are configured to use SAML:
- you need to ensure external clients (executing out of container) use an updated policy when reaching these endpoints
- you need to manually redeploy artifacts generated from Studio for models exposing/consuming endpoints using
Service Locator
orService Activity Monitoring
Default Algorithm for password encryption/decryption (TPRUN-2601)
Algorithm encryption for all ENC(xxx)
passwords is upgraded by default to PBEWITHSHA256AND256BITAES-CBC-BC
.
All passwords declared as ENC(xxx)
in configuration files or Talend Administration Center must be regenerated through these commands in Runtime console (please ensure environment variable TESB_ENV_PASSWORD
is set):
karaf@trun()> feature:install tesb-encryptor-command
karaf@trun()> tesb:encrypt-text {textToEncrypt}
Algorithm can be configured by setting environment variable TESB_ENV_ALGORITHM
.
If old ENC(xxx)
values are still needed, update the algorithm to previous one by setting environment variable TESB_ENV_ALGORITHM
to PBEWITHSHA256AND128BITAES-CBC-BC
and restart Runtime.
Runtime is failing to startup in some Linux distribution (TPRUN-5790)
To fix this issue, please follow the suggested method below:
- Stop the Runtime and make sure that there are no running associated processes
- Execute
{container}/patches/Patch_20231201_R2023-12_v1-RT-7.3.1.R2022-09-RT/startup-fix.sh
- Start the Runtime
R2023-12
Issues fixed in 2023-12
TPRUN
- TPRUN-7015: Security dependency updates for Talend ESB runtime 7.3.1.R2023-12
- TPRUN-6957: CVE-2023-46604 Update activemq in Talend ESB runtime to 5.15.16
TDM
CVE fixed in 2023-12
- CVE-2023-46120: com.rabbitmq:amqp-client 5.5.1 -> 5.18.0 (TPRUN-7015)
- CVE-2023-44483: xmlsec 2.1.7/2.2.3 -> 2.2.6 (TPRUN-7015)
- CVE-2023-46604: activemq 5.15.15 -> 5.15.16 (TPRUN-6957)
R2023-11
Issues fixed in 2023-11
TPRUN
- TPRUN-6915: [7.3.1] CVE Http2 update to Jetty 9.4.53.v20231009
TDM
- TDM-10480 Update Saxon PE license
CVE fixed in 2023-11
- CVE-2023-36478: jetty 9.4.51.v20230217 -> 9.4.53.v20231009 (TPRUN-6915)
- CVE-2023-36478: netty 4.1.86.Final -> 4.1.100.Final (TPRUN-6915)
- CVE-2023-43642: snappy-java 1.1.10.3 -> 1.1.10.4 (TPRUN-6915)
- CVE-2023-5072: json 20230227 -> 20231013 (TPRUN-6915)
R2023-10
Issues fixed in 2023-10
TPRUN
- TPRUN-6546: tesb-provisioning-agent feature is not patched
CVE fixed in 2023-10
- CVE-2022-45688: Json:20090211 (TPRUN-5904)
R2023-09
Issues fixed in 2023-09
TPRUN
- TPRUN-3553: Investigate message logging in case it is logging the authorization header
- TPRUN-6499: Fix remaining CVE warnings in TESB 7.3.1.
- TPRUN-6487: Findings in: snappy-java:1.1.2
- TPRUN-6502: batik-transcoder:1.16 | CVE-2022-44729
- TPRUN-6503: batik-script:1.16 | CVE-2022-44730
- TPRUN-6504: batik-bridge:1.16 | CVE-2022-44729
CVE fixed in 2023-09
- CVE-2023-34454,CVE-2023-34455: Findings in: snappy-java:1.1.2 (TPRUN-6487)
- CVE-2022-44729: batik-transcoder:1.16 (TPRUN-6502)
- CVE-2022-44730: batik-script:1.16 (TPRUN-6503)
- CVE-2022-44729: batik-bridge:1.16 (TPRUN-6504)
R2023-08
Issues fixed in 2023-08
TPRUN
- TPRUN-6239: ESB Integrate latest jobServer 7.3.1.202307120928patch
- TPRUN-6259: bcprov-jdk15on:1.69 | CVE-2023-33201
- TPRUN-6408: spring-security-config:5.6.9 | CVE-2023-34034
JobServer
- TPRUN-6209: [7.3.1, 8.0.1] NoClassDefFoundError: org/apache/commons/io/IOUtils when running a job on runtime & Incorrect jna dependency version
CVE fixed in 2023-08
- CVE-2023-33201: bcprov-jdk15on:1.69 (TPRUN-6259)
- CVE-2023-34034: spring-security-config:5.6.9 (TPRUN-6408)
R2023-07
Issues fixed in 2023-07
TPRUN
- TPRUN-6139 json-smart:2.4.7 | CVE-2023-1370
- TPRUN-6050 guava:30.1.1-jre | CVE-2020-8908
CVE fixed in 2023-07
- CVE-2023-1370: json-smart:2.4.7 (TPRUN-6139)
- CVE-2020-8908: guava:30.1.1-jre (TPRUN-6050)
R2023-06
Issues fixed in 2023-06
TPRUN
- TPRUN-5850 Findings in: jetty-http:9.4.49.v20220914
- TPRUN-5904 [7.3] Json:20090211 | CVE-2022-45688
- TPRUN-5790 [7.3.1] not able to start runtime RT2022-09 7.3.1 on linux ubuntu
- TPRUN-5845 Findings in: spring-expression:5.3.21
- TPRUN-5931 CVE-2022-40664/CVE-2022-32532 Apache Shiro update to 1.11.0.
CVE fixed in 2023-06
- CVE-2023-26049,CVE-2023-26048: Findings in: jetty-http:9.4.49.v20220914 (TPRUN-5850)
- CVE-2023-20863,CVE-2023-20861: Findings in: spring-expression:5.3.21 (TPRUN-5845)
- CVE-2022-40664,CVE-2022-32532: Apache Shiro update to 1.11.0 (TPRUN-5931)
R2023-05
Issues fixed in 2023-05
TPRUN
- TPRUN-5669 CVE-2023-20861 spring-expression:5.3.21
- TPRUN-5531 CVE-2022-40152 Update of woodstox-core to 5.4.0/6.4.0
- TPRUN-5630 CVE-2023-1370 Update json-smart to 2.4.9
- TPRUN-5629 CVE-2023-1430 Update jettison to 1.5.4
- TPRUN-5606 CVE-2021-37533 Update of commons-net to 3.9.0
- TPRUN-5600 CVE-2022-41966 Update of XStream to 1.4.20
- TPRUN-5492 Integrate jobserver 7.3.1.202303081111patch
JobServer
- TPRUN-4804 JobServer - Remove deprecated launch from shell script option
- TPRUN-4842 Check Archive Signature - set default behaviour to ON_UPLOAD and update documentation
- TPRUN-5363 synchronized method in copy() cause all deployment to be queued in "SENDING SCRIPT" in tac
- TPRUN-5249 Job execution failures with long classpaths and impersonation
- TPRUN-5106 JobServer client: provide a way to distinguish between recoverable and unrecoverable failures on JobServer side
CVE fixed in 2023-05
- CVE-2023-20861: spring-expression:5.3.21 (TPRUN-5669)
- CVE-2022-40152: Update of woodstox-core to 5.4.0/6.4.0 (TPRUN-5531)
- CVE-2023-1370: Update json-smart to 2.4.9 (TPRUN-5630)
- CVE-2023-1430: Update jettison to 1.5.4 (TPRUN-5629)
- CVE-2021-37533 Update of commons-net to 3.9.0 (TPRUN-5606)
- CVE-2022-41966 Update of XStream to 1.4.20 (TPRUN-5600)
R2023-03
Issues fixed in 2023-03
TPRUN
- TPRUN-5393: CVE-2022-4065 - remove testng dependency from groovy
- TPRUN-4976: [7.3.1] Update release notes with gen1/runtime common update reco
- TPRUN-4776: fix GracePeriod for route with groovy
- TPRUN-5024: camel-ruby removal
- TPRUN-5397: include migration script in patch
CVE fixed in 2023-03
- CVE-2022-4065 remove testng dependency from groovy (TPRUN-5393)
R2023-01
Issues fixed in 2023-01
TPRUN
- TPRUN-4027: [7.3.1] Exception when executing route with groovy
- TPRUN-5020: CVE-2022-40145 - backport security fix to TESB customized Karaf
- TPRUN-5023: CVE-2022-46364 - update CXF to 3.4.10
- TPRUN-5025: [7.3] Update ehcache to version 3 in tesb-authorization
- TPRUN-4871: [CVE-2022-31692] Spring-security update to 2.6.9.
Job Server
- TPRUN-3405: The FileListener does not jail the path to the jobserver deploy directory.
- TPRUN-1296: Backport 'Prevent path manipulation attack in the FileServer' to 7.3.
- TPRUN-3450: JobServer should not weaken TLS in the TACClient (backport to 7.3)
- TPRUN-3451: CommandServer Denial of Service vulnerability (backport to 7.3)
- TPRUN-3508: AuthorizationKey is logged
- TPRUN-3697: JobServer should close stream of temporary context.
- TPRUN-3604: Unzipper Incorrect size limit check and created files not deleted in case of error
- TPRUN-3777: Non thread safe ClasspathJar writing
- TPRUN-3679: Modularize function required for user impersonation.
- TPS-5285: [7.3.1] Code cleanup & deprecation of 'launchFromShellScript' (TPRUN-3775)
- TPRUN-3605: Unzipper add limits for nesting and path length.
- TPRUN-3784: Update JobServer configuration/docs related to TLS version
- TPRUN-3948: Align versions of JAVA source/target, dependencies and plugins on pom(s).xml
- TPS-5359: [7.3.1] JobServer File server has no authentication. (TPRUN-3518)
- TPRUN-4022: Update patch creation process
- TPRUN-3916: Use RockyLinux as base image for JobServer docker in tests
- TPRUN-4131: Check Zip Slip and Zip Symlink vulnerabilities
- TPRUN-4126: Upgrade to OSHI 6.2.2
- TPRUN-3836: Improve error message in case Job archive checks fail
- TPRUN-3523: Add ability to disable the monitoring service
- TPRUN-1740: Simplify approach to let users install patches and (windows) services
- TPRUN-4023: Reduce merging pain between active branches due to different logging framework
- TPRUN-4267: Folder name length check not working for ZIP without folder entries
- TPRUN-4238: Attempt to publish a large job (while FileServer authentication is available?) causes a command server timeout
- TPRUN-4400: JobServer client checkServer returns wrong compatibility info
- TPRUN-4255: Do not log warnings when properties are not set but default value exists
- TPRUN-4355: Ensure Copyright is up-to-date for JAVA classes with UnitTesting
- TPRUN-4269: After Unzipper Exception partially unzipped file remain
- TPRUN-3519: Add constraints on jobs to prevent DoS attacks
- TPS-5372: [7.3.1] Adding File path traversal guard (TPRUN-4050)
- TPRUN-4515: Delete deployedJobPath directory before re-deploying
- TPRUN-4486: JobServer - Cleanings
- TPRUN-4447: JobServer start_jconsole.bat script has wrong classpath
- TPRUN-4761: Issue with FileEventsPacket
- TPRUN-4048: Review Merge compulsory requirements
- TPRUN-4005: Reading issue due to improper locking of job resuming log
- TPRUN-3520: Check job archive signature
- TPRUN-4753: Job archives that do not have a signature can be executed
- TPS-5388: [7.3.1] Reading issue due to improper locking of job resuming log ( TPRUN-4005 )
- TPRUN-4523: Update osgi.cmpn to 5.0.0+ and org.osgi.core to 6.0.0+
- TPRUN-4892: parallel send protection error with tac and virtual servers
- TPRUN-4898: JobServer checks cause problems for TAC deployments
CVE fixed in 2023-01
- CVE-2022-40145: backport security fix to TESB customized Karaf (TPRUN-5020)
- CVE-2022-46364: update CXF to 3.4.10 (TPRUN-5023)
- CVE-2022-31692: spring-security update to 2.6.9 (TPRUN-4871)
R2022-11
Issues fixed in 2022-11
TPRUN
- TPRUN-4290: CVE-2022-34169: Xalan 2.7.2 is removed
- TPRUN-4514: CVE-2022-42003,CVE-2022-42004, jackson-databind-2.13.2.2.jar
- TPRUN-4561: CVE-2022-42889, org.apache.commons:commons-text:[1.4-1.9]
- TPRUN-4414: CVE-2022-40149: jettison upgrade to 1.5.1
- TPRUN-4497: Fail to execute "feature:install camel-spring-redis" on Runtime
- TPRUN-4695: Make access port configurable in tesb-derby-starter
- TPRUN-4971: [7.3.1] CVE-2022-30126,org.apache.tika:tika-core:1.27 - update to tika 1.28.4
- TPRUN-4706: Integrate jobserver 7.3.1.20221206_1150_patch
- TPRUN-4972: [7.3.1] Prevent runtime patches > R2022-07 from installing on default install
CVE fixed in 2022-11
- CVE-2022-34169: Xalan 2.7.2 is removed (TPRUN-4290)
- CVE-2022-42003,CVE-2022-42004: jackson-databind-2.13.2.2.jar (TPRUN-4514)
- CVE-2022-42889: org.apache.commons:commons-text:[1.4-1.9] (TPRUN-4561)
- CVE-2022-40149: jettison upgrade to 1.5.1 (TPRUN-4414)
- CVE-2022-30126: org.apache.tika:tika-core:1.27 - update to tika 1.28.4 (TPRUN-4971)
- CVE-2022-45589 : SQL Injection attacks vulnerability (since 7.3.1-2022-09-RT) (TPRUN-4777)