TPS-5998 (cumulative patch)
Info | Value |
---|---|
Patch Name | Patch_20241212_TPS-5998_v1 |
Release Date | 2024-12-12 |
Target Version | 20211109_1610-V8.0.1 |
Product affected | Talend MDM Server, Talend Studio |
Introduction
This patch is cumulative. It includes all previous delivered patches for MDM 8.0.1
NOTE: For information on how to obtain this patch, reach out to your Support contact at Talend.
Fixed issues
This patch contains the following fixes:
- TPS-5052 [8.0.1] Talend MDM Log4j CVE-2021-44228/CVE-2021-45046 Security Issue (TMDM-15199)
- TMDM-15199 Talend MDM Log4j CVE-2021-44228/CVE-2021-45046 Security Issue
- TPS-5078 [8.0.1] Log4j2 CVE-2021-45105/ CVE-2021-44832(Moderate) DOS attack Fix - Version(2.17.1 update)(TMDM-15206)
- TMDM-15176 [CVE] Replace outdated commons-httpclient with Apache HttpClient in MDM
- TMDM-15181 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- TMDM-15189 [CVE] - Update Spring on MDM
- TMDM-15190 [CVE] - Update Apache CXF on MDM
- TMDM-15194 [CVE] Update Jackson version
- TMDM-15207 [DA] Clean packaging to remove undue log4j-core lib
- TMDM-15206 MDM - Log4j2 CVE-2021-45105/ CVE-2021-44832(Moderate) - Version(2.17.1 update)
- TPS-5125 [8.0.1] [CVE] - Update H2 version to 2.1.210 on MDM (TMDM-15201)
- TMDM-15217 libraries added in ZIP file deployed to MDM server and in jobox/work
- TMDM-15218 [CVE] - Update Spring dependencies on Data Authoring
- TMDM-15210 Chore: Remove remaining log4j1 from maven build
- TMDM-15220 [CVE] Upgrade xercesImpl to 2.12.2
- TMDM-15182 Improper Restriction of XML External Entity Reference
- TMDM-15221 ERROR User 'xx' is not allowed to perform following operation(s): update field ...
- TMDM-15226 Avoid security issue from SQL Injection
- TMDM-15203 [CVE] - Upgrade commons-io version to 2.7 reported in dependabot
- TMDM-15229 [CVE] - Update XStream Core to 1.4.19
- TMDM-15227 [CVE] - Hazelcast upgrade
- TMDM-15201 [CVE] - Update H2 version to 2.1.210 on MDM
- TPS-5155 [8.0.1] [CVE - 2022-22965] - Update Spring on MDM/Data Authoring (TMDM-15248)
- TMDM-15232 Upgrade Liquibase version to 3.8.9
- TMDM-15231 [CVE] commons-fileupload
- TMDM-15234 [CVE] - Update to Swagger and Guava stable release
- TMDM-15170 Match & merge failed with confidence lower than minimum threshold while the confidence in simulate match is not lower than minimum threshold
- TMDM-15236 [CVE] Log entry injection in Spring Framework
- TMDM-15238 [CVE] - Liquibase upgrade
- TMDM-11353 Issues of 'Contains the sentence'
- TMDM-15234 return expected response for invalid request body
- TMDM-11556 Logon mdm server with role does not exist, click to "return to login screen" will show 404 error
- TMDM-15248 [CVE - 2022-22965] - Update Spring on MDM/Data Authoring
- TPS-5230 [8.0.1] [CVE-2022-22968] - Update Spring Libraries on MDM/Data Authoring (TMDM-15266)
- TMDM-15163 [CVE] - Upgrade Outdated eclipse plugin Library for MDM
- TMDM-15239 [CVE] - Upgrade Outdated Jackson Library for MDM
- TMDM-15241 [CVE] - Update outdated Jansi to 2.4.0
- TMDM-15257 Upgrade tomcat version to 9.0.62
- TMDM-15268 [CVE] - Update Apache CXF on MDM
- TMDM-15244 Error java.lang.ArrayIndexOutOfBoundsException: Index 2 out of bounds for length 2 when deploying new version of Data Model
- TMDM-15266 [CVE-2022-22968] - Update Spring Libraries on MDM
- TPS-5247 [8.0.1] [CVE-2022-22976] - Update Spring security libraries on MDM/Data Authoring(TMDM-15275)
- TMDM-15013 Error happens when sorting by FK column referenced to composite keys
- TMDM-15269 [CVE-2022-25647] Update outdated gson on MDM
- TMDM-15272 [CVE-2022-22970] - Update Spring Beans on MDM
- TMDM-15270 [CVE] - Upgrade Outdated ActiveMQ Library for MDM
- TMDM-15264 Some data is lost after restart MDM Server
- TMDM-15276 [CVE] - Update Hibernate
- TMDM-15275 [CVE-2022-22976] - Update Spring security libraries on MDM/Data Authoring
- TPS-5263 [8.0.1] Job inserting records using tMDMBulkLoad : several executions do not insert the same number of records (TMDM-15290)
- TMDM-15277 Remove retired Atom Dependencies(abdera)
- TMDM-15278 [CVE] - Update Restlet on MDM
- TMDM-15281 [CVE] - Update Talend commons.model
- TMDM-15282 [CVE] - Upgrade dependency of scim-common
- TMDM-12363 [RestAPI] Partial update APIs support before saving
- TMDM-15290 Job inserting records using tMDMBulkLoad : several executions do not insert the same number of records
- TPS-5308 [8.0.1] [CVE] - Update Spring Boot libraries (TMDM-15301)
- TMDM-15295 [CVE-2018-10054] - Update H2 for MDM
- TMDM-15293 Created record can not be associated to primary record due to its foreign key filter's constraint
- TMDM-15304 [CVE] - Fix XXE Vulnerabilities In MDM
- TMDM-15311 [CVE-2018-8088] - Update Log4j2(2.18.0)
- TMDM-15312 [CVE-2022-34169] - Fix CVE issues against Xalan
- TMDM-15288 [CVE] upgrade MapStruct for DA
- TMDM-15310 Upgrade commons-configuration:commons-configuration and org.apache.commons:commons-configuration2 to 2.8.0
- TMDM-15301 [CVE] - Update Spring Boot libraries
- TPS-5383 [8.0.1] [CVE] - Update commons-text (TMDM-15365)
- TMDM-15314 [CVE-2022-24329] - Update hazelcast(5.1.3)
- TMDM-15315 [CVE] - Update liquibase(4.15.0)
- TMDM-15303 Doesn't work to log SQL statements with their parameters
- TMDM-15344 [CVE] - Update SnakeYAML
- TMDM-15339 Update Apache Tomcat version to 9.0.65 to fix Spring
- TMDM-13137 [REST API] Correct status code of 204&404 for existing APIs
- TMDM-15345 [CVE] - Update Jackson Libraries
- TMDM-15354 [CVE-2022-40149] - Update Jettison
- TMDM-15366 [CVE] - Update woodstox-core from 6.2.6 to 6.4.0
- TMDM-15376 [CVE-2022-31692] - Update spring-security for MDM/DA
- TMDM-15365 [CVE] - Update commons-text
- TPS-5433 [8.0.1] [CVE] - Update or Replace SnakeYAML (TMDM-15382)
- TMDM-15361 [CVE-2022-42003] - Update outdated Jackson on MDM
- TMDM-15383 [CVE] - Update Apache CXF on MDM
- TMDM-15384 [CVE] - Update Apache POI on MDM
- TMDM-15385 [CVE] - Update Jettison on MDM
- TMDM-15390 Export/Import function not work
- TMDM-15388 [CVE] Replace commons-httpclient with Apache HttpClient5 in MDM
- TMDM-15386 [CVE] - Update Apache Log4J on MDM
- TMDM-15402 [CVE] - Update Gson on MDM/DA
- TMDM-15401 [CVE] - Update Spring Web on MDM
- TMDM-15382 [CVE] - Update or Replace SnakeYAML
- TPS-5479 [8.0.1] ehcache exception in Talend MDM (TMDM-15380)
- TMDM-15420 Json:20210307 | CVE-2022-45688
- TMDM-15412 [CVE] Improper Restriction of XML External Entity Reference
- TMDM-15422 commons-fileupload:1.4 | CVE-2023-24998
- TMDM-15414 Session Fixation attack
- TMDM-15413 XML Injection (aka Blind XPath Injection)
- TMDM-15380 ehcache issue when startup MDM
- TPS-5533 [8.0.1] spring-boot-autoconfigure:2.7.11 | CVE-2023-20883 (TMDM-15459)
- TMDM-15436 jettison:1.5.3 | CVE-2023-1436
- TMDM-15440 json-smart:2.4.8 | CVE-2023-1370
- TMDM-15437 spring-expression:5.3.25 | CVE-2023-20861
- TMDM-15450 Findings in: spring-security-web:5.8.1
- TMDM-15462 update guava to 32.0.1-jre
- TMDM-15457 update hazelcast version to fix CVE issue
- TMDM-15403 Update H2 on MDM2.2.220
- TMDM-15459 spring-boot-autoconfigure:2.7.11 | CVE-2023-20883
- TPS-5998 [8.0.1] Fix security issues
- TMDM-15479 Update commons-configuration2 to version 2.9.0
- TMDM-15481 Error "The statement failed due to arithmetic overflow when sending data stream." when try to delete an item
- TMDM-15482 Consolidate on one version for package aspectjweaver
- TMDM-15483 Consolidate on one version for package commons-io
- TMDM-15484 Consolidate on one version for package joda-time
- TMDM-15498 Error occurred while issuing audit event
- TMDM-15503 Json:20230227 | CVE-2023-5072
- TMDM-15499 avro:1.10.2 | CVE-2023-39410
- TMDM-15518 activemq-client:5.16.5 | CVE-2023-46604
- TMDM-15545 spring-boot:2.7.14 | CVE-2023-34055
- TMDM-15464 bcprov-jdk15on:1.70 | CVE-2023-33201
- TMDM-15540 logback-classic:1.2.11 | CVE-2023-6378
- TMDM-15574 commons-compress:1.21 | CVE-2024-26308
- TMDM-15588 Findings in: spring-web:5.3.31
- TMDM-15597 spring-security-core:5.8.10 | CVE-2024-22257
- TMDM-15613 org.apache.maven:maven-core from 3.0.5 to 3.8.1
- TMDM-15617 CVE-2024-28752 org.apache.cxf:cxf-core 3.5.5
- TMDM-15615 bcprov-jdk18on:1.77 | CVE-2024-34447
- TMDM-15608 Findings in: commons-configuration2:2.9.0
- TMDM-15591 spring-web:5.3.32 | CVE-2016-1000027
Prerequisites
Consider the following requirements for your system:
- Talend Studio 8.0.1 must be installed.
- Talend MDM Server 8.0.1 must be installed.
Installation
PATCH INSTALLATION NOTES FOR TALEND MDM SERVER 8.0.x
PRE-INSTALLATION
- Stop the MDM server
- Create a patch directory (eg: C:\MDM_Patch)
- Unzip patch file you receive from support into this directory
- Create a backup directory (eg: C:\MDM_Backup)
WEB APPLICATION REPLACEMENT
- Copy folder
<MDM_SERVER_HOME>
/apache-tomcat/webapps/talendmdm into the backup directory (DO NOT place talendmdm backup folder into webapps directory) - In
<MDM_SERVER_HOME>
/apache-tomcat/webapps/ directory, remove the previous talendmdm folder, then copy the talendmdm folder unzipped above and paste in the current directory - Copy folder <MDM_SERVER_HOME>/tools/dbmigration into the backup directory
- In <MDM_SERVER_HOME>/tools/ directory, remove the previous dbmigration folder, then copy the dbmigration folder unzipped above and paste in the current directory
- Copy folder
<MDM_SERVER_HOME>
/apache-tomcat/webapps/data-authoring-proxy into the backup directory (DO NOT place data-authoring-proxy backup folder into webapps directory) - In
<MDM_SERVER_HOME>
/apache-tomcat/webapps/ directory, remove the previous data-authoring-proxy folder, then copy the data-authoring-proxy folder unzipped above and paste in the current directory - Copy folder
<MDM_SERVER_HOME>
/apache-tomcat/webapps/ROOT into the backup directory (DO NOT place ROOT backup folder into webapps directory) - In
<MDM_SERVER_HOME>
/apache-tomcat/webapps/ directory, remove the previous ROOT folder, then copy the ROOT folder unzipped above and paste in the current directory - H2 database
- Install new MDM 8.0.1 with clean H2 database to apply the patch.
- Replace connection-url of H2 in
<MDM_SERVER_HOME>
/conf/datasouces.xml by<connection-url>jdbc:h2:$MDM_HOME/data/h2-Default/$DB_NAME;DB_CLOSE_ON_EXIT=FALSE</connection-url>
(Windows) - Do migration from old mdm server.
POST-INSTALLATION
- Restart the MDM server
- Clear browser cache on clients