Skip to main content Skip to complementary content

TPS-5998 (cumulative patch)

Info Value
Patch Name Patch_20241212_TPS-5998_v1
Release Date 2024-12-12
Target Version 20211109_1610-V8.0.1
Product affected Talend MDM Server, Talend Studio

Introduction

This patch is cumulative. It includes all previous delivered patches for MDM 8.0.1

NOTE: For information on how to obtain this patch, reach out to your Support contact at Talend.

Fixed issues

This patch contains the following fixes:

  • TPS-5052 [8.0.1] Talend MDM Log4j CVE-2021-44228/CVE-2021-45046 Security Issue (TMDM-15199)
  • TMDM-15199 Talend MDM Log4j CVE-2021-44228/CVE-2021-45046 Security Issue
  • TPS-5078 [8.0.1] Log4j2 CVE-2021-45105/ CVE-2021-44832(Moderate) DOS attack Fix - Version(2.17.1 update)(TMDM-15206)
  • TMDM-15176 [CVE] Replace outdated commons-httpclient with Apache HttpClient in MDM
  • TMDM-15181 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • TMDM-15189 [CVE] - Update Spring on MDM
  • TMDM-15190 [CVE] - Update Apache CXF on MDM
  • TMDM-15194 [CVE] Update Jackson version
  • TMDM-15207 [DA] Clean packaging to remove undue log4j-core lib
  • TMDM-15206 MDM - Log4j2 CVE-2021-45105/ CVE-2021-44832(Moderate) - Version(2.17.1 update)
  • TPS-5125 [8.0.1] [CVE] - Update H2 version to 2.1.210 on MDM (TMDM-15201)
  • TMDM-15217 libraries added in ZIP file deployed to MDM server and in jobox/work
  • TMDM-15218 [CVE] - Update Spring dependencies on Data Authoring
  • TMDM-15210 Chore: Remove remaining log4j1 from maven build
  • TMDM-15220 [CVE] Upgrade xercesImpl to 2.12.2
  • TMDM-15182 Improper Restriction of XML External Entity Reference
  • TMDM-15221 ERROR User 'xx' is not allowed to perform following operation(s): update field ...
  • TMDM-15226 Avoid security issue from SQL Injection
  • TMDM-15203 [CVE] - Upgrade commons-io version to 2.7 reported in dependabot
  • TMDM-15229 [CVE] - Update XStream Core to 1.4.19
  • TMDM-15227 [CVE] - Hazelcast upgrade
  • TMDM-15201 [CVE] - Update H2 version to 2.1.210 on MDM
  • TPS-5155 [8.0.1] [CVE - 2022-22965] - Update Spring on MDM/Data Authoring (TMDM-15248)
  • TMDM-15232 Upgrade Liquibase version to 3.8.9
  • TMDM-15231 [CVE] commons-fileupload
  • TMDM-15234 [CVE] - Update to Swagger and Guava stable release
  • TMDM-15170 Match & merge failed with confidence lower than minimum threshold while the confidence in simulate match is not lower than minimum threshold
  • TMDM-15236 [CVE] Log entry injection in Spring Framework
  • TMDM-15238 [CVE] - Liquibase upgrade
  • TMDM-11353 Issues of 'Contains the sentence'
  • TMDM-15234 return expected response for invalid request body
  • TMDM-11556 Logon mdm server with role does not exist, click to "return to login screen" will show 404 error
  • TMDM-15248 [CVE - 2022-22965] - Update Spring on MDM/Data Authoring
  • TPS-5230 [8.0.1] [CVE-2022-22968] - Update Spring Libraries on MDM/Data Authoring (TMDM-15266)
  • TMDM-15163 [CVE] - Upgrade Outdated eclipse plugin Library for MDM
  • TMDM-15239 [CVE] - Upgrade Outdated Jackson Library for MDM
  • TMDM-15241 [CVE] - Update outdated Jansi to 2.4.0
  • TMDM-15257 Upgrade tomcat version to 9.0.62
  • TMDM-15268 [CVE] - Update Apache CXF on MDM
  • TMDM-15244 Error java.lang.ArrayIndexOutOfBoundsException: Index 2 out of bounds for length 2 when deploying new version of Data Model
  • TMDM-15266 [CVE-2022-22968] - Update Spring Libraries on MDM
  • TPS-5247 [8.0.1] [CVE-2022-22976] - Update Spring security libraries on MDM/Data Authoring(TMDM-15275)
  • TMDM-15013 Error happens when sorting by FK column referenced to composite keys
  • TMDM-15269 [CVE-2022-25647] Update outdated gson on MDM
  • TMDM-15272 [CVE-2022-22970] - Update Spring Beans on MDM
  • TMDM-15270 [CVE] - Upgrade Outdated ActiveMQ Library for MDM
  • TMDM-15264 Some data is lost after restart MDM Server
  • TMDM-15276 [CVE] - Update Hibernate
  • TMDM-15275 [CVE-2022-22976] - Update Spring security libraries on MDM/Data Authoring
  • TPS-5263 [8.0.1] Job inserting records using tMDMBulkLoad : several executions do not insert the same number of records (TMDM-15290)
  • TMDM-15277 Remove retired Atom Dependencies(abdera)
  • TMDM-15278 [CVE] - Update Restlet on MDM
  • TMDM-15281 [CVE] - Update Talend commons.model
  • TMDM-15282 [CVE] - Upgrade dependency of scim-common
  • TMDM-12363 [RestAPI] Partial update APIs support before saving
  • TMDM-15290 Job inserting records using tMDMBulkLoad : several executions do not insert the same number of records
  • TPS-5308 [8.0.1] [CVE] - Update Spring Boot libraries (TMDM-15301)
  • TMDM-15295 [CVE-2018-10054] - Update H2 for MDM
  • TMDM-15293 Created record can not be associated to primary record due to its foreign key filter's constraint
  • TMDM-15304 [CVE] - Fix XXE Vulnerabilities In MDM
  • TMDM-15311 [CVE-2018-8088] - Update Log4j2(2.18.0)
  • TMDM-15312 [CVE-2022-34169] - Fix CVE issues against Xalan
  • TMDM-15288 [CVE] upgrade MapStruct for DA
  • TMDM-15310 Upgrade commons-configuration:commons-configuration and org.apache.commons:commons-configuration2 to 2.8.0
  • TMDM-15301 [CVE] - Update Spring Boot libraries
  • TPS-5383 [8.0.1] [CVE] - Update commons-text (TMDM-15365)
  • TMDM-15314 [CVE-2022-24329] - Update hazelcast(5.1.3)
  • TMDM-15315 [CVE] - Update liquibase(4.15.0)
  • TMDM-15303 Doesn't work to log SQL statements with their parameters
  • TMDM-15344 [CVE] - Update SnakeYAML
  • TMDM-15339 Update Apache Tomcat version to 9.0.65 to fix Spring
  • TMDM-13137 [REST API] Correct status code of 204&404 for existing APIs
  • TMDM-15345 [CVE] - Update Jackson Libraries
  • TMDM-15354 [CVE-2022-40149] - Update Jettison
  • TMDM-15366 [CVE] - Update woodstox-core from 6.2.6 to 6.4.0
  • TMDM-15376 [CVE-2022-31692] - Update spring-security for MDM/DA
  • TMDM-15365 [CVE] - Update commons-text
  • TPS-5433 [8.0.1] [CVE] - Update or Replace SnakeYAML (TMDM-15382)
  • TMDM-15361 [CVE-2022-42003] - Update outdated Jackson on MDM
  • TMDM-15383 [CVE] - Update Apache CXF on MDM
  • TMDM-15384 [CVE] - Update Apache POI on MDM
  • TMDM-15385 [CVE] - Update Jettison on MDM
  • TMDM-15390 Export/Import function not work
  • TMDM-15388 [CVE] Replace commons-httpclient with Apache HttpClient5 in MDM
  • TMDM-15386 [CVE] - Update Apache Log4J on MDM
  • TMDM-15402 [CVE] - Update Gson on MDM/DA
  • TMDM-15401 [CVE] - Update Spring Web on MDM
  • TMDM-15382 [CVE] - Update or Replace SnakeYAML
  • TPS-5479 [8.0.1] ehcache exception in Talend MDM (TMDM-15380)
  • TMDM-15420 Json:20210307 | CVE-2022-45688
  • TMDM-15412 [CVE] Improper Restriction of XML External Entity Reference
  • TMDM-15422 commons-fileupload:1.4 | CVE-2023-24998
  • TMDM-15414 Session Fixation attack
  • TMDM-15413 XML Injection (aka Blind XPath Injection)
  • TMDM-15380 ehcache issue when startup MDM
  • TPS-5533 [8.0.1] spring-boot-autoconfigure:2.7.11 | CVE-2023-20883 (TMDM-15459)
  • TMDM-15436 jettison:1.5.3 | CVE-2023-1436
  • TMDM-15440 json-smart:2.4.8 | CVE-2023-1370
  • TMDM-15437 spring-expression:5.3.25 | CVE-2023-20861
  • TMDM-15450 Findings in: spring-security-web:5.8.1
  • TMDM-15462 update guava to 32.0.1-jre
  • TMDM-15457 update hazelcast version to fix CVE issue
  • TMDM-15403 Update H2 on MDM2.2.220
  • TMDM-15459 spring-boot-autoconfigure:2.7.11 | CVE-2023-20883
  • TPS-5998 [8.0.1] Fix security issues
  • TMDM-15479 Update commons-configuration2 to version 2.9.0
  • TMDM-15481 Error "The statement failed due to arithmetic overflow when sending data stream." when try to delete an item
  • TMDM-15482 Consolidate on one version for package aspectjweaver
  • TMDM-15483 Consolidate on one version for package commons-io
  • TMDM-15484 Consolidate on one version for package joda-time
  • TMDM-15498 Error occurred while issuing audit event
  • TMDM-15503 Json:20230227 | CVE-2023-5072
  • TMDM-15499 avro:1.10.2 | CVE-2023-39410
  • TMDM-15518 activemq-client:5.16.5 | CVE-2023-46604
  • TMDM-15545 spring-boot:2.7.14 | CVE-2023-34055
  • TMDM-15464 bcprov-jdk15on:1.70 | CVE-2023-33201
  • TMDM-15540 logback-classic:1.2.11 | CVE-2023-6378
  • TMDM-15574 commons-compress:1.21 | CVE-2024-26308
  • TMDM-15588 Findings in: spring-web:5.3.31
  • TMDM-15597 spring-security-core:5.8.10 | CVE-2024-22257
  • TMDM-15613 org.apache.maven:maven-core from 3.0.5 to 3.8.1
  • TMDM-15617 CVE-2024-28752 org.apache.cxf:cxf-core 3.5.5
  • TMDM-15615 bcprov-jdk18on:1.77 | CVE-2024-34447
  • TMDM-15608 Findings in: commons-configuration2:2.9.0
  • TMDM-15591 spring-web:5.3.32 | CVE-2016-1000027

Prerequisites

Consider the following requirements for your system:

  • Talend Studio 8.0.1 must be installed.
  • Talend MDM Server 8.0.1 must be installed.

Installation

PATCH INSTALLATION NOTES FOR TALEND MDM SERVER 8.0.x

PRE-INSTALLATION

  • Stop the MDM server
  • Create a patch directory (eg: C:\MDM_Patch)
  • Unzip patch file you receive from support into this directory
  • Create a backup directory (eg: C:\MDM_Backup)

WEB APPLICATION REPLACEMENT

  • Copy folder <MDM_SERVER_HOME>/apache-tomcat/webapps/talendmdm into the backup directory (DO NOT place talendmdm backup folder into webapps directory)
  • In <MDM_SERVER_HOME>/apache-tomcat/webapps/ directory, remove the previous talendmdm folder, then copy the talendmdm folder unzipped above and paste in the current directory
  • Copy folder <MDM_SERVER_HOME>/tools/dbmigration into the backup directory
  • In <MDM_SERVER_HOME>/tools/ directory, remove the previous dbmigration folder, then copy the dbmigration folder unzipped above and paste in the current directory
  • Copy folder <MDM_SERVER_HOME>/apache-tomcat/webapps/data-authoring-proxy into the backup directory (DO NOT place data-authoring-proxy backup folder into webapps directory)
  • In <MDM_SERVER_HOME>/apache-tomcat/webapps/ directory, remove the previous data-authoring-proxy folder, then copy the data-authoring-proxy folder unzipped above and paste in the current directory
  • Copy folder <MDM_SERVER_HOME>/apache-tomcat/webapps/ROOT into the backup directory (DO NOT place ROOT backup folder into webapps directory)
  • In <MDM_SERVER_HOME>/apache-tomcat/webapps/ directory, remove the previous ROOT folder, then copy the ROOT folder unzipped above and paste in the current directory
  • H2 database
    • Install new MDM 8.0.1 with clean H2 database to apply the patch.
    • Replace connection-url of H2 in <MDM_SERVER_HOME>/conf/datasouces.xml by <connection-url>jdbc:h2:$MDM_HOME/data/h2-Default/$DB_NAME;DB_CLOSE_ON_EXIT=FALSE</connection-url>(Windows)
    • Do migration from old mdm server.

POST-INSTALLATION

  • Restart the MDM server
  • Clear browser cache on clients

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – please let us know!