TPS-5619 (cumulative patch)
Info | Value |
---|---|
Patch Name | Patch_20240904_TPS-5619_v2-8.0.1 |
Release Date | 2024-09-04 |
Target Version | 20211109_1610-V8.0.1 |
Product affected | Jobserver |
Introduction
This patch is cumulative. It includes all previous generally available patches for Talend Jobserver 8.0.1 and 8.0.2.
NOTE: For information on how to obtain this patch, reach out to your Support contact at Talend.
Fixed issues
This patch contains the following fixes:
- TPS-5039 Mitigate / fix JobServer log4j2 vulnerabilities ( CVE-2021-44228 ) (TPRUN-2701)
- TPRUN-2543 Fix compatibility statement logged at JobServer startup
- TPS-5076 [8.0.1]including the possibility to define the certificate password when defining the SSL on jobserver and runtime (TPRUN-1805)
- TPRUN-2859 JobServer packages superfluous dependency slf4j-log4j12-1.7.32.jar
- TPRUN-3050 Upgrade Ant dependency in JobServer to avoid known vulnerabilities
- TPS-5111 [8.0.1] JMX port 8888 is inactive for runtime from TAC while enabling SSL (TPRUN-2948)
- TPRUN-3106 When archive was deleted, wrong job execution state will be returned.
- TPRUN-3152 JobServer secure mode is off by default.
- TPRUN-1294 Restrict impersonation users by default.
- TPRUN-2214 JobServer package should include a NOTICE file with licenses.
- TPRUN-3405 The FileListener does not jail the path to the jobserver deploy directory.
- TPRUN-3447 Provide info about job name in method for patch job execution command line.
- TPRUN-3508 AuthorizationKey is logged
- TPRUN-3527 Prevent race conditions in Remote Engine Gen1 parallel task execution
- TPRUN-3153 log4jshell fix seems to broke temp directory creator functionality when installing RE as service
- TPRUN-3697 JobServer should close stream of temporary context.
- TPRUN-3604 Unzipper Incorrect size limit check and created files not deleted in case of error
- TPRUN-3777 Non thread safe ClasspathJar writing
- TPRUN-3679 Modularize function required for user impersonation.
- TPS-5286 [8.0.1] Code cleanup & deprecation of 'launchFromShellScript' (TPRUN-3775)
- TPRUN-3605 JobServer - Unzipper add limits for nesting and path length
- TPRUN-3784 Update JobServer configuration/docs related to TLS version
- TPRUN-3948 Align versions of JAVA source/target, dependencies and plugins on pom(s).xml
- TPRUN-3790 Update Studio Utils to 1.0.8
- TPS-5360 [8.0.1] JobServer File server has no authentication. (TPRUN-3518)
- TPRUN-4022 Update patch creation process
- TPRUN-3916 Use RockyLinux as base image for JobServer docker in tests
- TPRUN-4131 Check Zip Slip and Zip Symlink vulnerabilities
- TPRUN-4203 A fatal error has been detected by the Java Runtime Environment
- TPRUN-4126 Upgrade to OSHI 6.2.2
- TPRUN-3836 Improve error message in case Job archive checks fail
- TPRUN-3523 Add ability to disable the monitoring service
- TPRUN-1740 Simplify approach to let users install patches and (windows) services
- TPRUN-4023 Reduce merging pain between active branches due to different logging framework
- TPRUN-4238 Attempt to publish a large job (while FileServer authentication is available?) causes a command server timeout
- TPRUN-4267 Folder name length check not working for ZIP without folder entries
- TPRUN-4203 A fatal error has been detected by the Java Runtime Environment: # # SIGBUS (0x7) at pc=0x00007ff897dfc37d, pid=553, tid=0x00007ff89f0fe700
- TPRUN-4400 JobServer client checkServer returns wrong compatibility info
- TPRUN-4255 Do not log warnings when properties are not set but default value exists
- TPRUN-4355 Ensure Copyright is up-to-date for JAVA classes with UnitTesting
- TPRUN-4269 After Unzipper Exception partially unzipped file remain
- TPRUN-3519 Add constraints on jobs to prevent DoS attacks
- TPS-5371 [8.0.1] Adding File path traversal guard and upgrade common-text due to CVS (TPRUN-4050)
- TPRUN-4515 Delete deployedJobPath directory before re-deploying
- TPRUN-4486 JobServer - Cleanings
- TPRUN-4447 JobServer start_jconsole.bat script has wrong classpath
- TPRUN-4761 Issue with FileEventsPacket
- TPRUN-4048 Review Merge compulsory requirements
- TPRUN-4694 JobServer CVE-2022-42889, org.apache.commons:commons-text:[1.4-1.9]
- TPRUN-4005 Reading issue due to improper locking of job resuming log
- TPRUN-3520 Check job archive signature
- TPRUN-4753 Job archives that do not have a signature can be executed
- TPS-5389 [8.0.1] Reading issue due to improper locking of job resuming log ( TPRUN-4005 )
- TPRUN-4523 Update osgi.cmpn to 5.0.0+ and org.osgi.core to 6.0.0+
- TPRUN-4892 parallel send protection error with tac and virtual servers
- TPRUN-4898 JobServer checks cause problems for TAC deployments
- TPRUN-4943 Ensure simple and consistent JobServer patch packaging
- TPRUN-4804 JobServer - Remove deprecated launch from shell script option
- TPRUN-4842 Check Archive Signature - set default behaviour to ON_UPLOAD and update documentation
- TPRUN-5363 synchronized method in copy() cause all deployment to be queued in "SENDING SCRIPT" in tac
- TPS-5451 synchronized method in copy() cause all deployment to be queued in "SENDING SCRIPT" in tac (TPRUN-5363)
- TPRUN-5249 Job execution failures with long classpaths and impersonation
- TPRUN-5106 JobServer client: provide a way to distinguish between recoverable and unrecoverable failures on JobServer side
- TPRUN-5151 Correct JobServer API doc and fix parent related cleanup
- TPRUN-5125 Update OSHI in JobServer to support Win11
- TPRUN-3526 DI tasks run with 'Run as Impersonate User' are failing on Windows 2019
- TPRUN-3952 Fix confusing error output on TalendJobServerStopper
- TPS-5507 Job execution failures with long classpaths and impersonation (TPRUN-5249)
- TPRUN-5901 Ensure that CACHECRCMAP size cannot grow unlimitedly and block job deployment
- TPRUN-6233 Missing patchassembly.xml & fix patchversion.sh
- TPS-5518 Missing package org.apache.commons.io.IOUtils, & Incorrect jna dependency version (TPRUN-6209)
- TPRUN-6393 Allow setting of client socket read timeout
- TPRUN-6141 Handling of security setting MAXJOBNB ambiguous and confusing
- TPRUN-6485 Improve JS client error message / CommandClient.requiresRetry(exception)
- TPRUN-6581 Minimize JMX dependencies to fix JobServer SBOM
- TPRUN-7730 Improve JS client recoverable error check / CommandClient.requiresRetry(exception)
- TPRUN-7139 Clean up debug logs related to FileServer authentication that confuse customers
- TPRUN-8126 provide info about deployed job path into CommandLineHandler
- TPRUN-8152 Allow public access to ServerInfoCentralizer.addRatedServer
- TPRUN-8233 JobServer fails to handle exceptions thrown inside command line handler
- TPRUN-7853 Duplicate parameter in monitoring_client.properties
- TPRUN-8184 Add schedules to JobServer patch build jobs to trigger regular trivy scans implicitly
- TPRUN-8344 Remove Veracode SCA scan Jenkins jobs from JobServer branches
- TPRUN-6160 Implement solution to support secure monitoring with Java 17
- TPS-5619 Implement solution to support secure monitoring with Java 17
Fixed CVEs
- CVE-2021-44228 ( log4j2 - execute arbitrary code loaded from LDAP servers )
- CVE-2021-44832 ( log4j2 - remote code execution attack in JMSAppender )
- CVE-2021-45046 ( log4j2 - information leak and remote code execution )
- CVE-2021-45105 ( log4j2 - uncontrolled recursion from self-referential lookups )
- CVE-2021-36373 ( Ant TAR )
- CVE-2022-42889 ( Apache Commons Text - Arbitrary Code Execution )
Prerequisites
Consider the following requirements for your system:
- Talend Jobserver 8.0.1 or 8.0.2 must be installed.
Installation
- Create a backup of the files in
<jobserver_home>/lib
,<jobserver_home>/conf
and the*.bat
and*.sh
scripts. - Stop Jobserver.
- Remove all files from
<jobserver_home>/lib
,<jobserver_home>/*.sh
and<jobserver_home>/*.bat
. - Replace them with their patched counterparts.
Recommended change for all JobServers running in production environments
# Enable the process message publisher or not. Recommendation for production environments: false org.talend.remote.jobserver.server.TalendJobServer.ENABLED_PROCESS_MESSAGE=false
Recommended change of following configuration properties in <jobserver_home>/conf/TalendJobserver.properties in case you use SSL:
# Enabled protocols for JobServer socket communication org.talend.remote.server.ssl.enabled.protocols=TLSv1.2,TLSv1.3 # Enabled protocols for JMX management server org.talend.jmxmp.ssl.enabled.protocols=TLSv1.2,TLSv1.3
Recommended to set following configuration property to
false
in case you want to disable the Monitoring Port 8888:# Enable the Monitoring port or not. true by default org.talend.remote.jobserver.server.TalendJobServer.ENABLE_MONITORING_PORT=false
( Note: If you set this to
false
, TAC will not be able to monitor this JobServer and rating for Virtual JobServers will not work anymore. )Add the following configuration properties to
<jobserver_home>/conf/TalendJobserver.properties
:It is recommended to set the following configuration property to true:
# Set to true to enable authorization for all jobserver commands (recommended) org.talend.remote.jobserver.commons.config.JobServerConfiguration.SECURITY_MODE=true
The following configuration property enables authorization for all job file deployments. This requires that on client-side ( TAC, Studio ) support for file server authorization must be available and the system property org.talend.remote.jobserver.client.old has be set to false. For more details refer to the documentation.
# Set to true to enable authorization for all job file deployments ( Requires additional configuration for TAC and Studio. ) org.talend.remote.jobserver.commons.config.JobServerConfiguration.FILESERVER_AUTHORIZATION=true
The following configuration have been added to add constraints on job to prevent Denial Of Service attacks. High default have been defined, it is recommended to adapt these to your environment.
# Maximum number of file listeners, 0 = No limit org.talend.remote.jobserver.commons.config.JobServerConfiguration.MAX_FILE_LISTENERS=6000 # Maximum number of library dependencies embedded in a job org.talend.remote.jobserver.commons.config.JobServerConfiguration.MAX_LIBRARY_DESC_NB=1000 # Maximum size of all library dependency names for a job org.talend.remote.jobserver.commons.config.JobServerConfiguration.MAX_LIBRARY_DESC_SIZE=100KB # Maximum number of deployed jobs, 0 = No Limit org.talend.remote.jobserver.commons.config.JobServerConfiguration.MAX_JOB_NB=6000 # Max size that a job archive is allowed to be. The default is 1G, 0 = No limit org.talend.remote.jobserver.commons.config.JobServerConfiguration.MAX_JOB_FILE_SIZE=1G # Maximum size of TalendJobServersFiles/archiveJobs folder, 0 = No limit, 0 = No Limit org.talend.remote.jobserver.commons.config.JobServerConfiguration.MAX_ARCHIVES_DIR_SIZE=100G
The following configuration have been added to activate job archive signature check.
# Activate job archive signature, 1 or more values separated by comma (','). # Possible values are: # - 'ON_DEPLOY' (legacy) # - 'ON_UPLOAD' (advised & default) org.talend.remote.jobserver.commons.config.JobServerConfiguration.JOB_ARCHIVE_SIGNATURE_CHECK=ON_UPLOAD
An empty allow list for impersonation users is not supported anymore. If you want to allow impersonation for anyone and support jobs running without impersonation, you need to explicitly set:
org.talend.remote.jobserver.server.TalendJobServer.RUN_AS_ALLOWLIST=anybody
Please refer to the following examples to understand this setting:
RUNASALLOWLIST | Run as user | Execution | Explanation |
---|---|---|---|
accepted | No impersonation, OK | ||
anybody | accepted | No impersonation, OK | |
anybody | jim | accepted | All users allowed |
* | refused | Must specify a user | |
* | jim | accepted | All users allowed |
jim,jules | refused | Must specify a user from the list | |
jim,jules | jim | accepted | jim is in the list |
ju* | jules | accepted | jules matches ju* |
- Check Read, Write & Execution rights on files
Per default, the rights should be:
rw-r--r--
(i.e.0664
) per default, meaning everybody can read, but only the owner can overwrite the filerwxr-xr-x
(i.e.0655
) for *.sh files, meaning everybody can read & execute, but only the owner can overwrite the file
If needed, feel free to update these rights to match your current installation environment.
Especially to allow further patch updates by a non-owner user, you might want to allow other users to have Write access.
Start Jobserver
For JobServer clients ( TAC, Studio ) the new system property
org.talend.remote.client.socketReadTimeout=<timeoutMillisec>
allows specification of a client socket read timeout. Setting this to a positive number ( e.g. 30000 ) this can prevent long delays until job executions start.
Uninstallation
- Stop Jobserver.
- Remove the files in
<jobserver_home>/lib
,<jobserver_home>/conf
and the*.bat
and*.sh
scripts. and restore the unpatched counterparts from your backup. - Start Jobserver
Affected files for this patch
All files in <jobserver_home>/lib
, <jobserver_home>/conf
and the *.bat
and *.sh
scripts.
New configuration parameters
```
# Set password of server side ssl key (command and file server) - optional
org.talend.remote.server.ssl.keyPassword=<jobserver_key_password>
# Set password of server side ssl key (monitoring server) - optional
org.talend.jmxmp.ssl.keyPassword=<monitoring_server_key_password>
# Maximum length of zip file names:
org.talend.remote.jobserver.commons.config.JobServerConfiguration.MAX_ZIP_NAME_LENGTH=240
# Restrict the length of any folder name in paths inside the zip file:
org.talend.remote.jobserver.commons.config.JobServerConfiguration.MAX_UNZIPPED_FOLDER_NAME_LENGTH=240
# Restrict the length of any file name inside the zip file (which contains the relative path of the zipped file):
org.talend.remote.jobserver.commons.config.JobServerConfiguration.MAX_UNZIPPED_FILE_NAME_LENGTH=240
# Restrict the nesting levels of folders inside the zip file:
org.talend.remote.jobserver.commons.config.JobServerConfiguration.MAX_ZIP_DEPTH=64
# Enable the Monitoring port or not. true by default
org.talend.remote.jobserver.server.TalendJobServer.ENABLE_MONITORING_PORT=true
# Set to true to enable authorization for all job file deployments ( Requires additional configuration for TAC and Studio. )
org.talend.remote.jobserver.commons.config.JobServerConfiguration.FILESERVER_AUTHORIZATION=false
# Maximum number of file listeners, 0 = No limit
org.talend.remote.jobserver.commons.config.JobServerConfiguration.MAX_FILE_LISTENERS=6000
# Maximum number of library dependencies embedded in a job
org.talend.remote.jobserver.commons.config.JobServerConfiguration.MAX_LIBRARY_DESC_NB=1000
# Maximum size of all library dependency names for a job
org.talend.remote.jobserver.commons.config.JobServerConfiguration.MAX_LIBRARY_DESC_SIZE=100KB
# Maximum number of deployed jobs, 0 = No Limit
org.talend.remote.jobserver.commons.config.JobServerConfiguration.MAX_JOB_NB=6000
# Max size that a job archive is allowed to be. The default is 1G, 0 = No limit
org.talend.remote.jobserver.commons.config.JobServerConfiguration.MAX_JOB_FILE_SIZE=1G
# Maximum size of TalendJobServersFiles/archiveJobs folder, 0 = No limit, 0 = No Limit
org.talend.remote.jobserver.commons.config.JobServerConfiguration.MAX_ARCHIVES_DIR_SIZE=100G
# Activate job archive signature, 1 or more values separated by comma (',').
# Possible values are:
# - 'ON_DEPLOY' (legacy)
# - 'ON_UPLOAD' (advised & default)
org.talend.remote.jobserver.commons.config.JobServerConfiguration.JOB_ARCHIVE_SIGNATURE_CHECK=ON_UPLOAD
# Absolute paths blocked for usage with file listeners for security reasons.
# Remove a path if you really want to listen to a file located at a path starting with a string specified here.
# Replace with "/" if you want to disable all file listeners
org.talend.remote.jobserver.commons.config.JobServerConfiguration.FILE_LISTENER_BLOCKED_PATHS=/etc,/proc,/dev,/root,/lib,/boot,/sys,/var**
```
Removed features
TPRUN-3775
When the option org.talend.remote.jobserver.commons.config.JobServerConfiguration.LAUNCH_SHELL_SCRIPT
was set to false
(which is the default value), the script files were regenerated in :
- deployedJobPath/[jobName]/[jobName]_run.bat for Windows
- deployedJobPath/[jobName]/[jobName]_run.sh for UNIX
These files will no longer be regenerated ( updated with valid classpath ) and thus will not be executable anymore. To see executed command please use the debug level log.
TPRUN-3775
The possibility to launch from shell script using option org.talend.remote.jobserver.commons.config.JobServerConfiguration.LAUNCH_SHELL_SCRIPT
set to true
is deprecated and will be removed in end 2022.
Deprecated features
The configuration property org.talend.remote.jobserver.commons.config.JobServerConfiguration.JOB_LAUNCHER_PATH
is deprecated.
It is not recommended to use this property anymore. It will not work for jobs that spawn independent sub jobs: the sub jobs
would start with the first JVM found on the user path instead of the one configured in this configuration setting.
See recommended way to configure alternate JVMs for Jobserver is documented here: Configuring the JVM for your Talend JobServer