R2024-11-RT
| Info | Value |
|---|---|
| Patch Name | Patch_20241122_R2024-11_v1-RT-8.0.1.R2024-05-RT |
| Release Date | 2024-11-22 |
| Target Version | 20240524_1200-8.0.1.R2024-05-RT |
| Product affected | Talend ESB Runtime |
Introduction
This patch is cumulative. It includes the previous generally available patches from Talend ESB Runtime 8.0.1.R2024-05-RT.
NOTE:
- To download this patch, contact Talend Support.
- Keeping Studio and Talend Runtime versions in sync is highly recommended. Using unaligned versions is a risk.
Prerequisites
Consider the following requirements for your system:
Talend ESB Runtime 8.0.1.R2024-05-RT must be installed, either as a full build or by previously patching an older runtime with Patch-20240524_R2024-05_v1-RT-8.0.1.R2023-08-RT.zip. Installation of the present patch over an older Talend ESB runtime version is rejected. More information about the installation of this version is available in the online documentation: https://help.talend.com/r/en-US/Cloud/installation-guide-linux/upgrading-runtime
Depending on the product, {container} is Talend-ESB-V8.0.1.R2024-05-RT/container/ or Talend-Runtime-V8.0.1.R2024-05-RT/
For all inserted properties:
- if the property is already present (commented or uncommented), it is not inserted
- if the property is not already present, the related file is backed up in {container}/patches/Patch_20241122_R2024-11_v1-RT-8.0.1.R2024-05-RT/backup/ and the property is inserted
For all updated properties:
- if the property is commented or not already present, it is not updated
- if the property is already present, the related file is backed up in {container}/patches/Patch_20241122_R2024-11_v1-RT-8.0.1.R2024-05-RT/backup/ and the property is updated
If any change is required, update the value after patch execution.
Installation
Container
- Start Runtime Container
- Extract & replace the content of ZIP directory container into {container} directory
Structure after extract & replace should be :
{container}
├───bin : existing dir
├───deploy : existing dir
├───etc : existing dir
├───...
├───patches : dir from current or previous patch
│ └───Patch_20241122_R2024-11_v1-RT-8.0.1.R2024-05-RT
│ patch.bat
│ patch01.commands
│ patch02.commands
│ patch03.commands
│ patch.sh
│ talend-esb-patch-<version>.jar
│ logs/ : directory for logs installation
├───system : existing dir
│ ├───... : existing dir
├───...
- Ensure username/password are right in {container}/patches/Patch_20241122_R2024-11_v1-RT-8.0.1.R2024-05-RT/patch.bat or {container}/patches/Patch_20241122_R2024-11_v1-RT-8.0.1.R2024-05-RT/patch.sh
... -u {username} -p {password} -f patch.commands ...
- Execute {container}/patches/Patch_20241122_R2024-11_v1-RT-8.0.1.R2024-05-RT/patch.bat or {container}/patches/Patch_20241122_R2024-11_v1-RT-8.0.1.R2024-05-RT/patch.sh
- Ensure directory {container}/patches/Patch_20241122_R2024-11_v1-RT-8.0.1.R2024-05-RT/logs contains new log files:
  - xxx-installation.log : patch installation log
  - xxx-init.log : state before patch installation
  - xxx-installed.log : state after patch installation
Please note that Routes using cMap (TDM feature) are not automatically restarted by the patch procedure. You will need to restart the Runtime Container for changes to take effect.
Warning: JRE 11.0.20 or 17.0.8 may refuse to open JAR or other ZIP files from Talend ESB runtime or the patch
installer. They complain about invalid CEN headers. This is caused by an incompatibility with JARs and other ZIP
files created by commonly used Apache tools. It has been fixed with JRE 11.0.21 and 17.0.9, and you need to upgrade
your JRE to one of these or a newer version.
Warning: Some patches perform updates of the Bouncycastle libraries. This may lead to SSH connection errors
after patching when using Oracle JDK. A shutdown and restart of the Talend Runtime resolves the issue.
Warning: Patch 8.0.1.R2024-07-RT fixes a security issue with Talend ESB runtime SSH access:
If any of the system users "tadmin", "tesb", or "karaf" has the default password in "etc/users.properties", SSH access to the Talend ESB runtime is restricted to "127.0.0.1".
The corresponding property is "sshHost" in configuration "etc/org.apache.karaf.shell.cfg".
Warning: Patch 8.0.1.R2024-07-RT disables the usually unused jobserver monitoring port for security reasons:
If you are using the Talend ESB runtime with TAC and run DI jobs in the runtime and not in a separate standalone jobserver, you may get errors in TAC.
In this case, re-enable the jobserver monitoring port in "etc/org.talend.remote.jobserver.server.cfg".
Set "org.talend.remote.jobserver.server.TalendJobServer.ENABLE_MONITORING_PORT=true".
Warning: Patch 8.0.1.R2024-09-RT logs if any of the system users "tadmin", "tesb", or "karaf" has the default password in "etc/users.properties".
The warning can be found by searching the log for the message prefix "SECURITY WARNING".
Warning: Patch 8.0.1.R2024-09-RT installation requires a manual restart of the Talend Runtime Container before deploying artifacts from the latest Talend Studio patch.
Notes
Bundle resolution errors
The updates are performed in three iterations. During the first and second iteration bundle resolution errors are showing up on the console and in the logs. This is expected, and these errors are resolved in the third iteration. The total patch process takes several minutes, but should not exceed 15 minutes depending on the number of features installed and the hardware.
Patching of libraries in lib/endorsed and lib/jdk9plus
When patching to version 8.0.1.R2024-09-RT, some JAR library files in directories {container}/lib/endorsed and {container}/lib/jdk9plus need to be updated.
In order to complete patching, the runtime must be re-started after the patch has been applied.
Configuration changes
- From patch 2023-12, the configuration key org.ops4j.pax.web.ssl.password is replaced by org.ops4j.pax.web.ssl.keystore.password (TPRUN-6883). Its default value is the environment or system variable TESBTLSKEYSTORE_PASSWORD. If org.ops4j.pax.web.ssl.password has been customized, org.ops4j.pax.web.ssl.keystore.password should be changed as well.
- org.ops4j.pax.web.ssl.clientauthneeded is replaced by org.ops4j.pax.web.ssl.clientauth.needed
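The warnings and configuration changes above can be checked after patching with a read-only audit such as the following. This is an added example, not part of the patch or of Talend's tooling; the function names, finding labels and sample container are constructed, and the runtime log path is passed in by the caller because these notes do not name it.

```shell
#!/bin/sh
# Added example: read-only post-patch audit of a Talend ESB runtime container.
# File names, keys and the log prefix are those named in these release notes;
# function names, finding labels and the sample container are constructed.

# Print the value of the last uncommented "key = value" line for an exact key.
prop_value() {  # $1 = properties file, $2 = key
    [ -f "$1" ] || return 0
    awk -v k="$2" '
        /^[ \t]*#/ { next }                       # commented properties are inactive
        { i = index($0, "="); if (i == 0) next
          key = substr($0, 1, i - 1); gsub(/^[ \t]+|[ \t]+$/, "", key)
          if (key == k) { val = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", val) } }
        END { if (val != "") print val }' "$1"
}

audit_container() {  # $1 = {container} directory, $2 = runtime log file (optional)
    c=$1; log=${2:-}
    # Key names replaced from patch 2023-12 that are still set somewhere in etc/
    for old in org.ops4j.pax.web.ssl.password org.ops4j.pax.web.ssl.clientauthneeded; do
        for f in "$c"/etc/*.cfg; do
            if [ -n "$(prop_value "$f" "$old")" ]; then echo "OLD_KEY $old ${f##*/}"; fi
        done
    done
    # SSH listener address; the 2024-07 patch restricts it while default passwords remain
    host=$(prop_value "$c/etc/org.apache.karaf.shell.cfg" sshHost)
    if [ "$host" != "127.0.0.1" ]; then echo "SSH_HOST ${host:-unset}"; fi
    # Jobserver monitoring port, disabled by the 2024-07 patch unless re-enabled for TAC
    mon=$(prop_value "$c/etc/org.talend.remote.jobserver.server.cfg" \
        org.talend.remote.jobserver.server.TalendJobServer.ENABLE_MONITORING_PORT)
    if [ "$mon" = "true" ]; then echo "MONITORING_PORT enabled"; fi
    # Default-password warnings logged from patch 2024-09 onwards
    if [ -n "$log" ] && [ -f "$log" ]; then
        n=$(grep -c "SECURITY WARNING" "$log" || true)
        if [ "$n" -gt 0 ]; then echo "DEFAULT_PASSWORD_WARNINGS $n"; fi
    fi
    return 0
}

# Constructed sample container so the audit can be tried offline.
make_sample() {  # $1 = empty directory to populate
    mkdir -p "$1/etc"
    printf '%s\n' '# sshHost = 127.0.0.1' 'sshHost = 0.0.0.0' > "$1/etc/org.apache.karaf.shell.cfg"
    printf '%s\n' 'org.ops4j.pax.web.ssl.password = changeit-sample' \
        'org.ops4j.pax.web.ssl.clientauth.needed = true' > "$1/etc/sample-web.cfg"
    printf '%s\n' 'org.talend.remote.jobserver.server.TalendJobServer.ENABLE_MONITORING_PORT=true' \
        > "$1/etc/org.talend.remote.jobserver.server.cfg"
    printf '%s\n' 'INFO started' 'WARN SECURITY WARNING: sample line (constructed)' > "$1/sample.log"
}
```

Run `audit_container` with the {container} directory and the runtime log file; an empty result means none of the four conditions was found. An `SSH_HOST` or `MONITORING_PORT` line is informational and should be judged against whether default passwords have been changed and whether TAC needs the port.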
Security fix of the provisioning agent web application (TPRUN-8652)
When applied to a full Talend ESB installation, patch 8.0.1.R2024-09-RT copies an updated version of the provisioning agent web application into add-ons/provisioning with file name provisioning-agent-web-8.0.1.R2024-09-PT.war.
This update ensures that profile name and version parameters are properly encoded when added to the lookup REST request and will not unexpectedly modify the URL. If in use, the provisioning agent web application should be updated.
R2024-11
Issues fixed in 2024-11
DPE (ex TPRUN)
- DPE-328: Issue deploying Route with Camel azure-storage-queue
- DPE-357: Avro version upgrade for Confluent Kafka dependencies
TDM
- QTDM-126: Update TDM maplang libraries to new version 1.13.0
- QTDM-215: [DSQL Map] Add databaseLookupAndUpdate and databaseUpdateAndLookup functions
- QTDM-219: [DSQL Map Editor] Incorrect decimal value at output
- QTDM-227: Remove support for Database Representation (Phase 1)
- QTDM-229: [8.0.1] cMap failing with Cannot invoke "String.length()" because "spec" is null
- QTDM-230: Behavior of Quote Mode changed between R2023-04 and R2024-04 so the new run fails with Null values
- QTDM-231: CVE-2024-47554 Commons-Io:commons-Io [2.0 ~ 2.13.0]
CVE fixed in 2024-11
CVE-2024-47561 avro 1.11.3 -> 1.11.4
R2024-10
Issues fixed in 2024-10
TPRUN
- TPRUN-8678: TESB RT 8.0.1: Remove dependency on undertow 2.2.x
TDM
- TDM-10781: [security] fix Uncontrolled data used in path expression
- TDM-10905: Remove ISREPAIRINGNAMESPACES mode from XML Writer
- TDM-10906: Adding additional namespace in xml root
- TDM-10968: [security] fix codeQL CWE in transform related to xstream
CVE fixed in 2024-10
CVE-2024-7885, CVE-2024-6162, ... remove undertow 2.2.x
R2024-09
Issues fixed in 2024-09
TPRUN
- TPRUN-8527: Disable process message port in Runtime for JobServer by default
- TPRUN-8552: Talend ESB runtime - CVE-2024-29736, CVE-2024-32007 in CXF 3.5.8
- TPRUN-8565: Talend ESB runtime - setting JAXP 1.5 properties triggers exception
- TPRUN-8550: Talend ESB runtime - improve warning for default passwords
- TPRUN-8605: Integrate latest JobServer patch version 8.0.2.202408011412patch into ESB
- TPRUN-8608: [8.0.1] Camel-cron not working on runtime
- TPRUN-8616: Talend ESB runtime 8.0.1 - Add commons-collections 3 as default dependency
- TPRUN-8621: CVE-2024-38808 - Update Spring to 5.3.39 in TESB runtime
- TPRUN-8185: Runtime SSL Client Auth property name change (documentation)
- TPRUN-8646: Talend ESB runtime 8.0.1 - update undertow to 2.2.34.Final
- TPRUN-8652: TESB RT 8.0.1: Harden provisioning lookup request URL building
CVE fixed in 2024-09
- CVE-2024-29736, CVE-2024-32007 CXF 3.5.8 -> 3.5.9
- CVE-2024-38808 spring 5.3.37 -> 5.3.39
- CVE-2024-5971 undertow 2.2.33.Final -> 2.2.34.Final
R2024-07
Issues fixed in 2024-07
TPRUN
- TPRUN-6516: Provide JWT (JSON Web Token) Provider to STS service
- TPRUN-8398: Talend ESB 8.0.1 RT - CVE updates from June 2024 Trivy scans
- TPRUN-8483: Update <ESB-DIR>/add-ons/datasources/sap/README.txt
- TPRUN-8522: Disable JobServer monitoring port in runtime
- TPRUN-8523: Improve Talend ESB runtime security with default credentials - SSH access restriction to 127.0.0.1
- TPRUN-8523: Improve Talend ESB runtime security with default credentials - default password warning at local shell startup
TDM
- TDM-10732: [DSQL Map]Length of the EDI Interchange Control Number is not as expected
- TDM-10761: [DSQL Map] Cobol input trimming does not remove special characters
CVE fixed in 2024-07
- CVE-2024-6162, CVE-2024-27316 undertow 2.2.31.Final -> 2.2.33.Final
- CVE-2021-47621 classgraph 4.8.25 -> 4.8.112
R2024-06
Issues fixed in 2024-06
TPRUN
- TPRUN-8231: Talend ESB runtime patching: Update feature file "specs" only if present
- TPRUN-8280: CVE-2023-5685 - Update of xnio in Talend ESB runtime
- TPRUN-8367: Talend ESB 8.0.1 RT - CVE-2024-37902 - update of djl api to 0.28.0
TDM
- TDM-10763: The error when read copybooks in TDM
- TDM-10856: NullPointerException using Flat Representation when log level is DEBUG
- TDM-10878: When the “major” and “minor” attributes are added in tHMap the default namespace is not set in the generated XML
- TDM-10896: install feature talend-data-mapper-eclipse on ESB runtime fails
CVE fixed in 2024-06
- CVE-2023-5685 xnio 3.8.11.Final -> 3.8.14.Final
- CVE-2024-37902 ai.djl 0.21.0 -> 0.28.0
R2024-05
Issues fixed in 2024-05
TPRUN
- TPRUN-7972: Unable to deploy Route which has SMB Protocol in Runtime
- TPRUN-7514: Update of Talend ESB runtime Camel dependency to 3.20.9
- TPRUN-7908: Fix apache transitive dependencies in tesb repo
- TPRUN-8115: Integrate latest JobServer patch version 8.0.2.202405071504patch into ESB
- TPRUN-8070: Feature dependency camel-google-storage/0.0.0 is not available
- TPRUN-8138: Missing camel-zookeeper-master lib
TDM
- TDM-9959: CSV writer doesn't generate default header
- TDM-10554: Migrate DataFormatDateConverter from joda to java.time
- TDM-10737: Update TDM maplang libraries to new version 1.12.0
CVE fixed in 2024-05
- CVE-2024-28752 cxf 3.5.6 -> 3.5.8 (backport no longer required)
- CVE-2024-22243 spring 5.2.24 -> 5.3.34 (syncope, full build only)
- CVE-2022-22978 spring-security 5.3.13 -> 5.7.12 (syncope, full build only)
- CVE-2023-20873 spring-boot 2.7.6 -> 2.7.18 (syncope, full build only)
- CVE-2021-42575 owasp-java-html-sanitizer 20191001.1 -> 20211018.1 (syncope, full build only)
- CVE-2022-46364 cxf 3.3.13 -> 3.5.8 (syncope, full build only)
- CVE-2022-44729 batik-bridge 1.14 -> 1.31 (syncope, full build only)
- CVE-2022-25857 snakeyaml 1.27 -> 1.33 (syncope, full build only)
- CVE-2020-36518 ehcache 2.10.9.2 (embedded jackson-databind 2.11.1) removed (syncope, full build only)
For previous patches : see 2024-04 patch release notes