This post is intended for Talend customers running a Talend product version between 5.4.x and 5.6.1 and have the Talend Log Server installed.
We have identified a security vulnerability present in ElasticSearch 1.1.1, a component included with Talend Log Server in versions 5.4.x through 5.6.1. This vulnerability utilizes dynamic scripting, which allows remote attackers with network access to execute arbitrary MVEL expressions and Java code via the source parameter to _search. Further, a cross-site scripting (XSS) vulnerability in the CORS functionality in Elasticsearch allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
If you have not installed Talend Log Server, or are running a version of Talend software prior to 5.4.x, you are not affected.
However, if you are running a Talend product version between 5.4.x and 5.6.1, and have the Talend Log Server installed, it is necessary to make the following configuration changes to properly secure your system:
1. Create a file called elasticsearch.yml in your Talend Log Server directory (/Talend/<version>/Talend-LogServer)
2.Edit the file and add the following entries:
3. Restart the Log Server.
For more information please refer to Talend Jira System TUP-2775: https://jira.talendforge.org/browse/TUP-2775 .
More information about the CVE (Common Vulnerabilities and Exposures) IDs related to the Elastic Search vulnerabilities can be found at CVE 2014-3120 http://www.cve.mitre.org/cgi-bin/cvenam … =2014-3120 and CVE 2014-6439 http://www.cve.mitre.org/cgi-bin/cvenam … =2014-6439 .
Frequently Asked Questions:
Q. I’m running Talend Log Server. Is my system vulnerable to attackers?
If your system is properly secured behind a firewall, it would only be vulnerable to attacks from within your internal network. Talend recommends that you apply the configuration changes above to ensure that the system is not open to malicious attacks.
Q. I’m not sure if I installed Talend Log Server. How can I identify if it’s running?
You can check what services your system is running. In Windows, click on the start menu and type “services.msc” for a complete list. If you see Talend Logserver, the service is installed. Other ways to locate the log server:
On windows, type netstat -na | find "9200" into the command prompt, and verify if a service is running on port 9200. On Linux, the command would be netstat –p 9200.
Q. I see that I’m running the Talend Log Server. Instead of disabling dynamic scripting, can I turn off the Log Server entirely?
Yes. When viewing your Windows services, right click on the Talend Log Server, and select “stop”. Then select Properties, and change the service from “Automatic” to “Disabled”. The log server will no longer initialize when the server restarts.
Q. Are future versions of Talend software affected?
Starting with version 5.6.2, dynamic scripting will no longer be enabled for Talend Log Server. For Talend 6.0, the version of ElasticSearch included does not contain these vulnerabilities.
For any additional questions, please go to http://talend.com/ and contact Talend Support.
The Talend Team.