FAQ for Log4J Vulnerabilities

Katie_Davis — Tue, 15 Feb 2022 20:30:41 GMT

Please visit our Support Updates Blog detailing Affected Product Chart and Release Solutions.

Where can I find more information on the log4j vulnerabilities and what they mean?

A: https://logging.apache.org/log4j/2.x/security.html

During December 2021, the Apache Log4j 2.x vulnerabilities (https://logging.apache.org/log4j/2.x/security.html) were found:

(1). CVE-2021-44228 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228): A remote code execution (RCE) vulnerability in Apache Log4j 2.x referred to as "Log4Shell". Log4j fix: 2.15.0

(2). CVE-2021-45046 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046): Under certain conditions, the library is open to DDoS attacks. Log4j fix: 2.16.0.

(3). CVE-2021-45105 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105): A
second way that allows the remote connection. Log4j fix: 2.17.0.

(4). CVE-2021-44832 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832): An Arbitrary Code Execution exploit. It is also an RCE vulnerability. Log4j fix: 2.17.1.

When will patches be released?

The immediate risks to the current vulnerabilities have been addressed, and further releases will become available with their regular release schedule.

We are running Qlik Replicate (2021.5.0.1133) and Enterprise Manager (2021.5.0.465). If we upgrade to Qlik Replicate (2021.5.0.1272) and Enterprise Manager (2021.5.0.543) would address log4j vulnerability CVE-2021-44228?

Yes. (00020378) CVE-2021-44228, CVE-2021-45046 - is fixed by 2.16.0

The above latest build of Replicate and Enterprise Manager contains log4j 2.16.0.

If necessary, users may manually upgrade to log4j 2.17.1, the detailed steps are in article:

https://community.qlik.com/t5/Knowledge/CVE-2021-45105-CVE-2021-44832-Update-to-log4j-2-17-1-for-Qlik/ta-p/1876190

Are there any patches for Qlik Replicate and Enterprise Manager 2021.11?

Yes. Please download Replicate 2021.11 SR1 (2021.11.0.165), QEM 2021.11 SP02 (2021.11.0.198)

- or -

https://files.qlik.com/url/qr2021110165sp02 (expires 3/31/2022)

https://files.qlik.com/url/qem2021110198sp02 (expires 3/31/2022)

Are there any patches for Qlik Replicate and Enterprise Manager 2021.5?

Yes. Please download Replicate 2021.5 SR5 (2021.5.0.1272), QEM 2021.5 SP09 (2021.5.0.543)

- or -

https://files.qlik.com/url/qr2021501272sp09 (expires 3/31/2022)

https://files.qlik.com/url/qem202150543sp09 (expires 3/31/2022)

Are there any patches for Qlik Replicate and Enterprise Manager 7.0 (Nov 2020)?

Yes. Please download Replicate 7.0 SR5 (7.0.0.1221) and QEM SR5 (7.0.0.1607)

- Or -

https://files.qlik.com/url/qr700967sp10 (expires 04/30/2022)

https://files.qlik.com/url/qem7001602sp10 (expires 04/30/2022)

Are there any patches for Qlik Replicate and Enterprise Manager 6.6 (Apr 2020)?

Yes. Please download Replicate 6.6 SR6 (6.6.0.904) and QEM SR3 (6.6.0.790)

- Or -

https://files.qlik.com/url/qr660904sp14 (expires 4/30/2022)

https://files.qlik.com/url/qem660790sp12 (expires 4/30/2022)

Are there any patches for Qlik Replicate and Enterprise Manger 5.5/6.2/6.3/6.4/6.5?

No. These versions are no longer being supported so it will not be patched for the log4j vulnerability. Please consider upgrading to supported versions.

Take note the upgrade should be 2 steps: 6.x > 6.6 > 2021.5 or 2021.11

Replicate 6.2 does not have this folder because it does not support endpoint server yet.

If you are upgrading from Replicate 5.5, please contact Qlik Support.

For more information, see the product lifecycle: https://community.qlik.com/t5/Product-Support-Lifecycle/Qlik-Replicate-Product-Lifecycle/ta-p/1837201

For mitigation steps, please see: https://community.qlik.com/t5/Knowledge/CVE-2021-44228-Handling-the-log4j-lookups-critical-vulnerability/ta-p/1869996

We are running Replicate 6.3/6.4. Does Log4j vulnerabilities impact the installation?

Replicate v6.3/6.4 does not include Endpoint Server and it is no longer supported. Please consider upgrading to supported versions.

The product lifecycle: https://community.qlik.com/t5/Product-Support-Lifecycle/Qlik-Replicate-Product-Lifecycle/ta-p/1837201

or mitigation steps: https://community.qlik.com/t5/Knowledge/CVE-2021-44228-Handling-the-log4j-lookups-critical-vulnerability/ta-p/1869996

Why do customers need to manually upgrade to 2.17.1?

We have reviewed a third Log4j vulnerability, CVE-2021-45105, and determined the relevant products (Replicate, Compose, QEM and GeoAnalytics) do not use the logging feature and context string defined in the CVE. Qlik considers the risks of Denial-Of-Service to be low and will address this in future regularly scheduled patch releases.

For Catalog, Qlik has published service releases for May, August, and November 2021 versions with upgraded Log4j 2.17.0 to the downloads page.

Do we need to manually upgrade to 2.17.1 for Replicate/Enterprise Manager?

Yes. Customers who require 2.17.1 will need to upgrade log4j manually. You can find instructions here: https://community.qlik.com/t5/Knowledge/CVE-2021-45105-CVE-2021-44832-Update-to-log4j-2-17-1-for-Qlik/ta-p/1876190

Replicate:

Location to replace jar files: <installation-root>\Replicate\endpoint_srv\externals\ (Default location:C:\Program Files\Attunity\Replicate\endpoint_srv\externals)

QEM:

Location to replace jar files: <installation-root>\Enterprise Manager\java\external (Default location:C:\Program Files\Attunity\Enterprise Manager\java\external)

Qlik Compose:

Location to replace jar files: <installation-root>\Compose\java\external (Default location: C:\Program Files\Qlik\Compose\java\external)

Qlik Compose for Data Lakes:

Location to replace jar files: <installation-root>\Compose for Data Lakes\java\external (Default location: C:\Program Files\Attunity\Compose for Data Lakes\java\external)

Qlik Compose for Data warehouses:

Location to replace jar files: <installation-root>\Compose for Data warehouses\java\external (Default location: C:\Program Files\Attunity\Compose for Data Warehouses\java\external)

Do we need to manually upgrade to 2.17.1 for Compose?

Replicate:

Location to replace jar files: <installation-root>\Replicate\endpoint_srv\externals\ (Default location:C:\Program Files\Attunity\Replicate\endpoint_srv\externals)

QEM:

Location to replace jar files: <installation-root>\Enterprise Manager\java\external (Default location:C:\Program Files\Attunity\Enterprise Manager\java\external)

Qlik Compose:

Location to replace jar files: <installation-root>\Compose\java\external (Default location: C:\Program Files\Qlik\Compose\java\external)

Qlik Compose for Data Lakes:

Location to replace jar files: <installation-root>\Compose for Data Lakes\java\external (Default location: C:\Program Files\Attunity\Compose for Data Lakes\java\external)

Qlik Compose for Data warehouses:

Location to replace jar files: <installation-root>\Compose for Data warehouses\java\external (Default location: C:\Program Files\Attunity\Compose for Data Warehouses\java\external)

We followed the mitigation steps from the Qlik file and renamed the file name from "Log4j-core-2.14.1.jar" to "log4j-core-nolookup-2.14.1.jar". When upgrading to the latest build, do we need to rename the mentioned jar file name, or can we perform upgrade installation as-is?

Yes.

The best approach is renaming the jar files (log4j-core-nolookup-2.14.1.jar) to their original file name (log4j-core-2.14.1.jar) before upgrade or remove the files out of Replicate installation folder.

This is because Replicate installation program will try to remove the old jar files. If it cannot find it, a warning reported:

warning: file /opt/attunity/replicate/endpoint_srv/externals/log4j-core-2.14.1.jar: remove failed: No such file or directory

In this case, the installation program cannot remove the useless jar file, the unnecessary jar file left in the folder, there are 2 versions log4j-core jar files after the upgrade is done. Please remove the "log4j-core-nolookup-2.14.1.jar" manually and restart the services.

Which GeoAnalytics versions will be upgraded to 2.17?

The November 2021 release can be upgraded using the patch available on the downloads site.

Qlik recommends that customers on previous versions upgrade to the November 2021 release.

https://da3hntz84uekx.cloudfront.net/GeoAnalytics/4.32.4/31260/GeoAnalyticsServerReleaseNotes-November2021Patch2.pdf

What’s the mitigation steps for Visibility?

Qlik is providing these mitigation steps as a temporary measure. Detailed steps see:

https://community.qlik.com/t5/Knowledge/CVE-2021-44832-Handling-the-log4shell-vulnerability-for/ta-p/1877884

Re: FAQ for Log4J Vulnerabilities

Vikki — Thu, 12 May 2022 19:47:43 GMT

Is Log4j v2.3.2 the only version compatible with Visibility for this vulnerability. Under the general section on info about CVE02021-4428 noted below, it recommends at least v2.15.0. Is there a 2.15.0 version that can be downloaded and tested for Visibility?

(1). CVE-2021-44228 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228): A remote code execution (RCE) vulnerability in Apache Log4j 2.x referred to as "Log4Shell". Log4j fix: 2.15.0

Please advise.

Regards,

Vikki turner

vikki.turner@pnc.com

article FAQ for Log4J Vulnerabilities in Get Started

FAQ for Log4J Vulnerabilities

Where can I find more information on the log4j vulnerabilities and what they mean?

When will patches be released?

We are running Qlik Replicate (2021.5.0.1133) and Enterprise Manager (2021.5.0.465). If we upgrade to Qlik Replicate (2021.5.0.1272) and Enterprise Manager (2021.5.0.543) would address log4j vulnerability CVE-2021-44228?

Are there any patches for Qlik Replicate and Enterprise Manager 2021.11?

Are there any patches for Qlik Replicate and Enterprise Manager 2021.5?

Are there any patches for Qlik Replicate and Enterprise Manager 7.0 (Nov 2020)?

Are there any patches for Qlik Replicate and Enterprise Manager 6.6 (Apr 2020)?

Are there any patches for Qlik Replicate and Enterprise Manger 5.5/6.2/6.3/6.4/6.5?

We are running Replicate 6.3/6.4. Does Log4j vulnerabilities impact the installation?

Why do customers need to manually upgrade to 2.17.1?

Do we need to manually upgrade to 2.17.1 for Replicate/Enterprise Manager?

Do we need to manually upgrade to 2.17.1 for Compose?

We followed the mitigation steps from the Qlik file and renamed the file name from "Log4j-core-2.14.1.jar" to "log4j-core-nolookup-2.14.1.jar". When upgrading to the latest build, do we need to rename the mentioned jar file name, or can we perform upgrade installation as-is?

Which GeoAnalytics versions will be upgraded to 2.17?

What’s the mitigation steps for Visibility?

Re: FAQ for Log4J Vulnerabilities