https://community.qlik.com/t5/Qlik-Replicate/Apache-Log4j-Vulenrability/m-p/2480031#M12591 <P>Hi&nbsp;<a href="https://community.qlik.com/t5/user/viewprofilepage/user-id/161637">@PICTConversionTeamDevs</a>&nbsp;</P> <P>It doesn't seem like it would, but we should check on this issue with our internal support team / R &amp; D. We don't have a way to elevate issues from our forum to them, could you please open a support case for this?</P> <P>Thanks,</P> <P>Dana</P> Thu, 05 Sep 2024 20:09:16 GMT Dana_Baldwin 2024-09-05T20:09:16Z https://community.qlik.com/t5/Qlik-Replicate/Apache-Log4j-Vulenrability/m-p/2479978#M12587 <P>we have found below two Vulnerability for file&nbsp;<SPAN>Attunity\Replicate\java\java_file_factory.jar</SPAN><BR /><SPAN>CVE-2019-17571</SPAN><BR /><SPAN>CVE-2022-23305<BR /><BR /></SPAN>Back in 2021, we did fix the Apache Log4j vulnerability by upgrading it to the higher version with the following documents, but somehow the file&nbsp;<SPAN>Attunity\Replicate\java\java_file_factory.jar still reference to old log4j</SPAN><BR /><BR /><SPAN>PS D:\Attunity\Replicate\endpoint_srv\externals&gt; ls log4j*</SPAN><BR /><BR /><BR /><SPAN>Directory: D:\Attunity\Replicate\endpoint_srv\externals</SPAN><BR /><BR /><BR /><SPAN>Mode LastWriteTime Length Name</SPAN><BR /><SPAN>---- ------------- ------ ----</SPAN><BR /><SPAN>-a---- 6/3/2020 11:09 AM 264060 log4j-api-2.11.1.jar</SPAN><BR /><SPAN>-a---- 6/3/2020 11:09 AM 1607947 log4j-core-2.11.1.jar-vulnerable</SPAN><BR /><SPAN>-a---- 12/17/2021 4:03 PM 1589223 log4j-core-nolookup-2.11.1.jar<BR /><BR /><BR /></SPAN>We know QLIK does not support Replicate 6.6 and can't provide any fix. Does anyone know if there is any fix/workaround to update the log4j version in file&nbsp;<SPAN>Attunity\Replicate\java\java_file_factory.jar<BR /><BR />we are planning to upgrade qlik replcate but that will take some time.&nbsp;</SPAN></P> Thu, 05 Sep 2024 15:32:23 GMT https://community.qlik.com/t5/Qlik-Replicate/Apache-Log4j-Vulenrability/m-p/2479978#M12587 PICTConversionTeamDevs 2024-09-05T15:32:23Z https://community.qlik.com/t5/Qlik-Replicate/Apache-Log4j-Vulenrability/m-p/2480008#M12588 <P>Hi&nbsp;<a href="https://community.qlik.com/t5/user/viewprofilepage/user-id/161637">@PICTConversionTeamDevs</a>&nbsp;</P> <P>As you have mentioned, upgrading from version 6.6 is the best course of action to alleviate this vulnerability, but we do understand that an upgrade should be well planned and tested, especially when moving from an unsupported version as you will need to apply more than one upgrade.</P> <P>Please refer to this knowledge article on how to update log4j without upgrading Replicate. Please test this thoroughly in a pre-production environment before attempting in production:&nbsp;<A href="https://community.qlik.com/t5/Official-Support-Articles/CVE-2021-45105-CVE-2021-44832-Update-to-log4j-2-17-1-for-Qlik/ta-p/1876190" target="_blank">CVE-2021-45105/CVE-2021-44832 - Update to log4j 2.... - Qlik Community - 1876190</A></P> <P>As you plan your upgrade, you may find this information helpful:</P> <P>Upgrade guide/best practices:&nbsp;<A href="https://community.qlik.com/t5/Official-Support-Articles/Qlik-Replicate-Upgrade-Best-Practices/ta-p/1729651" target="_blank">Qlik Replicate Upgrade Best Practices - Qlik Community - 1729651</A></P> <P>As noted in this link, please ensure your operating system, source/target endpoint versions are supported, and any needed updates to driver software are considered.</P> <P>Please refer to the release notes for the version you will upgrade to regarding which versions need to be installed to get to your desired end version.</P> <P>I hope this helps!</P> <P>Dana</P> Thu, 05 Sep 2024 18:22:27 GMT https://community.qlik.com/t5/Qlik-Replicate/Apache-Log4j-Vulenrability/m-p/2480008#M12588 Dana_Baldwin 2024-09-05T18:22:27Z https://community.qlik.com/t5/Qlik-Replicate/Apache-Log4j-Vulenrability/m-p/2480011#M12590 <P>Thanks for the details. We followed similar documents around 2021 to upgrade the log4j from 1.2.17 to 2.* version.</P> <P><SPAN>Directory: D:\Attunity\Replicate\endpoint_srv\externals</SPAN><BR /><BR /><BR /><SPAN>Mode LastWriteTime Length Name</SPAN><BR /><SPAN>---- ------------- ------ ----</SPAN><BR /><SPAN>-a---- 6/3/2020 11:09 AM 264060 log4j-api-2.11.1.jar</SPAN><BR /><SPAN>-a---- 6/3/2020 11:09 AM 1607947 log4j-core-2.11.1.jar-vulnerable</SPAN><BR /><SPAN>-a---- 12/17/2021 4:03 PM 1589223 log4j-core-nolookup-2.11.1.jar</SPAN><BR /><BR /><BR />but somehow this file "<SPAN>Attunity\Replicate\java\java_file_factory.jar"&nbsp;</SPAN>&nbsp; is still&nbsp; referencing to log4j 1.2.17<BR /><BR />Do you think upgrading the log4j from 2.11.1 to 2.17.1, as mentioned in this document will also update the log4j version in the file&nbsp;<SPAN>Attunity\Replicate\java\java_file_factory.jar??</SPAN></P> Thu, 05 Sep 2024 18:40:23 GMT https://community.qlik.com/t5/Qlik-Replicate/Apache-Log4j-Vulenrability/m-p/2480011#M12590 PICTConversionTeamDevs 2024-09-05T18:40:23Z https://community.qlik.com/t5/Qlik-Replicate/Apache-Log4j-Vulenrability/m-p/2480031#M12591 <P>Hi&nbsp;<a href="https://community.qlik.com/t5/user/viewprofilepage/user-id/161637">@PICTConversionTeamDevs</a>&nbsp;</P> <P>It doesn't seem like it would, but we should check on this issue with our internal support team / R &amp; D. We don't have a way to elevate issues from our forum to them, could you please open a support case for this?</P> <P>Thanks,</P> <P>Dana</P> Thu, 05 Sep 2024 20:09:16 GMT https://community.qlik.com/t5/Qlik-Replicate/Apache-Log4j-Vulenrability/m-p/2480031#M12591 Dana_Baldwin 2024-09-05T20:09:16Z https://community.qlik.com/t5/Qlik-Replicate/Apache-Log4j-Vulenrability/m-p/2480044#M12592 <P>Hello&nbsp;<a href="https://community.qlik.com/t5/user/viewprofilepage/user-id/161637">@PICTConversionTeamDevs</a>&nbsp;,</P> <P>Besides&nbsp;<a href="https://community.qlik.com/t5/user/viewprofilepage/user-id/121014">@Dana_Baldwin</a>&nbsp;comments, looks to me the two&nbsp;<SPAN>vulnerabilities&nbsp;&nbsp;do not apply to Qlik Replicate as&nbsp;Qlik Replicate do not use the SocketServer class and&nbsp;Apache Chainsaw. Let's get confirmation from CF/R&amp;D.</SPAN></P> <P><SPAN>Thanks,</SPAN></P> <P><SPAN>John.</SPAN></P> Fri, 06 Sep 2024 01:24:43 GMT https://community.qlik.com/t5/Qlik-Replicate/Apache-Log4j-Vulenrability/m-p/2480044#M12592 john_wang 2024-09-06T01:24:43Z https://community.qlik.com/t5/Qlik-Replicate/Apache-Log4j-Vulenrability/m-p/2480227#M12606 <P>Thanks John,</P> <P>Those two vulnerabilities are for Log4J 1.2.17, referenced in qlik path \<SPAN>Attunity\Replicate\java\java_file_factory.jar.</SPAN></P> <P>We may need to either update the version in that jar file or remove the reference.<BR /><BR />I already have a QLIK case open regarding this issue.</P> <H1>00306526: Apache Log4j Vulenrability</H1> Fri, 06 Sep 2024 18:13:55 GMT https://community.qlik.com/t5/Qlik-Replicate/Apache-Log4j-Vulenrability/m-p/2480227#M12606 PICTConversionTeamDevs 2024-09-06T18:13:55Z https://community.qlik.com/t5/Qlik-Replicate/Apache-Log4j-Vulenrability/m-p/2480295#M12612 <P>Thank you&nbsp;<a href="https://community.qlik.com/t5/user/viewprofilepage/user-id/161637">@PICTConversionTeamDevs</a>&nbsp;, our support will work on it.</P> <P>Regards,</P> <P>John.</P> Sun, 08 Sep 2024 11:00:27 GMT https://community.qlik.com/t5/Qlik-Replicate/Apache-Log4j-Vulenrability/m-p/2480295#M12612 john_wang 2024-09-08T11:00:27Z