article CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik GeoAnalytics in Official Support Articles

CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik GeoAnalytics

Sebastian_Linser — Thu, 27 Jan 2022 09:13:15 GMT

Qlik GeoAnalytics Server and the Qlik GeoAnalytics Connector in combination with GeoAnalytics Plus are both affected by the log4j vulnerability.

Patches are available. See Vulnerability Testing - Apache Log4j, reference CVE-2021-44228 (also referred to as Log4Shell) for your release of Qlik GeoAnalytics and the relevant patch.

Upgrade at the earliest.

Mitigation steps are provided below should not upgrade be possible at this time.

The Standard GeoAnalytics Connector for Qlikview and QlikSense (bundled) without GeoAnalytics Plus are not affected by it, they don't use Java.

Environment:

Resolution for GeoAnalytics Server:

Start the Configure Service application from the start menu.
Set the Java options ‐Dlog4j2.formatMsgNoLookups=true inside the Service Properties under the Java tab.
Restart all GeoAnalytics Services.

Resolution for GeoAnalytics Plus Connector:

Open C:\Program Files\Common Files\Qlik\Custom Data\QvIdevioConnector\IdevioGeoAnalyticsConnector.exe.config
Locate the following line (located in appSettings)
```
<add key="javaArgs" value=""/>
```

Change the line to:

<add key="javaArgs" value="-Dlog4j2.formatMsgNoLookups=true"/>

This applies only to GeoAnalytics Plus Connector Version May 2021 and higher.

Versions prior to February 2020 uses Log4j v1, which is not vulnerable to this exploit. To prevent any other possible vulnerabilities, we recommend upgrading to a newer version (higher than May 2021) of GeoAnalytics Plus and then applying the mitigation.

Alternatively, you can manually replace the Log4j library files with newer versions:

Download the binaries of the latest release of Log4j2 (2.17.1 as of this moment): https://logging.apache.org/log4j/2.x/download.html
Extract the files
Go to C:\Program Files\Common Files\Qlik\Custom Data\QvIdevioConnector\lib
For all JAR files starting with "lib4j-"
1. Copy the corresponding 2.17.1 JAR file to the lib folder
2. Delete the old version of that JAR

For more information on the Log4j vulnerability, please visit the Support Updates Blog post.

As a short update we released:

GeoAnalytics Server - 4.32.5 - (November 2021 SR3) - 2.17.1
GeoAnalytics Server - 4.19.2 - 4.27.4 (February 2020 SR2 - May 2021 SR2) - 2.17.1
GeoAnalytics Plus - 5.31.3 ( November 2021 SR3) - 2.17.1
GeoAnalytics Plus - 5.29.5-5.30.2 (May 2021 SR3 - August 2021 SR2) - 2.17.1
GeoAnalytics Plus - 5.27.6-5.28.3 (November 2020 SR2-February 2021 SR2) - 2.17.1
GeoAnalytics Plus - 5.26.6 (September 2020 SR3) - 2.17.1

GeoAnalytics Server - 4.32.4 - (November 2021 SR2) - 2.17.0
GeoAnalytics Server - 4.32.3 - (November 2021 SR1) - 2.16.0
GeoAnalytics Server - 4.19.1 - 4.27.3(February 2020 SR1 - May 2021 SR1) - 2.16.0

GeoAnalytics Plus - 5.31.2 ( November 2021 SR2) - 2.17.0
GeoAnalytics Plus - 5.31.1 ( November 2021 SR1) - 2.16.0
GeoAnalytics Plus - 5.29.4-5.30.1 (May 2021 SR2 - August 2021 SR1) - 2.16.0
GeoAnalytics Plus - 5.27.5-5.28.2 (November 2020 SR1-February 2021 SR1) - 2.16.0
GeoAnalytics Plus - 5.26.5 (September 2020 SR2) - 2.16.0

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik GeoAnalytics

hermandup_anz — Tue, 14 Dec 2021 04:57:04 GMT

Does either or both of these fixes require outage at any point, i.e. service restarts?

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik GeoAnalytics

aadil_madarveet — Tue, 14 Dec 2021 06:12:11 GMT

We are running Geo Analytics Server November 2018.

Does this change apply. Any info on whats supported and whats not?

Thanks,

Aadil

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik GeoAnalytics

JohannaR — Tue, 14 Dec 2021 07:10:55 GMT

Can we still expect a patch?

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik GeoAnalytics

KallePersson — Tue, 14 Dec 2021 08:44:23 GMT

@hermandup_anz:
The GA Server fix requires a restart of its service in order to apply.
The GA Plus fix similarly requires a restart if it is running. It will keep running in the background for a while after being used so you can open the process explorer and look for a matching Java process and kill that.

@aadil_madarveet:
GA Server Nov 2018 doesn't use Log4j 2 (we switched to ), it is using Log4j 1 so it is not vulnerable to this specific bug.
It is however quite outdated and might have other vulnerabilities in its dependencies so I would really recommend updating anyway.

@JohannaR:
We will focus on getting patches out for the latest versions first, and then go backwards (mainly since the earlier versions will need a bunch of build related changes backported which will require some work).
The first patches should be out by tomorrow at least.

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik GeoAnalytics

jfkinspari — Tue, 14 Dec 2021 09:04:09 GMT

@KallePersson

Do you know from which version of GeoAnalytics the switch to Log4j 2 was made?

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik GeoAnalytics

KallePersson — Tue, 14 Dec 2021 09:09:11 GMT

@jfkinspariwe switched to Log4j2 in the February 2020 release of both GeoAnalytics Server and GeoAnalytics Plus.
I see that I forgot to add that to the post above.

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik GeoAnalytics

janyf — Tue, 14 Dec 2021 10:04:31 GMT

Hello

If there is no

<add key="javaArgs" value=""/>

line in config file , it need to be added ? If yes to which section ?

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik GeoAnalytics

Sebastian_Linser — Tue, 14 Dec 2021 10:52:41 GMT

@janyf which version are you using? it would come in the appsettings section between <appsettings> and </appsettings>

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik GeoAnalytics

KallePersson — Tue, 14 Dec 2021 10:54:47 GMT

@janyf:
The option only works on GeoAnalytics Plus from the May 2021 version and onwards. I will ask the support team to update the page.

The recommended solution would be to upgrade to a newer version of GeoAnalytics Plus and then apply the mitigation.
You could also manually replace the Log4j library files with newer versions:

Download the binaries of the latest release of Log4j2 (2.16 as of this moment): https://logging.apache.org/log4j/2.x/download.html and extract somewhere
Go to C:\Program Files\Common Files\Qlik\Custom Data\QvIdevioConnector\lib
For all JAR files starting with "lib4j-"
1. Copy the corresponding 2.16 JAR file to the lib folder
2. Delete the old version of that JAR

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik GeoAnalytics

janyf — Tue, 14 Dec 2021 12:01:01 GMT

@KallePersson it is slightly confusing

This is library

but this is version when i run the connector :

so it is possible we are not affected somehow (as there is still old lib)

brgds

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik GeoAnalytics

KallePersson — Tue, 14 Dec 2021 12:43:18 GMT

@janyfYes, that is Log4j 1 so it is safe from this vulnerability at least.
It is quite old though so I recommend that you upgrade GeoAnalytics Plus when we have a proper patched release out. But you should be ok for now.

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik GeoAnalytics

aki_martiskaine — Tue, 14 Dec 2021 14:15:56 GMT

Can I upgrade GeoAnalytics Plus to May 2021 or newer version regardless of GeoAnalytics Server or GA for Qlik Sense version?

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik GeoAnalytics

senior_v — Tue, 14 Dec 2021 16:26:27 GMT

We're using the Qlik GeoAnalytics version February 2020 (5.20.1) together with QlikView April 2019 SR3.

Since this GeoAnalytics version is affected and we're planning updating in early 2022 and you suggested updating in general.

Will GeoAnalytics May 2021 have any issues with the older QlikView April 2019 SR3?

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik GeoAnalytics

Sebastian_Linser — Tue, 14 Dec 2021 18:25:53 GMT

@senior_v

You can use Qlikview April 2019 with May 2021 even November 2021 see here

https://help.qlik.com/en-US/geoanalytics/Subsystems/GeoChangelogQV/Content/qlikview/qlikview-changelog.htm

For Sense it's September 2019 or newer

https://help.qlik.com/en-US/geoanalytics/Subsystems/GeoChangelogS/Content/qliksense/qliksense-changelog.htm

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik GeoAnalytics

senior_v — Thu, 16 Dec 2021 08:39:01 GMT

@Sebastian_Linser

Thanks, that's good news!

So we will update and go with log4j 2.16 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046) to mitigate the risk.

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik GeoAnalytics

Serkan — Thu, 16 Dec 2021 08:55:26 GMT

Hi @Sebastian_Linser :

Customer has a GeoQlik Server Version installed. Is there also an action needed due to the current Log4J Bug?

Here is also an screenshot about the log4j version:

This is in use with QlikView. What is your recommendation to do ?

Thanks for your feedback.

Regards

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik GeoAnalytics

Sebastian_Linser — Thu, 16 Dec 2021 09:17:39 GMT

@Serkan

Qlik is working on a patch for the GeoAnalytics server, for the moment you can only use the workaround with the additional parameter in the Java Settings.

GeoAnalytics Server - 4.32.3

Log4J Upgrade to 2.16.0

Late December

GeoAnalytics Server - 4.27.3 - 4.19.1

Log4J Upgrade to 2.16.0

Late December

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik GeoAnalytics

Sebastian_Linser — Thu, 16 Dec 2021 09:44:08 GMT

@Serkan one more update here. A Patch for GeoAnalytics Server 5.3 has been released and it includes the 2.16 libraries already. Just go tot he download page and get the latest release (Nov2021 SR1)

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik GeoAnalytics

senior_v — Mon, 20 Dec 2021 12:26:53 GMT

As of last weekend it came out that log4j 2.16 doesn't mitigate the security flaw totally. log4j 2.17 seems to completly remove the feature.

Is there any update to 2.17 planned?