article CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik Replicate in Official Support Articles

CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik Replicate

Jamie_Gregory — Tue, 25 Jan 2022 12:47:50 GMT

Qlik is providing these mitigation steps as a temporary measure. A patch will be provided and linked here; customers are advised to move to the patch as soon as it is available.

Patches are available. See Vulnerability Testing - Apache Log4j, reference CVE-2021-44228 (also referred to as Log4Shell) for your release and the relevant patch.

Upgrade at the earliest.

Environment:

Mitigation steps to follow Replicate log4j vulnerability:

Mitigation - Endpoint Server - Windows

Edit the file <installation-root>\Replicate\endpoint_srv\bin\rependctl.bat

(<installation-root> typically refers to C:\Program Files\Attunity)

Add the string -Dlog4j2.formatMsgNoLookups=true in the highlighted location shown below (last line of script):

@echo off
REM attunity endpoints server configuration/run script

FOR %%A IN ("%~dp0..") DO SET AT_PROD=%%~fA

REM list plugins here
SET AT_PLUGIN_LIST=-plugins rependsrv

REM set data directory based on the name of this script
SET AT_DATA_SUFFIX=
FOR /F "tokens=2 delims=_" %%A IN ("%~n0") DO SET AT_DATA_SUFFIX=%%A

IF "%AT_DATA_SUFFIX%" == "" (
    SET AT_DATA=
) ELSE (
    SET AT_DATA=-d data_%AT_DATA_SUFFIX%
)

IF EXIST "%AT_PROD%\jvm" (
    SET AT_JAVA=%AT_PROD%\jvm\bin\java.exe
) ELSE IF EXIST "%AT_PROD%\..\jvm" (
    SET AT_JAVA=%AT_PROD%\..\jvm\bin\java.exe
) ELSE IF "%JAVA_HOME%" == "" (
    ECHO ERROR: JAVA Cannot be found
    EXIT /b -1
) ELSE (
    SET AT_JAVA=%JAVA_HOME%\bin\java.exe
)

SET AT_EXTERNAL=%AT_PROD%\externals
SET AT_LIB=%AT_PROD%\lib
SET AT_MAIN=com.attunity.infrastructure.server.PluginServer

REM                                         <--------------- Fix Here ------------→
"%AT_JAVA%" -XX:+UseG1GC -Dlog4j2.formatMsgNoLookups=true -Dfile.encoding=UTF-8 %AT_JVM_OPT% -cp "%AT_EXTERNAL%"/*;"%AT_LIB%"/* %AT_MAIN% %AT_DATA% %AT_PLUGIN_LIST% %*

Save the file.
Locate the vulnerable log4j-core-<version#>.jar file and rename/move it to ..\log4j-core-<version#>.jar-vulnerable.
$ cd <installation-root>\Replicate\endpoint_srv\externals\ $ ren log4j-core-<version#>.jar ..\log4j-core-<version#>.jar-vulnerable
Download the non-vulnerable jar named log4j-core-nolookup-<version#>.jar from this page and place it in the same location as the vulnerable jar.

Restart the Replicate Windows service with the command:

$ sc stop AttunityReplicateServer

$ sc start AttunityReplicateServer

Note that if you have customized Replicate start scripts or if you are running multiple instances of Replicate on the same machine, you will have to repeat this process for the different environments and perform the equivalent edit on your modified start scripts.

Mitigation - Endpoint Server - Linux

Edit the file <installation-root>/replicate/endpoint_srv/bin/rependctl.sh (<installation-root> typically refers to /opt/attunity)

Add the string -Dlog4j2.formatMsgNoLookups=true in the highlighted location shown below (last line of script):

#!/bin/bash

# attunity endpoints server configuration/run script

DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"

AT_PROD="${DIR}/.."

AT_PLUGIN_LIST="rependsrv"

if [ -d "${AT_PROD}/jvm" ]; then
    AT_JAVA="${AT_PROD}/jvm/bin/java"
elif [ -d "${AT_PROD}/../jvm" ]; then
    AT_JAVA="${AT_PROD}/../jvm/bin/java"
elif [ -z "$JAVA_HOME" ]; then
    echo "ERROR: JAVA Cannot be found"
    exit -1
else
    AT_JAVA="${JAVA_HOME}/bin/java"
fi

AT_EXTERNAL="${AT_PROD}/externals"
AT_LIB="${AT_PROD}/lib"
AT_MAIN="com.attunity.infrastructure.server.PluginServer"

if [ -z "$AT_DATA" ]; then
    AT_DATA="${AT_PROD}/data"
fi

AT_CP="${AT_EXTERNAL}/*:${AT_LIB}/*"

#                         <----------- Fix Here --------->
"${AT_JAVA}" -XX:+UseG1GC -Dlog4j2.formatMsgNoLookups=true -Dfile.encoding=UTF-8 ${AT_JVM_OPT} -cp "${AT_CP}" "${AT_MAIN}" -d "${AT_DATA}" -plugins "${AT_PLUGIN_LIST}" "${@:1}"

Save the file.
Locate the vulnerable log4j-core-<version#>.jar file and rename/move it to ..\log4j-core-<version#>.jar-vulnerable.
$ cd <installation-root>/replicate/endpoint_srv/externals $ mv log4j-core-<version#>.jar ../log4j-core-<version#>.jar-vulnerable
Download the non-vulnerable jar named log4j-core-nolookup-<version#>.jar from this page and place it in the same location as the vulnerable jar.
Restart the Replicate service with the command:
```
# service areplicate restart
```

Mitigation - Client Samples in Java

The client samples are intended for demonstration - if they were used to build an application, make sure the application uses the latest version of the log4j component (v2.15) or, alternatively, apply similar mitigation to the ones listed above by adding the system property.

For more information on the Log4j vulnerability, please visit the Support Updates Blog post.

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik Replicate

dcamacho — Mon, 13 Dec 2021 21:37:44 GMT

Is the Linux fix for this page correct? It looks like the Windows scripting is being used for the Linux version of the script.

Shouldn't "%AT_JAVA%" be "${AT_JAVA}"?

Best!

Dana

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik Replicate

jfife — Mon, 13 Dec 2021 22:01:49 GMT

Yes, the Linux "fix" is incorrect. I just added ‐Dlog4j2.formatMsgNoLookups=true to the line in the existing file.

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik Replicate

dcamacho — Mon, 13 Dec 2021 22:05:53 GMT

Okay, that makes more sense to me.

Thank you!

Dana

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik Replicate

john_wang — Tue, 14 Dec 2021 07:28:47 GMT

Hello All,

Please pay special attention that the first character (in red) is incorrect:

# <--------------- Fix Here ------------→
"%AT_JAVA%" -XX:+UseG1GC ‐Dlog4j2.formatMsgNoLookups=true -Dfile.encoding=UTF-8

it should be an hyphen. So far the first line is WRONG (it's in Unicode ), The second line is correct (it's ASCII Hyphen):

While you add the parameter, please manually change the first char to hyphen in Linux editor (or DO NOT copy it from page but input the string manually). Otherwise the Endpoint Server cannot be startup anymore with error in "repsrv.log":

00414190: 2021-12-14T15:05:06 [AT_GLOBAL ]I: Attunity Replicate Server Log (V2021.5.0.1082 qlik.localdomain Linux 4.18.0-193.6.3.el8_2.x86_64 #1 SMP Wed Jun 10 11:09:32 UTC 2020 x86_64 64-bit, Revision:495b508a49b7f88b137640419bb7ced42be10909, PID: 414189) started at Tue Dec 14 15:05:06 2021 (at_logger.c:2652) 00414190: 2021-12-14T15:05:06 [AT_GLOBAL ]I: Licensed to Qlik, evaluation license (107 days remaining), all sources, all targets, all hosts (at_logger.c:2655) 00414190: 2021-12-14T15:05:06 [AT_GLOBAL ]I: Logging of database data is disabled (at_logger.c:2665) 00414190: 2021-12-14T15:05:06 [UTILITIES ]I: Scheduler configuration has been loaded. (scheduler.c:386) 00414190: 2021-12-14T15:05:06 [AT_GLOBAL ]E: Failed to set Endpoint Server admin password [1024713] (ar_endpoint_servers_mgr.c:866) 00414190: 2021-12-14T15:05:06 [AT_GLOBAL ]E: Failed to prepare the bundled endpoint server [1024713] (ar_endpoint_servers_mgr.c:437)

Regards,

John.

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik Replicate

Antony_05 — Tue, 14 Dec 2021 11:44:28 GMT

Hi,

I added this string in one of my qlik replicate server v6.6.0.177 but now when I'm starting the service again its not getting started.

Can anyone please help me on this.?

Thanks,

Antony S

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik Replicate

john_wang — Tue, 14 Dec 2021 11:53:44 GMT

Hello @Antony_05 ,

Can you check my previous comment to see if it helps?

BTW, please check "repsrv.log" to get further information about the failure.

Regards,

John.

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik Replicate

Antony_05 — Tue, 14 Dec 2021 12:06:52 GMT

Hi @john_wang ,

I just used the same string as you previously mentioned in a comment and I saved it in ANSI format, after that I stopped the service using the same comment mentioned. But we I tried starting it again I got an error like the instance is running.

So I tried again after some time and now the start is running but the service is not getting started and when I'm trying to stop it shows the following error.

ERROR: "

[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

Please help me on this.? Also please let me know where to find the repsrv.log file

Thanks,

Antony S

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik Replicate

john_wang — Tue, 14 Dec 2021 12:14:00 GMT

Hello @Antony_05 ,

Well, you are running Replicate on Windows.

Please use the Windows Service Manager to start/stop the services. It's easier for you to know if the Service is running or not.

BTW, the "repsrv.log" default location is <installation-root>\Replicate\data\logs. For example "C:\Program Files\Attunity\Replicate\data\logs".

Regards,

John.

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik Replicate

Antony_05 — Tue, 14 Dec 2021 12:17:23 GMT

Hi @john_wang ,

I just restarted the machine and now the service is running fine. 🙂

Thanks,

Antony S

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik Replicate

john_wang — Tue, 14 Dec 2021 12:43:15 GMT

Hi @Antony_05 ,

Glad to hear that.

Regards,
John.

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik Replicate

parimalpatel — Tue, 14 Dec 2021 21:20:17 GMT

There are new updates on this issue stating
"LOG4J_FORMAT_MSG_NO_LOOKUPS=true as a mitigation for CVE-2021-44228: While this does help, an app *MAY* still be vulnerable, depending on how it uses log4j."

Can Qlik confirm if that's the case with Replicate V7 and if they're planning to release the patch or another temp fix to resolve this completely?

References:
https://twitter.com/wdormann/status/1470804255552557064

“Note that previous mitigations involving configuration such as to set the system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this specific vulnerability.”
- from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik Replicate

subuddir — Wed, 15 Dec 2021 08:51:33 GMT

Hi,

Is there any more update to the new information where the proposed action is not mitigating the vulnerability? @Jamie_Gregory

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik Replicate

QR_user — Wed, 15 Dec 2021 08:52:06 GMT

In the mean time another Log4j vulnerability is discovered: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046.
How is this going to be addressed?

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik Replicate

MarcinB — Wed, 15 Dec 2021 09:07:37 GMT

The latest from Apache that one of the previous mitigation steps (setting of JVM parameter "‐Dlog4j2.formatMsgNoLookups=True”) is now discredited. https://logging.apache.org/log4j/2.x/security.html.

Please provide update on how this affect you mitigation steps.

Thanks,

Marcin

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik Replicate

bryce_leinan — Wed, 15 Dec 2021 17:43:14 GMT

Is there an estimate as to when a patch will be released? Our Enterprise IT is asking for an update.

Also, I have been bumbling my way through the support site... where do I find the latest version of Replicate? We're on November 2020 (7.0.0.267), and I would like to get us to a newer version.

Thanks!

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik Replicate

alex_thornbury — Wed, 15 Dec 2021 23:07:59 GMT

John_wang, I can confirm your post about the leading dash character in Linux (specifically CentOS 7). In vim, that is not the hyphen character for sure.

Alex

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik Replicate

john_wang — Thu, 16 Dec 2021 06:36:04 GMT

Hello @bryce_leinan ,

You can access Qlik Download site directly Software Download | Qlik.com,

and there is final patch delivery plan:

https://community.qlik.com/t5/Support-Updates-Blog/Vulnerability-Testing-Apache-Log4j-reference-CVE-2021-44228-also/bc-p/1870084#M2036

Hope this helps.

Regards,

John.

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik Replicate

john_wang — Thu, 16 Dec 2021 06:36:41 GMT

Hello @alex_thornbury ,

thanks for your update.

Regards,

John.

Re: CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik Replicate

bryce_leinan — Thu, 16 Dec 2021 16:26:46 GMT

Thanks @john_wang - unfortunately, the only thing I see is Qlik View... this was supposed to get fixed a year ago on my account, but it never was. I'll put in another ticket.