Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements
Qlik Connect 2024! Seize endless possibilities! LEARN MORE

FAQ for Log4J Vulnerabilities

No ratings
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Katie_Davis
Digital Support
Digital Support

FAQ for Log4J Vulnerabilities

Last Update:

Feb 15, 2022 3:30:41 PM

Updated By:

Katie_Davis

Created date:

Feb 15, 2022 3:26:54 PM

Please visit our Support Updates Blog detailing Affected Product Chart and Release Solutions.

  • Where can I find more information on the log4j vulnerabilities and what they mean?

A: https://logging.apache.org/log4j/2.x/security.html

During December 2021, the Apache Log4j 2.x vulnerabilities (https://logging.apache.org/log4j/2.x/security.html) were found:

(1). CVE-2021-44228 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228): A remote code execution (RCE) vulnerability in Apache Log4j 2.x referred to as "Log4Shell". Log4j fix: 2.15.0

(2). CVE-2021-45046 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046): Under certain conditions, the library is open to DDoS attacks. Log4j fix: 2.16.0.

(3). CVE-2021-45105 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105): A
second way that allows the remote connection. Log4j fix: 2.17.0.

(4). CVE-2021-44832 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832): An Arbitrary Code Execution exploit. It is also an RCE vulnerability. Log4j fix: 2.17.1.

  • When will patches be released?

The immediate risks to the current vulnerabilities have been addressed, and further releases will become available with their regular release schedule.

  • We are running Qlik Replicate (2021.5.0.1133) and Enterprise Manager (2021.5.0.465). If we upgrade to Qlik Replicate (2021.5.0.1272) and Enterprise Manager (2021.5.0.543) would address log4j vulnerability CVE-2021-44228?

Yes. (00020378) CVE-2021-44228, CVE-2021-45046 - is fixed by 2.16.0

The above latest build of Replicate and Enterprise Manager contains log4j 2.16.0.

If necessary, users may manually upgrade to log4j 2.17.1, the detailed steps are in article:

https://community.qlik.com/t5/Knowledge/CVE-2021-45105-CVE-2021-44832-Update-to-log4j-2-17-1-for-Qli...

  • Are there any patches for Qlik Replicate and Enterprise Manager 2021.11?

Yes. Please download Replicate 2021.11 SR1 (2021.11.0.165), QEM 2021.11 SP02 (2021.11.0.198)

- or -

https://files.qlik.com/url/qr2021110165sp02     (expires 3/31/2022)

https://files.qlik.com/url/qem2021110198sp02 (expires 3/31/2022)

  • Are there any patches for Qlik Replicate and Enterprise Manager 2021.5?

Yes. Please download Replicate 2021.5 SR5 (2021.5.0.1272), QEM 2021.5 SP09 (2021.5.0.543)

- or -

https://files.qlik.com/url/qr2021501272sp09   (expires 3/31/2022)

https://files.qlik.com/url/qem202150543sp09 (expires 3/31/2022)

  • Are there any patches for Qlik Replicate and Enterprise Manager 7.0 (Nov 2020)?

Yes. Please download Replicate 7.0 SR5 (7.0.0.1221) and QEM SR5 (7.0.0.1607)

- Or - 

https://files.qlik.com/url/qr700967sp10        (expires 04/30/2022)

https://files.qlik.com/url/qem7001602sp10 (expires 04/30/2022)

  • Are there any patches for Qlik Replicate and Enterprise Manager 6.6 (Apr 2020)?

Yes. Please download Replicate 6.6 SR6 (6.6.0.904) and QEM SR3 (6.6.0.790)

- Or - 

https://files.qlik.com/url/qr660904sp14     (expires 4/30/2022)

https://files.qlik.com/url/qem660790sp12 (expires 4/30/2022)

  • Are there any patches for Qlik Replicate and Enterprise Manger 5.5/6.2/6.3/6.4/6.5?

No. These versions are no longer being supported so it will not be patched for the log4j vulnerability. Please consider upgrading to supported versions.

Take note the upgrade should be 2 steps: 6.x  6.6 > 2021.5 or 2021.11

Replicate 6.2 does not have this folder because it does not support endpoint server yet.

If you are upgrading from Replicate 5.5, please contact Qlik Support.

For more information, see the product lifecycle: https://community.qlik.com/t5/Product-Support-Lifecycle/Qlik-Replicate-Product-Lifecycle/ta-p/183720...

For mitigation steps, please see: https://community.qlik.com/t5/Knowledge/CVE-2021-44228-Handling-the-log4j-lookups-critical-vulnerabi...

  • We are running Replicate 6.3/6.4. Does Log4j vulnerabilities impact the installation?

Replicate v6.3/6.4 does not include Endpoint Server and it is no longer supported. Please consider upgrading to supported versions.

The product lifecycle: https://community.qlik.com/t5/Product-Support-Lifecycle/Qlik-Replicate-Product-Lifecycle/ta-p/183720...

or mitigation steps: https://community.qlik.com/t5/Knowledge/CVE-2021-44228-Handling-the-log4j-lookups-critical-vulnerabi...

  • Why do customers need to manually upgrade to 2.17.1?

We have reviewed a third Log4j vulnerability, CVE-2021-45105, and determined the relevant products (Replicate, Compose, QEM and GeoAnalytics) do not use the logging feature and context string defined in the CVE. Qlik considers the risks of Denial-Of-Service to be low and will address this in future regularly scheduled patch releases.

For Catalog, Qlik has published service releases for May, August, and November 2021 versions with upgraded Log4j 2.17.0 to the downloads page.

  • Do we need to manually upgrade to 2.17.1 for Replicate/Enterprise Manager?

Yes. Customers who require 2.17.1 will need to upgrade log4j manually. You can find instructions here: https://community.qlik.com/t5/Knowledge/CVE-2021-45105-CVE-2021-44832-Update-to-log4j-2-17-1-for-Qli...

Replicate:

Location to replace jar files: <installation-root>\Replicate\endpoint_srv\externals\ (Default location:C:\Program Files\Attunity\Replicate\endpoint_srv\externals)

QEM:

Location to replace jar files: <installation-root>\Enterprise Manager\java\external (Default location:C:\Program Files\Attunity\Enterprise Manager\java\external)

Qlik Compose:

Location to replace jar files: <installation-root>\Compose\java\external (Default location: C:\Program Files\Qlik\Compose\java\external)

Qlik Compose for Data Lakes:

Location to replace jar files: <installation-root>\Compose for Data Lakes\java\external (Default location: C:\Program Files\Attunity\Compose for Data Lakes\java\external)

Qlik Compose for Data warehouses:

Location to replace jar files: <installation-root>\Compose for Data warehouses\java\external (Default location: C:\Program Files\Attunity\Compose for Data Warehouses\java\external)

  • Do we need to manually upgrade to 2.17.1 for Compose?

Yes. Customers who require 2.17.1 will need to upgrade log4j manually. You can find instructions here: https://community.qlik.com/t5/Knowledge/CVE-2021-45105-CVE-2021-44832-Update-to-log4j-2-17-1-for-Qli...

Replicate:

Location to replace jar files: <installation-root>\Replicate\endpoint_srv\externals\ (Default location:C:\Program Files\Attunity\Replicate\endpoint_srv\externals)

QEM:

Location to replace jar files: <installation-root>\Enterprise Manager\java\external (Default location:C:\Program Files\Attunity\Enterprise Manager\java\external)

Qlik Compose:

Location to replace jar files: <installation-root>\Compose\java\external (Default location: C:\Program Files\Qlik\Compose\java\external)

Qlik Compose for Data Lakes:

Location to replace jar files: <installation-root>\Compose for Data Lakes\java\external (Default location: C:\Program Files\Attunity\Compose for Data Lakes\java\external)

Qlik Compose for Data warehouses:

Location to replace jar files: <installation-root>\Compose for Data warehouses\java\external (Default location: C:\Program Files\Attunity\Compose for Data Warehouses\java\external)

  • We followed the mitigation steps from the Qlik file and renamed the file name from "Log4j-core-2.14.1.jar" to "log4j-core-nolookup-2.14.1.jar". When upgrading to the latest build, do we need to rename the mentioned jar file name, or can we perform upgrade installation as-is?

Yes.

The best approach is renaming the jar files (log4j-core-nolookup-2.14.1.jar) to their original file name (log4j-core-2.14.1.jar) before upgrade or remove the files out of Replicate installation folder.

This is because Replicate installation program will try to remove the old jar files. If it cannot find it, a warning reported:

warning: file /opt/attunity/replicate/endpoint_srv/externals/log4j-core-2.14.1.jar: remove failed: No such file or directory

In this case, the installation program cannot remove the useless jar file, the unnecessary jar file left in the folder, there are 2 versions log4j-core jar files after the upgrade is done. Please remove the "log4j-core-nolookup-2.14.1.jar" manually and restart the services.

  • Which GeoAnalytics versions will be upgraded to 2.17?

The November 2021 release can be upgraded using the patch available on the downloads site.

Qlik recommends that customers on previous versions upgrade to the November 2021 release.

https://da3hntz84uekx.cloudfront.net/GeoAnalytics/4.32.4/31260/GeoAnalyticsServerReleaseNotes-Novemb...

  • What’s the mitigation steps for Visibility?

Qlik is providing these mitigation steps as a temporary measure. Detailed steps see:

https://community.qlik.com/t5/Knowledge/CVE-2021-44832-Handling-the-log4shell-vulnerability-for/ta-p...

Labels (1)
Labels:
5,922 Views
Was this article helpful? Yes No
Rate this article:
Comments
Vikki
Contributor II
Contributor II
‎2022-05-12 03:47 PM

Is Log4j v2.3.2 the only version compatible with Visibility for this vulnerability. Under the general section on info about CVE02021-4428 noted below, it recommends at least v2.15.0. Is there a 2.15.0 version that can be downloaded and tested for Visibility?

(1). CVE-2021-44228 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228): A remote code execution (RCE) vulnerability in Apache Log4j 2.x referred to as "Log4Shell". Log4j fix: 2.15.0

Please advise.

Regards,

Vikki turner

vikki.turner@pnc.com

0 Likes
Contributors
Version history
Last update:
‎2022-02-15 03:30 PM
Updated by:
Digital Support