Qlik Community

Knowledge

Search or browse our knowledge base to find answers to your questions ranging from account questions to troubleshooting error messages. The content is curated and updated by our global Support team

CVE_2021_44228 - Handling the LOG4J Lookups Critical Vulnerability for Qlik Catalog

cancel
Showing results for 
Search instead for 
Did you mean: 
Katie_Davis
Digital Support
Digital Support

CVE_2021_44228 - Handling the LOG4J Lookups Critical Vulnerability for Qlik Catalog

The following two configuration changes may be used to disable the expression evaluation feature of log4j2, and can immediately be applied to single-node Catalog May 2021 through Nov 2021, or any version of multi-node Catalog where log4j2 is on the cluster vendor's Hadoop classpath:

Patches are available. See Vulnerability Testing - Apache Log4j, reference CVE-2021-44228 (also referred to as Log4Shell)  for your release and the relevant patch.

Upgrade at the earliest.

 

Environment

  • #QlikCatalog

 

Resolution for Qlik Catalog (May 2021-Nov. 2021)

 

Before proceeding, check the first page of Catalog 4.x fix with Log4j 2.17.0. It's highly recommended to apply the fix. However, if you're not ready for the upgrade and you wish to mitigate the vulnerabilities manually, then proceed with the steps below.

 

(1) add line to end of bin/setenv.sh:

export JAVA_OPTS="$JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true"

Can't find the file? 

The sample location of the file "setenv.sh":

Sonja_Bauernfeind_0-1640774568138.png

 

(2) find and edit property in core_env.properties:

# Pipe (|) delimited list of additional arguments to be passed to the Java runtime. Default: none

external.job.runner.extra.java.arguments=-Dlog4j2.formatMsgNoLookups=true

Can't find the file?

The sample location of the file "core_env.properites":

Sonja_Bauernfeind_1-1640774568287.png

 

(3) Restart Tomcat.

 

https://www.lunasec.io/docs/blog/log4j-zero-day-mitigation-guide/

 

For more information on the Log4j vulnerability, please visit the Support Updates Blog post.

Comments
john_wang
Support
Support

Hello @Katie_Davis , @Sonja_Bauernfeind ,

I'd like to add some extra information.

First of all, please check the first page of Catalog 4.x fix with Log4j 2.17.0. It's highly recommended to apply the fix. However if you're not ready for the upgrade and you wish to mitigate the vulnerabilities manually , then the location of the files are (depends on the tomcat version number):

1. the sample location of the file "setenv.sh" :

john_wang_0-1640665452068.png

 

2. the sample location of the file "core_env.properites":

john_wang_1-1640665509930.png

Hope this helps.

Regards,

John.

Version history
Last update:
‎2022-01-25 07:49 AM
Updated by: