Qlik Community

Knowledge

Search or browse our knowledge base to find answers to your questions ranging from account questions to troubleshooting error messages. The content is curated and updated by our global Support team

Announcements
QlikWorld 2022, LIVE in Denver CO., May 16-19, 2022. REGISTER NOW TO RECEIVE EARLY BIRD PRICING

CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik GeoAnalytics

cancel
Showing results for 
Search instead for 
Did you mean: 
Sebastian_Linser

CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik GeoAnalytics

Qlik GeoAnalytics Server and the Qlik GeoAnalytics Connector in combination with GeoAnalytics Plus are both affected by the log4j vulnerability.

Patches are available. See Vulnerability Testing - Apache Log4j, reference CVE-2021-44228 (also referred to as Log4Shell)  for your release of Qlik GeoAnalytics and the relevant patch.

Upgrade at the earliest.

 

Mitigation steps are provided below should not upgrade be possible at this time. 

The Standard GeoAnalytics Connector without GeoAnalytics Plus is not affected by it, it does not use Java.

 

Environment:

 

 

Resolution for GeoAnalytics Server:

 

  1. Start the Configure Service application from the start menu.

    Sebastian_Linser_1-1639404259009.png

  2. Set the Java options ‐Dlog4j2.formatMsgNoLookups=true inside the Service Properties under the Java tab.

    Sebastian_Linser_0-1639404031447.png
  3. Restart all GeoAnalytics Services.

 

Resolution for GeoAnalytics Plus Connector:

 

  1. Open C:\Program Files\Common Files\Qlik\Custom Data\QvIdevioConnector\IdevioGeoAnalyticsConnector.exe.config

  2. Locate the following line (located in appSettings)

    <add key="javaArgs" value=""/>
  3. Change the line to:

    <add key="javaArgs" value="-Dlog4j2.formatMsgNoLookups=true"/>

 

This applies only to GeoAnalytics Plus Connector Version May 2021 and higher.

 

Versions prior to February 2020 uses Log4j v1, which is not vulnerable to this exploit. To prevent any other possible vulnerabilities, we recommend upgrading to a newer version (higher than May 2021) of GeoAnalytics Plus and then applying the mitigation.

Alternatively, you can manually replace the Log4j library files with newer versions:

  1. Download the binaries of the latest release of Log4j2 (2.16 as of this  moment):  https://logging.apache.org/log4j/2.x/download.html 
  2. Extract the files 
  3. Go to C:\Program Files\Common Files\Qlik\Custom Data\QvIdevioConnector\lib
  4. For all JAR files starting with "lib4j-"
    1. Copy the corresponding 2.16 JAR file to the lib folder
    2. Delete the old version of that JAR

 

For more information on the Log4j vulnerability, please visit the Support Updates Blog post.

 

As a short update we released:

  • GeoAnalytics Server - 4.32.4 - (November 2021 SR2)
  • GeoAnalytics Server - 4.32.3 - (November 2021 SR1)
  • GeoAnalytics Server - 4.19.1 - 4.27.3(February 2020 SR1 - May 2021 SR1)

 

  • GeoAnalytics Plus - 5.31.2 ( November 2021 SR2)
  • GeoAnalytics Plus - 5.31.1 ( November 2021 SR1)
  • GeoAnalytics Plus - 5.29.4-5.30.1 (May 2021 SR2 - August 2021 SR1)
  • GeoAnalytics Plus - 5.27.5-5.28.2 (November 2020 SR1-February 2021 SR1)
  • GeoAnalytics Plus - 5.26.5 (September 2020 SR2)
Comments
hermandup_anz
Contributor II
Contributor II

Does either or both of these fixes require outage at any point, i.e. service restarts?

aadil_madarveet
Partner
Partner

We are running Geo Analytics Server November 2018. 

Does this change apply. Any info on whats supported and whats not?

Thanks,

Aadil

JohannaR
Contributor II
Contributor II

Can we still expect a patch?

ker
Employee
Employee

@hermandup_anz:
The GA Server fix requires a restart of its service in order to apply.
The GA Plus fix similarly requires a restart if it is running. It will keep running in the background for a while after being used so you can open the process explorer and look for a matching Java process and kill that.

@aadil_madarveet:
GA Server Nov 2018 doesn't use Log4j 2 (we switched to ), it is using Log4j 1 so it is not vulnerable to this specific bug.
It is however quite outdated and might have other vulnerabilities in its dependencies so I would really recommend updating anyway.

@JohannaR:
We will focus on getting patches out for the latest versions first, and then go backwards (mainly since the earlier versions will need a bunch of build related changes backported which will require some work).
The first patches should be out by tomorrow at least.

jfkinspari
Partner
Partner

@ker 

Do you know from which version of GeoAnalytics the switch to Log4j 2 was made?

ker
Employee
Employee

@jfkinspariwe switched to Log4j2 in the February 2020 release of both GeoAnalytics Server and GeoAnalytics Plus.
I see that I forgot to add that to the post above.

janyf
Partner
Partner

Hello 

If there is no 

<add key="javaArgs" value=""/>

line in config file , it need to be added ? If yes to which section ? 

Sebastian_Linser

@janyf which version are you using? it would come in the appsettings section between <appsettings> and </appsettings>

 

ker
Employee
Employee

@janyf:
The option only works on GeoAnalytics Plus from the May 2021 version and onwards. I will ask the support team to update the page.

The recommended solution would be to upgrade to a newer version of GeoAnalytics Plus and then apply the mitigation.
You could also manually replace the Log4j library files with newer versions:

  1. Download the binaries of the latest release of Log4j2 (2.16 as of this  moment):  https://logging.apache.org/log4j/2.x/download.html and extract somewhere
  2. Go to C:\Program Files\Common Files\Qlik\Custom Data\QvIdevioConnector\lib
  3. For all JAR files starting with "lib4j-"
    1. Copy the corresponding 2.16 JAR file to the lib folder
    2. Delete the old version of that JAR
janyf
Partner
Partner

@ker it is slightly confusing 

This is library 

janyf_0-1639483176129.png

but this is version when i run the connector : 

janyf_1-1639483224396.png

so it is possible we are not affected somehow (as there is still old lib) 

brgds 

Version history
Last update:
Wednesday
Updated by: