
CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik Replicate

Jamie_Gregory
Community Manager


Last Update:

Jan 25, 2022 7:47:50 AM

Updated By:

Sonja_Bauernfeind

Created date:

Dec 13, 2021 3:25:57 PM

Attachments

Qlik is providing these mitigation steps as a temporary measure. A patch will be provided and linked here; customers are advised to move to the patch as soon as it is available.

Patches are available. See Vulnerability Testing - Apache Log4j, reference CVE-2021-44228 (also referred to as Log4Shell) for your release and the relevant patch.

Upgrade at the earliest.

Environment:

Mitigation steps for the Replicate log4j vulnerability:

Mitigation - Endpoint Server - Windows

  1. Edit the file <installation-root>\Replicate\endpoint_srv\bin\rependctl.bat (<installation-root> typically refers to C:\Program Files\Attunity)

  2. Add the string -Dlog4j2.formatMsgNoLookups=true to the java launch command on the last line of the script, at the location marked "Fix Here" below:

    @echo off
    REM attunity endpoints server configuration/run script

    FOR %%A IN ("%~dp0..") DO SET AT_PROD=%%~fA

    REM list plugins here
    SET AT_PLUGIN_LIST=-plugins rependsrv

    REM set data directory based on the name of this script
    SET AT_DATA_SUFFIX=
    FOR /F "tokens=2 delims=_" %%A IN ("%~n0") DO SET AT_DATA_SUFFIX=%%A

    IF "%AT_DATA_SUFFIX%" == "" (
        SET AT_DATA=
    ) ELSE (
        SET AT_DATA=-d data_%AT_DATA_SUFFIX%
    )

    IF EXIST "%AT_PROD%\jvm" (
        SET AT_JAVA=%AT_PROD%\jvm\bin\java.exe
    ) ELSE IF EXIST "%AT_PROD%\..\jvm" (
        SET AT_JAVA=%AT_PROD%\..\jvm\bin\java.exe
    ) ELSE IF "%JAVA_HOME%" == "" (
        ECHO ERROR: JAVA Cannot be found
        EXIT /b -1
    ) ELSE (
        SET AT_JAVA=%JAVA_HOME%\bin\java.exe
    )

    SET AT_EXTERNAL=%AT_PROD%\externals
    SET AT_LIB=%AT_PROD%\lib
    SET AT_MAIN=com.attunity.infrastructure.server.PluginServer

    REM                                         <--------------- Fix Here -->
    "%AT_JAVA%" -XX:+UseG1GC -Dlog4j2.formatMsgNoLookups=true -Dfile.encoding=UTF-8 %AT_JVM_OPT% -cp "%AT_EXTERNAL%"/*;"%AT_LIB%"/* %AT_MAIN% %AT_DATA% %AT_PLUGIN_LIST% %*
  3. Save the file.
  4. Locate the vulnerable log4j-core-<version#>.jar file and rename/move it to ..\log4j-core-<version#>.jar-vulnerable.
    $ cd <installation-root>\Replicate\endpoint_srv\externals\

    $ ren log4j-core-<version#>.jar ..\log4j-core-<version#>.jar-vulnerable
  5. Download the non-vulnerable jar named log4j-core-nolookup-<version#>.jar from this page and place it in the same location as the vulnerable jar.
  6. Restart the Replicate Windows service with the command:

    $ sc stop AttunityReplicateServer

    $ sc start AttunityReplicateServer

Note that if you have customized Replicate start scripts or if you are running multiple instances of Replicate on the same machine, you will have to repeat this process for the different environments and perform the equivalent edit on your modified start scripts.

Mitigation - Endpoint Server - Linux

  1. Edit the file <installation-root>/replicate/endpoint_srv/bin/rependctl.sh (<installation-root> typically refers to /opt/attunity)
  2. Add the string -Dlog4j2.formatMsgNoLookups=true to the java launch command on the last line of the script, at the location marked "Fix Here" below:

    #!/bin/bash

    # attunity endpoints server configuration/run script

    DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"

    AT_PROD="${DIR}/.."

    AT_PLUGIN_LIST="rependsrv"

    if [ -d "${AT_PROD}/jvm" ]; then
        AT_JAVA="${AT_PROD}/jvm/bin/java"
    elif [ -d "${AT_PROD}/../jvm" ]; then
        AT_JAVA="${AT_PROD}/../jvm/bin/java"
    elif [ -z "$JAVA_HOME" ]; then
        echo "ERROR: JAVA Cannot be found"
        exit -1
    else
        AT_JAVA="${JAVA_HOME}/bin/java"
    fi

    AT_EXTERNAL="${AT_PROD}/externals"
    AT_LIB="${AT_PROD}/lib"
    AT_MAIN="com.attunity.infrastructure.server.PluginServer"

    if [ -z "$AT_DATA" ]; then
        AT_DATA="${AT_PROD}/data"
    fi

    AT_CP="${AT_EXTERNAL}/*:${AT_LIB}/*"

    #                         <----------- Fix Here --------->
    "${AT_JAVA}" -XX:+UseG1GC -Dlog4j2.formatMsgNoLookups=true -Dfile.encoding=UTF-8 ${AT_JVM_OPT} -cp "${AT_CP}" "${AT_MAIN}" -d "${AT_DATA}" -plugins "${AT_PLUGIN_LIST}" "${@:1}"

  3. Save the file.
  4. Locate the vulnerable log4j-core-<version#>.jar file and rename/move it to ../log4j-core-<version#>.jar-vulnerable.
    $ cd <installation-root>/replicate/endpoint_srv/externals

    $ mv log4j-core-<version#>.jar ../log4j-core-<version#>.jar-vulnerable
  5. Download the non-vulnerable jar named log4j-core-nolookup-<version#>.jar from this page and place it in the same location as the vulnerable jar.
  6. Restart the Replicate service with the command:

    # service areplicate restart

Note that if you have customized Replicate start scripts or if you are running multiple instances of Replicate on the same machine, you will have to repeat this process for the different environments and perform the equivalent edit on your modified start scripts.

Mitigation - Client Samples in Java

The client samples are intended for demonstration. If they were used to build an application, make sure the application uses the latest version of the log4j component (v2.15) or, alternatively, apply a mitigation similar to the ones listed above by adding the system property.

For more information on the Log4j vulnerability, please visit the Support Updates Blog post.

Comments
john_wang
Support

Hello @KattiyaFD ,

Thanks for your update. Feel free to let us know if you need help.

Regards,

John.

liuhengjun
Contributor

For the Qlik Replicate 7.0 permanent fix in build 7.0.0.1221 (SR05), do we need to revoke the change in the configuration file for this parameter? We plan to manually start the Qlik Replicate service after we upgrade the current version, e.g. 7.0.0.0 (initial version):

-Dlog4j2.formatMsgNoLookups=true

Thanks

Hengjun

john_wang
Support

Hello @liuhengjun ,

Reg:

For the Qlik Replicate 7.0 permanent fix in build 7.0.0.1221 (SR05), do we need to revoke the change in the configuration file for this parameter? We plan to manually start the Qlik Replicate service after we upgrade the current version, e.g. 7.0.0.0 (initial version):

-Dlog4j2.formatMsgNoLookups=true

I'm assuming you did the mitigation steps, which include:

1- Edited the file "rependctl.bat" or "rependctl.sh"

2- Renamed the jar file to "log4j-core-nolookup-<version#>.jar"

During the 7.0 SR5 upgrade installation, the file in step 1 above will be replaced. You need not care about it.

However, the jar file "log4j-core-nolookup-<version#>.jar" will not be deleted by the installation program (it cannot be found) unless you rename it back to its original name "log4j-core-<version#>.jar" BEFORE the upgrade installation.

I'm not sure what you did in step 2 above, so after the upgrade installation is done, please confirm that only "log4j-core-2.16.0.jar" and "log4j-api-2.16.0.jar" exist under the externals folder. If there are other versions of the "log4j-core" or "log4j-api" jars, please delete them and RESTART the Replicate services.

Let me know if you need any additional assistance.

Regards,

John.

venkata-phanindra
Contributor II

Hi,

We are using Qlik Replicate version 7.0.0.652 and we have done the mitigation steps provided here for handling the log4j lookups critical vulnerability a long time back, and we are waiting for the patch release from Qlik as they mentioned in this post.

Can someone please confirm whether any patch has been released for Qlik, and also whether it is really necessary to install the patch even after doing the mitigation steps? If yes, can you route me.

Thanks. 

john_wang
Support

Hello @venkata-phanindra ,

Regarding your doubt:

We are using Qlik Replicate version 7.0.0.652 and we have done the mitigation steps provided here for handling the log4j lookups critical vulnerability a long time back, and we are waiting for the patch release from Qlik as they mentioned in this post.

Can someone please confirm whether any patch has been released for Qlik, and also whether it is really necessary to install the patch even after doing the mitigation steps? If yes, can you route me.


1. You may update Qlik Replicate 7.0.0.652 to the latest build 7.0.0.1221 (SR5). The download link and the relevant description of the patch can be found on the page Vulnerability Testing - Apache Log4j.

2. Before you perform the upgrade, please rename the jar files (log4j-core-nolookup-2.14.1.jar/log4j-api-nolookup-2.14.1.jar) back to their original file names (log4j-core-2.14.1.jar/log4j-api-2.14.1.jar).

3. Perform the upgrade installation of Qlik Replicate.

4. Replicate 7.0.0.1221 contains the Apache log4j fix 2.16.0. You may manually upgrade log4j 2.16.0 to 2.17.1 if needed. The steps can be found on the page Update to log4j 2.17.1 for Qlik Replicate.

Hope this helps.

Regards,

John.
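The mitigation steps in the article above (the JVM flag in rependctl.sh plus the nolookup jar in externals) and the post-upgrade check in the answer above (only one version of log4j-core and log4j-api left in the externals folder) can both be audited with one script. The following is an added example, not Qlik's own tooling and not from this page: a POSIX shell audit that assumes the Linux layout <installation-root>/endpoint_srv/{bin/rependctl.sh,externals/} shown in the article, builds a constructed sample tree of empty placeholder files standing in for jars so it runs offline, and uses the jar audit rather than the flag alone as the pass/fail criterion, because the article's procedure requires both steps. The function names, the minimum-version argument and the four sample states are assumptions of the example; the version numbers (2.14.1, 2.16.0, 2.17.1) are the ones discussed on this page.

```shell
#!/bin/sh
# Added example (not Qlik's code): audit a Replicate install tree for the log4j
# state described on this page. Assumed layout (from the Linux section):
#   <root>/endpoint_srv/bin/rependctl.sh   JVM launch line lives here
#   <root>/endpoint_srv/externals/         log4j-core-*.jar / log4j-api-*.jar
# Pass/fail follows the jar audit; the start-script flag is reported only,
# because the page's mitigation needs both the flag and the nolookup jar.

# check_start_script <script>: 0 when the JVM line carries the mitigation flag
check_start_script() {
    grep -q -- '-Dlog4j2.formatMsgNoLookups=true' "$1" 2>/dev/null
}

# version_ge <a> <b>: 0 when dotted version a >= b, compared numerically per
# component (plain string comparison would misorder e.g. 2.9.x and 2.16.x)
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$2" ]
}

# jar_info <path>: prints "artifact version tag" for one log4j jar file name,
# e.g. log4j-core-nolookup-2.14.1.jar -> "log4j-core 2.14.1 nolookup"
jar_info() {
    base=$(basename "$1" .jar)
    case "$base" in
        *-nolookup-*) printf '%s %s nolookup\n' "${base%%-nolookup-*}" "${base##*-nolookup-}" ;;
        *)            printf '%s %s plain\n'    "${base%-*}"           "${base##*-}" ;;
    esac
}

# audit_externals <dir> <min-version>: 0 when no plain log4j-core jar is older
# than <min-version> and no artifact appears twice on the wildcard classpath
audit_externals() {
    ext_dir=$1; min_ver=$2; bad=0; seen=" "
    for jar in "$ext_dir"/log4j-core-*.jar "$ext_dir"/log4j-api-*.jar; do
        [ -e "$jar" ] || continue
        set -- $(jar_info "$jar")       # art ver tag; positionals are function-local
        art=$1; ver=$2; tag=$3
        case "$seen" in
            *" $art "*) echo "FAIL duplicate $art on classpath: $jar"; bad=1 ;;
        esac
        seen="$seen$art "
        if [ "$art" = log4j-core ] && [ "$tag" = plain ] && ! version_ge "$ver" "$min_ver"; then
            echo "FAIL $jar is below $min_ver and not a nolookup build"; bad=1
        else
            echo "OK   $jar ($tag $ver)"
        fi
    done
    return $bad
}

# audit_replicate_root <root> <min-version>: reports the flag, returns the jar audit
audit_replicate_root() {
    inst_root=$1
    if check_start_script "$inst_root/endpoint_srv/bin/rependctl.sh"; then
        echo "INFO rependctl.sh sets -Dlog4j2.formatMsgNoLookups=true"
    else
        echo "INFO rependctl.sh does not set -Dlog4j2.formatMsgNoLookups=true"
    fi
    audit_externals "$inst_root/endpoint_srv/externals" "$2"
}

# make_sample_tree <state>: constructed install tree (empty files stand in for
# jars) under a temp dir; prints its path. States mirror the page:
#   vulnerable  stock 2.14.1 jars, no flag
#   mitigated   flag set, log4j-core-nolookup-2.14.1.jar, original moved to ..
#   upgraded    SR5 state: 2.16.0 jars, start script replaced (no flag)
#   leftover    upgraded, but the nolookup jar was never removed
make_sample_tree() {
    tree=$(mktemp -d)
    bin_dir="$tree/endpoint_srv/bin"; ext="$tree/endpoint_srv/externals"
    mkdir -p "$bin_dir" "$ext"
    launch='"${AT_JAVA}" -XX:+UseG1GC -Dfile.encoding=UTF-8 ${AT_JVM_OPT} -cp "${AT_CP}" "${AT_MAIN}"'
    fixed='"${AT_JAVA}" -XX:+UseG1GC -Dlog4j2.formatMsgNoLookups=true -Dfile.encoding=UTF-8 ${AT_JVM_OPT} -cp "${AT_CP}" "${AT_MAIN}"'
    case "$1" in
        vulnerable) printf '%s\n' "$launch" > "$bin_dir/rependctl.sh"
                    : > "$ext/log4j-core-2.14.1.jar"; : > "$ext/log4j-api-2.14.1.jar" ;;
        mitigated)  printf '%s\n' "$fixed" > "$bin_dir/rependctl.sh"
                    : > "$ext/log4j-core-nolookup-2.14.1.jar"; : > "$ext/log4j-api-2.14.1.jar"
                    : > "$tree/endpoint_srv/log4j-core-2.14.1.jar-vulnerable" ;;
        upgraded)   printf '%s\n' "$launch" > "$bin_dir/rependctl.sh"
                    : > "$ext/log4j-core-2.16.0.jar"; : > "$ext/log4j-api-2.16.0.jar" ;;
        leftover)   printf '%s\n' "$launch" > "$bin_dir/rependctl.sh"
                    : > "$ext/log4j-core-2.16.0.jar"; : > "$ext/log4j-api-2.16.0.jar"
                    : > "$ext/log4j-core-nolookup-2.14.1.jar" ;;
    esac
    echo "$tree"
}

# Usage: sh audit_log4j.sh <installation-root> [min-version]   (default 2.16.0)
# With no arguments it audits the constructed "mitigated" sample tree.
if [ $# -gt 0 ]; then
    audit_replicate_root "$1" "${2:-2.16.0}"
else
    audit_replicate_root "$(make_sample_tree mitigated)" 2.16.0
fi
```

Run it against a real install as `sh audit_log4j.sh /opt/attunity/replicate 2.16.0` (pass 2.17.1 after the manual upgrade John describes). Two points behind the checks: renaming the old jar to `.jar-vulnerable` works because the JVM expands the `externals/*` classpath wildcard only to files whose name ends in `.jar`, so a renamed copy is never loaded; and the duplicate check exists because the order in which a wildcard classpath is expanded is unspecified, so two versions of log4j-core side by side leave it to the JVM which one actually provides the classes.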
