Jan 25, 2022 7:47:50 AM
Dec 13, 2021 3:25:57 PM
Qlik is providing these mitigation steps as a temporary measure. A patch will be provided and linked here; customers are advised to move to the patch as soon as it is available.
Patches are available. See Vulnerability Testing - Apache Log4j, reference CVE-2021-44228 (also referred to as Log4Shell) for your release and the relevant patch.
Upgrade at the earliest.
@echo off
REM attunity endpoints server configuration/run script
FOR %%A IN ("%~dp0..") DO SET AT_PROD=%%~fA
REM list plugins here
SET AT_PLUGIN_LIST=-plugins rependsrv
REM set data directory based on the name of this script
SET AT_DATA_SUFFIX=
FOR /F "tokens=2 delims=_" %%A IN ("%~n0") DO SET AT_DATA_SUFFIX=%%A
IF "%AT_DATA_SUFFIX%" == "" (
SET AT_DATA=
) ELSE (
SET AT_DATA=-d data_%AT_DATA_SUFFIX%
)
IF EXIST "%AT_PROD%\jvm" (
SET AT_JAVA=%AT_PROD%\jvm\bin\java.exe
) ELSE IF EXIST "%AT_PROD%\..\jvm" (
SET AT_JAVA=%AT_PROD%\..\jvm\bin\java.exe
) ELSE IF "%JAVA_HOME%" == "" (
ECHO ERROR: JAVA Cannot be found
EXIT /b -1
) ELSE (
SET AT_JAVA=%JAVA_HOME%\bin\java.exe
)
SET AT_EXTERNAL=%AT_PROD%\externals
SET AT_LIB=%AT_PROD%\lib
SET AT_MAIN=com.attunity.infrastructure.server.PluginServer
REM <--------------- Fix Here --------------->
"%AT_JAVA%" -XX:+UseG1GC -Dlog4j2.formatMsgNoLookups=true -Dfile.encoding=UTF-8 %AT_JVM_OPT% -cp "%AT_EXTERNAL%"/*;"%AT_LIB%"/* %AT_MAIN% %AT_DATA% %AT_PLUGIN_LIST% %*
$ cd <installation-root>\Replicate\endpoint_srv\externals\
$ ren log4j-core-<version#>.jar ..\log4j-core-<version#>.jar-vulnerable
Download log4j-core-nolookup-<version#>.jar from this page and place it in the same location as the vulnerable jar.
$ sc stop AttunityReplicateServer
$ sc start AttunityReplicateServer
Note that if you have customized Replicate start scripts or if you are running multiple instances of Replicate on the same machine, you will have to repeat this process for the different environments and perform the equivalent edit on your modified start scripts.
#!/bin/bash
# attunity endpoints server configuration/run script
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
AT_PROD="${DIR}/.."
AT_PLUGIN_LIST="rependsrv"
if [ -d "${AT_PROD}/jvm" ]; then
AT_JAVA="${AT_PROD}/jvm/bin/java"
elif [ -d "${AT_PROD}/../jvm" ]; then
AT_JAVA="${AT_PROD}/../jvm/bin/java"
elif [ -z "$JAVA_HOME" ]; then
echo "ERROR: JAVA Cannot be found"
exit -1
else
AT_JAVA="${JAVA_HOME}/bin/java"
fi
AT_EXTERNAL="${AT_PROD}/externals"
AT_LIB="${AT_PROD}/lib"
AT_MAIN="com.attunity.infrastructure.server.PluginServer"
if [ -z "$AT_DATA" ]; then
AT_DATA="${AT_PROD}/data"
fi
AT_CP="${AT_EXTERNAL}/*:${AT_LIB}/*"
# <----------- Fix Here --------->
"${AT_JAVA}" -XX:+UseG1GC -Dlog4j2.formatMsgNoLookups=true -Dfile.encoding=UTF-8 ${AT_JVM_OPT} -cp "${AT_CP}" "${AT_MAIN}" -d "${AT_DATA}" -plugins "${AT_PLUGIN_LIST}" "${@:1}"
$ cd <installation-root>/replicate/endpoint_srv/externals
$ mv log4j-core-<version#>.jar ../log4j-core-<version#>.jar-vulnerable
Download log4j-core-nolookup-<version#>.jar from this page and place it in the same location as the vulnerable jar.
# service areplicate restart
Note that if you have customized Replicate start scripts or if you are running multiple instances of Replicate on the same machine, you will have to repeat this process for the different environments and perform the equivalent edit on your modified start scripts.
The client samples are intended for demonstration only. If they were used to build an application, make sure the application uses the latest version of the log4j component (v2.15) or, alternatively, apply a mitigation similar to the ones listed above by adding the system property.
For more information on the Log4j vulnerability, please visit the Support Updates Blog post.
Hello @KattiyaFD ,
Thanks for your update. Feel free to let us know if you need help.
Regards,
John.
For the Qlik Replicate 7.0 permanent fix in build 7.0.0.1221 (SR05), do we need to revoke the change in the configuration file for this parameter? We plan to manually start the Qlik Replicate service after we upgrade the current version, e.g. 7.0.0.0 (initial version):
-Dlog4j2.formatMsgNoLookups=true
Thanks
Hengjun
Hello @liuhengjun ,
Regarding:
For the Qlik Replicate 7.0 permanent fix in build 7.0.0.1221 (SR05), do we need to revoke the change in the configuration file for this parameter? We plan to manually start the Qlik Replicate service after we upgrade the current version, e.g. 7.0.0.0 (initial version):
-Dlog4j2.formatMsgNoLookups=true
I'm assuming you did the mitigation steps, which include:
1- Edited the file "rependctl.bat" or "rependctl.sh"
2- Renamed the jar file to "log4j-core-nolookup-<version#>.jar"
During the 7.0 SR5 upgrade installation, the file in step (1) above will be replaced. You need not do anything about it.
However, the jar file "log4j-core-nolookup-<version#>.jar" will not be deleted by the installation program (it cannot be found) unless you rename it back to its original name "log4j-core-<version#>.jar" BEFORE installing the upgrade.
I'm not sure what you did in step 2 above, so after the upgrade installation is done, please confirm that only "log4j-core-2.16.0.jar" and "log4j-api-2.16.0.jar" exist under the externals folder. If there are other versions of the "log4j-core" or "log4j-api" jars, please delete them and RESTART the Replicate services.
Let me know if you need any additional assistance.
Regards,
John.
Hi,
We are using Qlik Replicate version 7.0.0.652. We did the mitigation steps provided here for handling the log4j lookups critical vulnerability a long time ago and have been waiting for the patch release from Qlik, as mentioned in this post.
Can someone please confirm whether a patch has been released for Qlik, and also whether it is really necessary to install the patch even after doing the mitigation steps? If yes, can you route me to it?
Thanks.
Hello @venkata-phanindra ,
Regarding your doubt:
We are using Qlik Replicate version 7.0.0.652. We did the mitigation steps provided here for handling the log4j lookups critical vulnerability a long time ago and have been waiting for the patch release from Qlik, as mentioned in this post.
Can someone please confirm whether a patch has been released for Qlik, and also whether it is really necessary to install the patch even after doing the mitigation steps? If yes, can you route me to it?
1. You may update Qlik Replicate 7.0.0.652 to the latest build 7.0.0.1221 (SR5). The download link and the relevant description of the patch can be found on the page Vulnerability Testing - Apache Log4j.
2. Before you perform the upgrade, please rename the jar files (log4j-core-nolookup-2.14.1.jar/log4j-api-nolookup-2.14.1.jar) back to their original file names (log4j-core-2.14.1.jar/log4j-api-2.14.1.jar).
3. Perform the upgrade installation of Qlik Replicate.
4. Replicate 7.0.0.1221 contains the Apache log4j fix 2.16.0. You may manually upgrade log4j 2.16.0 to 2.17.1 if needed. The steps can be found on the page Update to log4j 2.17.1 for Qlik Replicate.
Hope this helps.
Regards,
John.
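A check for the state the two answers above ask you to confirm after the interim mitigation in the article or after the SR5 upgrade (only the expected log4j-core and log4j-api jars under externals, no nolookup or renamed copies left behind, and whether the start script still carries the JVM flag). This is an added bash example written for this thread, not Qlik's own tooling; it assumes the Linux layout from the article (the externals directory and rependctl.sh) and that you pass in the version the upgrade should leave, 2.16.0 after SR5.

```shell
#!/usr/bin/env bash
# Added example, not Qlik's own tooling: audit the endpoint server's log4j state after the
# interim mitigation above or after the SR5 upgrade. Assumed from the thread: the externals
# directory holds log4j-core-<v>.jar and log4j-api-<v>.jar and the start script is rependctl.sh.
# Usage: audit_log4j <externals-dir> <expected-version> <start-script>

# Returns 0 if the start script's java line carries the interim JVM flag from the article.
has_nolookups_flag() {
  grep -q -- '-Dlog4j2.formatMsgNoLookups=true' "$1"
}

# Prints one "<state> <file>" line per log4j-core/api artifact in the directory:
#   ok        log4j-core/api-<expected>.jar, what the upgrade should leave behind
#   stale     any other log4j-core/api-<version>.jar still on the classpath
#   nolookup  the interim replacement jar, which the installer does not remove
#   leftover  a *.jar-vulnerable copy from the rename step that stayed in this directory
classify_log4j_jars() {
  local dir="$1" expected="$2" f base
  for f in "$dir"/log4j-core-* "$dir"/log4j-api-*; do
    [ -e "$f" ] || continue          # an unmatched glob yields the pattern itself
    base=$(basename "$f")
    case "$base" in
      *.jar-vulnerable)                                      echo "leftover $base" ;;
      log4j-*-nolookup-*.jar)                                echo "nolookup $base" ;;
      log4j-core-"$expected".jar|log4j-api-"$expected".jar)  echo "ok $base" ;;
      log4j-*.jar)                                           echo "stale $base" ;;
      *)                                                     echo "other $base" ;;
    esac
  done
}

# Returns 0 only when exactly the two expected jars exist and nothing else log4j-related
# remains; otherwise prints each finding and returns 1. The flag line is informational:
# redundant after the upgrade, but before it its absence means the mitigation is incomplete.
audit_log4j() {
  local dir="$1" expected="$2" script="$3" rc=0 findings ok bad
  findings=$(classify_log4j_jars "$dir" "$expected")
  ok=$(printf '%s\n' "$findings" | grep -c '^ok ' || true)
  bad=$(printf '%s\n' "$findings" | grep -v '^ok ' | grep -c . || true)
  [ "$bad" -eq 0 ] || { printf '%s\n' "$findings" | grep -v '^ok ' | sed 's/^/FINDING: /'; rc=1; }
  [ "$ok" -eq 2 ] || { echo "FINDING: found $ok of the 2 expected log4j-core/api-$expected.jar files"; rc=1; }
  if has_nolookups_flag "$script"; then
    echo "INFO: $script sets -Dlog4j2.formatMsgNoLookups=true"
  else
    echo "INFO: $script does not set -Dlog4j2.formatMsgNoLookups=true"
  fi
  return "$rc"
}
```

A non-zero exit means the externals folder still needs clean-up before the Replicate services are restarted; the same classification applies to the Windows layout with the paths swapped.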