
CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik Replicate

Jamie_Gregory
Community Manager

Last Update: Jan 25, 2022 7:47:50 AM, updated by Sonja_Bauernfeind
Created date: Dec 13, 2021 3:25:57 PM

Qlik is providing these mitigation steps as a temporary measure. A patch will be provided and linked here; customers are advised to move to the patch as soon as it is available.

Patches are available. See Vulnerability Testing - Apache Log4j, reference CVE-2021-44228 (also referred to as Log4Shell) for your release and the relevant patch.

Upgrade at the earliest opportunity.

Mitigation steps for the Replicate log4j vulnerability:

Mitigation - Endpoint Server - Windows


  1. Edit the file <installation-root>\Replicate\endpoint_srv\bin\rependctl.bat

    (<installation-root> typically refers to C:\Program Files\Attunity)

  2. Add the string -Dlog4j2.formatMsgNoLookups=true at the location marked "Fix Here" below (the last line of the script, which launches the JVM):

    @echo off
    REM attunity endpoints server configuration/run script

    FOR %%A IN ("%~dp0..") DO SET AT_PROD=%%~fA

    REM list plugins here
    SET AT_PLUGIN_LIST=-plugins rependsrv

    REM set data directory based on the name of this script
    SET AT_DATA_SUFFIX=
    FOR /F "tokens=2 delims=_" %%A IN ("%~n0") DO SET AT_DATA_SUFFIX=%%A

    IF "%AT_DATA_SUFFIX%" == "" (
        SET AT_DATA=
    ) ELSE (
        SET AT_DATA=-d data_%AT_DATA_SUFFIX%
    )

    IF EXIST "%AT_PROD%\jvm" (
        SET AT_JAVA=%AT_PROD%\jvm\bin\java.exe
    ) ELSE IF EXIST "%AT_PROD%\..\jvm" (
        SET AT_JAVA=%AT_PROD%\..\jvm\bin\java.exe
    ) ELSE IF "%JAVA_HOME%" == "" (
        ECHO ERROR: JAVA Cannot be found
        EXIT /b -1
    ) ELSE (
        SET AT_JAVA=%JAVA_HOME%\bin\java.exe
    )

    SET AT_EXTERNAL=%AT_PROD%\externals
    SET AT_LIB=%AT_PROD%\lib
    SET AT_MAIN=com.attunity.infrastructure.server.PluginServer

    REM                                         <--------------- Fix Here ------------>
    "%AT_JAVA%" -XX:+UseG1GC -Dlog4j2.formatMsgNoLookups=true -Dfile.encoding=UTF-8 %AT_JVM_OPT% -cp "%AT_EXTERNAL%"/*;"%AT_LIB%"/* %AT_MAIN% %AT_DATA% %AT_PLUGIN_LIST% %*
  3. Save the file.
  4. Locate the vulnerable log4j-core-<version#>.jar file and rename/move it to ..\log4j-core-<version#>.jar-vulnerable (outside the externals directory, so it is no longer on the classpath):

    > cd <installation-root>\Replicate\endpoint_srv\externals\

    > move log4j-core-<version#>.jar ..\log4j-core-<version#>.jar-vulnerable
  5. Download the non-vulnerable jar named log4j-core-nolookup-<version#>.jar from this page and place it in the same location as the vulnerable jar.
  6. Restart the Replicate Windows service with the commands:

    > sc stop AttunityReplicateServer

    > sc start AttunityReplicateServer


Note that if you have customized Replicate start scripts or if you are running multiple instances of Replicate on the same machine, you will have to repeat this process for the different environments and perform the equivalent edit on your modified start scripts.


Mitigation - Endpoint Server - Linux


  1. Edit the file <installation-root>/replicate/endpoint_srv/bin/rependctl.sh (<installation-root> typically refers to /opt/attunity)
  2. Add the string -Dlog4j2.formatMsgNoLookups=true at the location marked "Fix Here" below (the last line of the script, which launches the JVM):

    #!/bin/bash

    # attunity endpoints server configuration/run script

    DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"

    AT_PROD="${DIR}/.."

    AT_PLUGIN_LIST="rependsrv"

    if [ -d "${AT_PROD}/jvm" ]; then
        AT_JAVA="${AT_PROD}/jvm/bin/java"
    elif [ -d "${AT_PROD}/../jvm" ]; then
        AT_JAVA="${AT_PROD}/../jvm/bin/java"
    elif [ -z "$JAVA_HOME" ]; then
        echo "ERROR: JAVA Cannot be found"
        exit -1
    else
        AT_JAVA="${JAVA_HOME}/bin/java"
    fi

    AT_EXTERNAL="${AT_PROD}/externals"
    AT_LIB="${AT_PROD}/lib"
    AT_MAIN="com.attunity.infrastructure.server.PluginServer"

    if [ -z "$AT_DATA" ]; then
        AT_DATA="${AT_PROD}/data"
    fi

    AT_CP="${AT_EXTERNAL}/*:${AT_LIB}/*"

    #                         <----------- Fix Here --------->
    "${AT_JAVA}" -XX:+UseG1GC -Dlog4j2.formatMsgNoLookups=true -Dfile.encoding=UTF-8 ${AT_JVM_OPT} -cp "${AT_CP}" "${AT_MAIN}" -d "${AT_DATA}" -plugins "${AT_PLUGIN_LIST}" "${@:1}"

  3. Save the file.
  4. Locate the vulnerable log4j-core-<version#>.jar file and rename/move it to ../log4j-core-<version#>.jar-vulnerable (outside the externals directory, so it is no longer on the classpath):
    $ cd <installation-root>/replicate/endpoint_srv/externals

    $ mv log4j-core-<version#>.jar ../log4j-core-<version#>.jar-vulnerable
  5. Download the non-vulnerable jar named log4j-core-nolookup-<version#>.jar  from this page and place it in the same location as the vulnerable jar.
  6. Restart the Replicate service with the command:

    # service areplicate restart


Note that if you have customized Replicate start scripts or if you are running multiple instances of Replicate on the same machine, you will have to repeat this process for the different environments and perform the equivalent edit on your modified start scripts.
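As an added verification helper (not Qlik's code or part of this article), the script below checks the outcome of the endpoint server steps above on a Linux install: that an active launch line in rependctl.sh carries -Dlog4j2.formatMsgNoLookups=true, that no log4j-core-<version#>.jar other than the nolookup replacement remains in externals, and, where unzip is available, whether a given jar still ships the JndiLookup class. It assumes the Linux layout <root>/bin/rependctl.sh and <root>/externals/*.jar; the same checks apply to the Windows tree, but the commands here are for bash.

```shell
#!/bin/bash
# Added audit helper for the endpoint server mitigation; not Qlik's code.
# Assumed layout: <root>/bin/rependctl.sh and <root>/externals/*.jar.

# 0 if an active (uncommented) line of the start script carries the
# no-lookups property; commented-out copies of the launch line do not count.
script_has_nolookups_flag() {
    grep -Eq '^[^#]*-Dlog4j2\.formatMsgNoLookups=true' "$1"
}

# Print log4j-core-<version>.jar files still present in the externals
# directory, ignoring the log4j-core-nolookup-* replacement from step 5.
# Returns 0 when none remain, 1 otherwise.
find_unpatched_log4j_core() {
    local dir=$1 jar rc=0
    for jar in "$dir"/log4j-core-*.jar; do
        [ -e "$jar" ] || continue
        case ${jar##*/} in
            log4j-core-nolookup-*) ;;
            *) echo "$jar"; rc=1 ;;
        esac
    done
    return $rc
}

# 0 if the jar still contains the JNDI lookup class, 1 if it does not,
# 2 if unzip is unavailable and nothing can be said.
jar_contains_jndilookup() {
    command -v unzip >/dev/null 2>&1 || return 2
    unzip -l "$1" 2>/dev/null | grep -q 'org/apache/logging/log4j/core/lookup/JndiLookup.class'
}

# Combine the checks for one endpoint server root; 0 only when both pass.
audit_endpoint_server() {
    local root=$1 rc=0 left
    if script_has_nolookups_flag "$root/bin/rependctl.sh"; then
        echo "OK: rependctl.sh sets -Dlog4j2.formatMsgNoLookups=true"
    else
        echo "MISSING: -Dlog4j2.formatMsgNoLookups=true in $root/bin/rependctl.sh"; rc=1
    fi
    left=$(find_unpatched_log4j_core "$root/externals" || true)
    if [ -z "$left" ]; then
        echo "OK: no unpatched log4j-core jar in $root/externals"
    else
        echo "FOUND: unpatched log4j-core jar(s) in externals:"; echo "$left"; rc=1
    fi
    return $rc
}

# Usage: rependctl_audit.sh /opt/attunity/replicate/endpoint_srv
if [ "$#" -eq 1 ]; then audit_endpoint_server "$1"; fi
```

A non-zero exit from audit_endpoint_server means at least one of the two mitigation steps is still missing; the jar check is separate because the nolookup jar is identified by name only.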


Mitigation - Client Samples in Java


The client samples are intended for demonstration. If they were used to build an application, make sure the application uses the latest version of the log4j component (v2.15) or, alternatively, apply mitigations similar to the ones listed above by adding the system property to the application's JVM options.


For more information on the Log4j vulnerability, please visit the Support Updates Blog post.

Comments
fabrice_lawson
Former Employee

Thanks for the feedback. The documentation is updated with the correct character:

-Dlog4j2.formatMsgNoLookups=true
Antony_05
Contributor III

Hi,


But I think the FIX that is mentioned in the (Mitigation - Endpoint Server - Linux) section is in Windows format:

# <--------------- Fix Here ------------>
"%AT_JAVA%" -XX:+UseG1GC -Dlog4j2.formatMsgNoLookups=true -Dfile.encoding=UTF-8 %AT_JVM_OPT% -cp "%AT_EXTERNAL%"/*;"%AT_LIB%"/* %AT_MAIN% %AT_DATA% %AT_PLUGIN_LIST% %*

Can you please provide the above-mentioned Fix in Linux format?


Thanks,

Antony S

Tarmo
Contributor

Hi

1. Would removing the JndiLookup.class file be a good fix for this?

find ./ -type f -name "log4j-core-*.jar" -exec zip -q -d "{}" org/apache/logging/log4j/core/lookup/JndiLookup.class \;

2. Or adding this ENV variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true to /etc/environment?

fabrice_lawson
Former Employee

We have updated the fix!

"%AT_JAVA%" -XX:+UseG1GC -Dlog4j2.formatMsgNoLookups=true -Dfile.encoding=UTF-8 %AT_JVM_OPT% -cp "%AT_EXTERNAL%"/*;"%AT_LIB%"/* %AT_MAIN% %AT_DATA% %AT_PLUGIN_LIST% %*

It is related to the sign prior to "-Dlog4j2.formatMsgNoLookups=true".

venkata-phanindra
Contributor II

Hi,

We followed the mitigation steps and implemented the change, but after that we noticed the archival redo logs speed per hour got reduced. Previously, before implementing the change, we used to have an archival redo logs speed per hour of 140, but after implementing the mitigation changes the speed is now 30.


Can we know whether this is because of the mitigation steps? Has anyone else faced the same issue? It would be helpful if someone can provide the solution.


Thanks

john_wang
Support

Hello @Antony_05 , copy @fabrice_lawson , @Jamie_Gregory ,

The Linux fix still contains another problem. It contains a line of "Windows Replicate" script. I'm pasting a complete Linux 'updated' script of "/opt/attunity/replicate/endpoint_srv/bin/rependctl.sh". It's for Replicate Nov 2020 (formerly version 7.0):

    #!/bin/bash

    # attunity endpoints server configuration/run script

    DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"

    AT_PROD="${DIR}/.."

    AT_PLUGIN_LIST="rependsrv"

    if [ -d "${AT_PROD}/jvm" ]; then
        AT_JAVA="${AT_PROD}/jvm/bin/java"
    elif [ -d "${AT_PROD}/../jvm" ]; then
        AT_JAVA="${AT_PROD}/../jvm/bin/java"
    elif [ -z "$JAVA_HOME" ]; then
        echo "ERROR: JAVA Cannot be found"
        exit -1
    else
        AT_JAVA="${JAVA_HOME}/bin/java"
    fi

    AT_EXTERNAL="${AT_PROD}/externals"
    AT_LIB="${AT_PROD}/lib"
    AT_MAIN="com.attunity.infrastructure.server.PluginServer"

    if [ -z "$AT_DATA" ]; then
        AT_DATA="${AT_PROD}/data"
    fi

    AT_CP="${AT_EXTERNAL}/*:${AT_LIB}/*"

    # "${AT_JAVA}" -XX:+UseG1GC -Dlog4j2.formatMsgNoLookups=true -Dfile.encoding=UTF-8 ${AT_JVM_OPT} -cp "${AT_CP}" "${AT_MAIN}" -d "${AT_DATA}" -plugins "${AT_PLUGIN_LIST}" "${@:1}"
    "${AT_JAVA}" -XX:+UseG1GC -Dlog4j2.formatMsgNoLookups=true -Dfile.encoding=UTF-8 ${AT_JVM_OPT} -cp "${AT_CP}" "${AT_MAIN}" -d "${AT_DATA}" -plugins "${AT_PLUGIN_LIST}" "${@:1}"


Hope this helps.

Regards,

John.

john_wang
Support

Hello @Tarmo ,

See my comment in another article, page #15:

https://community.qlik.com/t5/Support-Updates-Blog/Vulnerability-Testing-Apache-Log4j-reference-CVE-...

I described the "zip" command and my steps. Hope it helps.

Regards,

John.

bryce_leinan
Contributor III

Something I would highly recommend when you are doing this on a Windows box is to use Notepad++ and make sure you show all characters (View > Show Symbol > All Characters) - that's what I did the other day when I did the copy and paste and saw the weird dash instead of the hyphen (before it took off in this post.) 

IvanSmith
Contributor

Hello,

It may be prudent to update the mitigation steps for Qlik as Apache and CVE-2021-45046 mention setting the formatMsgNoLookups=true flag to mitigate the threat is no longer valid:

https://logging.apache.org/log4j/2.x/security.html


The notable line is:

"Other insufficient mitigation measures are: setting system property log4j2.formatMsgNoLookups or environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true for releases >= 2.10"


I have applied the command:

find / -name "log4j-core-*" -exec sudo zip -q -d "{}" org/apache/logging/log4j/core/lookup/JndiLookup.class \;

With success for both Qlik Enterprise Manager (current version 2021.5.0.313) and Qlik Replicate (version 2021.5.0.863, without endpoint server enabled). Apache has handlers for exclusion of the JNDILookup.class which mitigate any exceptions caused by this operation.

If anyone from Qlik could validate that the current application does not leverage the JNDILookup.class in any other operation, it would be appreciated.

No replicate issues or abnormal behaviour noted to date in any environment. I hope this helps someone else.

Regards,

Ivan

RAFFYUY27
Contributor

There are several files in the log4j_files_to_address_vulnerabilities.zip.

Are we expected to only use log4j-core*.jar?

What do we do with log4j-api*jar from the zip file?
