Qlik Community

Knowledge

Search or browse our knowledge base to find answers to your questions ranging from account questions to troubleshooting error messages. The content is curated and updated by our global Support team

Announcements
Now Live: Qlik Sense SaaS Simplified Authoring – Analytics Creation for Everyone: READ DETAILS

CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik GeoAnalytics

cancel
Showing results for 
Search instead for 
Did you mean: 
Sebastian_Linser

CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik GeoAnalytics

Qlik GeoAnalytics Server and the Qlik GeoAnalytics Connector in combination with GeoAnalytics Plus are both affected by the log4j vulnerability.

Patches are available. See Vulnerability Testing - Apache Log4j, reference CVE-2021-44228 (also referred to as Log4Shell)  for your release of Qlik GeoAnalytics and the relevant patch.

Upgrade at the earliest.

 

Mitigation steps are provided below should not upgrade be possible at this time. 

The Standard GeoAnalytics Connector for Qlikview and QlikSense (bundled) without GeoAnalytics Plus are not affected by it, they don't use Java.

 

Environment:

 

 

Resolution for GeoAnalytics Server:

 

  1. Start the Configure Service application from the start menu.

    Sebastian_Linser_1-1639404259009.png

  2. Set the Java options ‐Dlog4j2.formatMsgNoLookups=true inside the Service Properties under the Java tab.

    Sebastian_Linser_0-1639404031447.png
  3. Restart all GeoAnalytics Services.

 

Resolution for GeoAnalytics Plus Connector:

 

  1. Open C:\Program Files\Common Files\Qlik\Custom Data\QvIdevioConnector\IdevioGeoAnalyticsConnector.exe.config

  2. Locate the following line (located in appSettings)

    <add key="javaArgs" value=""/>
  3. Change the line to:

    <add key="javaArgs" value="-Dlog4j2.formatMsgNoLookups=true"/>

 

This applies only to GeoAnalytics Plus Connector Version May 2021 and higher.

 

Versions prior to February 2020 uses Log4j v1, which is not vulnerable to this exploit. To prevent any other possible vulnerabilities, we recommend upgrading to a newer version (higher than May 2021) of GeoAnalytics Plus and then applying the mitigation.

Alternatively, you can manually replace the Log4j library files with newer versions:

  1. Download the binaries of the latest release of Log4j2 (2.17.1 as of this  moment):  https://logging.apache.org/log4j/2.x/download.html 
  2. Extract the files 
  3. Go to C:\Program Files\Common Files\Qlik\Custom Data\QvIdevioConnector\lib
  4. For all JAR files starting with "lib4j-"
    1. Copy the corresponding 2.17.1 JAR file to the lib folder
    2. Delete the old version of that JAR

 

For more information on the Log4j vulnerability, please visit the Support Updates Blog post.

 

As a short update we released:

 

  • GeoAnalytics Server - 4.32.5 - (November 2021 SR3) - 2.17.1
  • GeoAnalytics Server - 4.19.2 - 4.27.4 (February 2020 SR2 - May 2021 SR2) - 2.17.1
  • GeoAnalytics Plus - 5.31.3 ( November 2021 SR3) - 2.17.1
  • GeoAnalytics Plus - 5.29.5-5.30.2 (May 2021 SR3 - August 2021 SR2) - 2.17.1
  • GeoAnalytics Plus - 5.27.6-5.28.3 (November 2020 SR2-February 2021 SR2) - 2.17.1
  • GeoAnalytics Plus - 5.26.6 (September 2020 SR3) - 2.17.1

 

  • GeoAnalytics Server - 4.32.4 - (November 2021 SR2) - 2.17.0
  • GeoAnalytics Server - 4.32.3 - (November 2021 SR1) - 2.16.0
  • GeoAnalytics Server - 4.19.1 - 4.27.3(February 2020 SR1 - May 2021 SR1) - 2.16.0

 

  • GeoAnalytics Plus - 5.31.2 ( November 2021 SR2) - 2.17.0
  • GeoAnalytics Plus - 5.31.1 ( November 2021 SR1) - 2.16.0
  • GeoAnalytics Plus - 5.29.4-5.30.1 (May 2021 SR2 - August 2021 SR1) - 2.16.0
  • GeoAnalytics Plus - 5.27.5-5.28.2 (November 2020 SR1-February 2021 SR1) - 2.16.0
  • GeoAnalytics Plus - 5.26.5 (September 2020 SR2) - 2.16.0
  •  
Comments
Vicky_Z
Support
Support

@ker  could you please help to confirm this:

The patch on Download site is for GA Nov 21 release. For the earlier version, for example, Nov 20, the users will need to use this article to manually replace the library file?

Is it right? Thank you 

 

ker
Employee
Employee

@Vicky_Z:

The recommended solution would be to just upgrade to GA Server / Plus Nov 2021 Patch 1, but if that is not an option for them then they should apply the mitigations above until the relevant patch appears on the download site.

marthafong
Partner - Contributor
Partner - Contributor

I saw may21 patch1 available in the download site. If we have add the flag for Qlik GeoAnalytics service properties.  Do we still need to apply the may21 patch1? 

Thanks

Sonja_Bauernfeind
Digital Support
Digital Support

Hello @marthafong 

We recommend an upgrade. The manual mitigation is just that, a mitigation, and the upgrade is intended to be the permanent fix. 

Patric_Nordstrom
Employee
Employee

Fyi, There is a SR3 of November 2021 of GeoAnalytics Server and Plus with log4J-2.17.1 as of Jan 26th.

senior_v
Contributor
Contributor
Thanks for the update!
Version history
Last update:
‎2022-01-27 04:13 AM
Updated by: