CVE-2021-44832 : Handling the log4shell vulnerability for Visibility 7.3.0.4

john_wang · Jan 6, 2022 9:11:34 AM

Qlik is providing these mitigation steps as a temporary measure. A patch will be provided and linked here; customers are advised to move to the patch as soon as it is available.

Environment:

Qlik Visibility 7.3.0.4

Mitigation - Visibility 7.3

Download log4j 2.3.2 and extract it to temporary folder "PATH_TO_LOG4J_2_3_2"
cd $VISIBILITY_HOME/java/lib/default
rm log4j-1.2-api-2.3.jar log4j-api-2.3.jar log4j-core-2.3.jar
(it's better to move the jars to a backup folder rather than remove them)

Copy the jars from the temporary folder

cp ~/PATH_TO_LOG4J_2_3_2/log4j-api-2.3.2.jar .
cp ~/PATH_TO_LOG4J_2_3_2/log4j-core-2.3.2.jar .
cp ~/PATH_TO_LOG4J_2_3_2/log4j-1.2-api-2.3.2.jar .

Restart Visibility hdpcollector and hdpcataloger components

No other components are affected.

Qlik Visibility

Vikki · ‎2022-05-05

Qlik Visibility - CVE-2021-44228: Visibility-Client.jar file vulnerability

Looking for guidance on Security vulnerability noted:

The version of Apache Log4j on the remote host is 2.x < 2.3.1 / 2.4 < 2.12.3 / 2.13 < 2.15.0. It is, therefore, affected by a remote code execution vulnerability in the JDNI parser due to improper log validation. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands. Log4j 1.x, which reached its End of Life prior to 2016, comes with JMSAppender which will perform a JNDI lookup if enabled in Log4j's configuration file, hence customers should evaluate triggers in 1.x based on the risk that it is EOL and whether JNDI lookups are enabled. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The following paths are showing in our Security scan results:
Path:/opt/attunity/visibility/product/v7/java/lib/MapR/visibility-client.jar - Note: Installed version:2.3 and Fixed version:2.3.1
Path:/opt/attunity/visibility/product/v7/java/lib/CDH_5.10/visibility-client.jar - Note: Installed version:2.3 and Fixed version:2.3.1

Please advise on guidance.

Regards,

Vikki Turner

Vikki · ‎2022-05-05

Qlik Visibility - Spring Framework vulnerability CVE-2022-22965

Looking for guidance on Attunity Visibility software v7.3 impact for Spring Framework vulnerability CVE-2022-22965. PNC Security has requested remediation as per below:

Spring Framework contains a flaw in the CachedIntrospectionResults class in spring-beans/src/main/java/org/springframework/beans/CachedIntrospectionResults.java related to insecure introspection when using request parameter binding. This may allow a remote attacker to invoke arbitrary Java class methods and execute arbitrary code.

I've found the reference in your support documentation for the subject CVE vulnerability but there is no mention of Qlik Visibility software. Would appreciate some help.

Using:

Operating System: Linux
Operating System Version: RHEL 7.9
Product Release: V7.3
Environment Type: Production

Thank you,
Vikki Turner

SwathiPulagam · ‎2022-05-10

Hi @Vikki ,

Visibility is a retired product and is no longer supported

https://community.qlik.com/t5/Support-Updates-Blog/Retirement-of-legacy-Attunity-products-on-January...

Thanks,

Swathi

CVE-2021-44832 : Handling the log4shell vulnerability for Visibility 7.3.0.4