Jamie_Gregory
Community Manager

CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Compose

Last Update: Jan 25, 2022 7:47:25 AM
Updated By: Sonja_Bauernfeind
Created date: Dec 13, 2021 3:35:30 PM


Qlik is providing these mitigation steps as a temporary measure. A patch will be provided and linked here; customers are advised to move to the patch as soon as it is available.

Patches are available. See Vulnerability Testing - Apache Log4j, reference CVE-2021-44228 (also referred to as Log4Shell) for your release and the relevant patch.

Upgrade at the earliest opportunity. The steps below are a stopgap for systems that cannot be patched immediately, not a substitute for the patched release.

 

Environment:

  • Qlik Compose

 

Mitigation steps for the Compose log4j vulnerability:

 

Mitigation - Windows Service

 

  1. Edit the file <installation-root>\Compose\java\bin\acjs.bat (<installation-root> typically refers to C:\Program Files\Qlik)
  2. Add the command set LOG4J_FORMAT_MSG_NO_LOOKUPS=TRUE at the location shown below (immediately before the last line of the script, which launches java; the variable must be set before that line or the JVM never sees it):

    REM Attunity Compose Java Server configuration/run script
    REM e.g. AT_PROD = C:\Program Files\Attunity\Compose\java_server
    for %%A in ("%~dp0..") do set AT_PROD=%%~fA
    REM list plugins here
    SET AT_PLUGIN_LIST=-plugins compose_ctl
    REM set data directory based on the name of this script
    set AT_DATA_SUFFIX=
    for /F "tokens=2 delims=_" %%A in ("%~n0") do set AT_DATA_SUFFIX=%%A
    if "%AT_DATA_SUFFIX%" == "" (
            set AT_DATA=
    ) else (
            set AT_DATA=-d data_%AT_DATA_SUFFIX%
    )
    if "%COMPOSE_JAVA_SERVER_DEBUG%" == "true" (
            set  JVM_REMOTE_DEBUG_ARGUMENTS=-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:5005
    ) else (
            set JVM_REMOTE_DEBUG_ARGUMENTS=
    )
    SET AT_JAVA=%AT_PROD%\lib\jre\bin\java.exe
    SET AT_EXTERNAL=%AT_PROD%\external
    SET AT_LIB=%AT_PROD%\lib
    SET AT_PLUGINS=%AT_PROD%\plugins
    SET AT_MAIN=com.attunity.infrastructure.server.PluginServer
    SET AT_EXTERNAL_JDBC_PATH=%AT_PROD%\jdbc
    SET AT_APP_NAME=-DQlikApp=ComposeJavaServer

    REM --------------------- Fix here ---------------------
    REM CVE-2021-44228 mitigation: disable message lookups in log4j 2.10+ for the JVM started below
    SET LOG4J_FORMAT_MSG_NO_LOOKUPS=TRUE
    "%AT_JAVA%" %AT_APP_NAME% %JVM_REMOTE_DEBUG_ARGUMENTS% -cp "%AT_EXTERNAL_JDBC_PATH%"/*;"%AT_PLUGINS%"/*;"%AT_EXTERNAL%"/*;"%AT_LIB%"/* %AT_MAIN% %AT_DATA% %AT_PLUGIN_LIST% %*
  3. Save the file.
  4. Locate the vulnerable log4j-core-<version#>.jar file and move it one directory up, renamed to log4j-core-<version#>.jar-vulnerable, so it is no longer on the classpath. Use move rather than ren: ren cannot rename a file into a different directory.
    cd <installation-root>\Compose\java\external

    move log4j-core-<version#>.jar ..\log4j-core-<version#>.jar-vulnerable
  5. Download the non-vulnerable jar named log4j-core-nolookup-<version#>.jar  from this page and place it in the same location as the vulnerable jar.
  6. Restart the Compose Windows service. sc stop returns as soon as the stop request is sent, so confirm the service reports STOPPED before starting it again.

    sc stop QlikCompose

    sc query QlikCompose

    sc start QlikCompose

Note that if you have a customized Compose start script, you should perform the equivalent edit on your modified start script. Note also that the LOG4J_FORMAT_MSG_NO_LOOKUPS variable only takes effect on Log4j 2.10 and later and was subsequently found by the Log4j project to be an incomplete mitigation on its own (CVE-2021-45046); steps 4 and 5, which replace the jar, are therefore required, not optional.
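As an added example (not code from this page, from Qlik, or from Qlik Compose), the following Python script checks whether the workaround above has actually landed on a host: it looks for every log4j-core*.jar under <installation-root>\Compose\java\external, reads each jar's Implementation-Version from its manifest, flags any jar that still contains org/apache/logging/log4j/core/lookup/JndiLookup.class, and confirms that acjs.bat sets LOG4J_FORMAT_MSG_NO_LOOKUPS=TRUE before the java launch line. It assumes, as the Apache Log4j workaround does, that a remediated jar is one with JndiLookup.class removed; if Qlik's nolookup jar neutralises lookups some other way, adjust the class check. The directory tree, jar contents and version string it builds under a temporary directory are a constructed fixture so the script runs offline; point check_compose_mitigation() at a real installation root instead.

```python
"""Post-mitigation check for the Compose log4j workaround (added example, not Qlik code)."""
import os
import re
import tempfile
import zipfile

# Class whose presence makes a Log4j 2.x core jar exploitable via JNDI lookups.
# Assumption: Qlik's "nolookup" jar, like Apache's own workaround, omits this class.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ENV_LINE_RE = re.compile(r"^\s*set\s+LOG4J_FORMAT_MSG_NO_LOOKUPS\s*=\s*true\s*$", re.IGNORECASE)
JAVA_LAUNCH_RE = re.compile(r'^\s*"%AT_JAVA%"')  # the java launch line of acjs.bat


def log4j_core_version(jar_path):
    """Implementation-Version from the jar manifest, or '' if it cannot be read."""
    with zipfile.ZipFile(jar_path) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return ""
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
    return m.group(1) if m else ""


def jar_has_jndi_lookup(jar_path):
    """True if the jar still ships JndiLookup.class."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_LOOKUP_CLASS in zf.namelist()


def scan_log4j_jars(external_dir):
    """Map every log4j-core*.jar in external_dir to (version, has_jndi_lookup).
    The *.jar-vulnerable copy parked by step 4 does not end in .jar, so it is ignored."""
    found = {}
    if not os.path.isdir(external_dir):
        return found
    for name in sorted(os.listdir(external_dir)):
        lower = name.lower()
        if lower.startswith("log4j-core") and lower.endswith(".jar"):
            path = os.path.join(external_dir, name)
            found[name] = (log4j_core_version(path), jar_has_jndi_lookup(path))
    return found


def start_script_sets_no_lookups(bat_path):
    """True only if LOG4J_FORMAT_MSG_NO_LOOKUPS=TRUE is set before the java launch
    line (where step 2 puts it); a SET after that line never reaches the JVM."""
    env_set = False
    with open(bat_path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            if ENV_LINE_RE.match(line):
                env_set = True
            elif JAVA_LAUNCH_RE.match(line):
                return env_set
    return False  # no launch line found: cannot confirm anything


def check_compose_mitigation(install_root):
    """Summarise the state of steps 2, 4 and 5 for one Compose installation root."""
    external = os.path.join(install_root, "Compose", "java", "external")
    bat = os.path.join(install_root, "Compose", "java", "bin", "acjs.bat")
    jars = scan_log4j_jars(external)
    vulnerable = [name for name, (_, jndi) in jars.items() if jndi]
    env_ok = os.path.isfile(bat) and start_script_sets_no_lookups(bat)
    return {
        "jars": jars,
        "vulnerable_jars": vulnerable,
        "env_var_set": env_ok,
        # mitigated: a core jar is present, none still has JndiLookup, and the env var is set
        "mitigated": bool(jars) and not vulnerable and env_ok,
    }


def build_sample_install(root, patched):
    """Constructed fixture, not a real Compose install: the version string and class
    bytes are made up. patched=False mimics a stock install, patched=True mimics
    steps 2, 4 and 5 having been applied."""
    external = os.path.join(root, "Compose", "java", "external")
    bin_dir = os.path.join(root, "Compose", "java", "bin")
    os.makedirs(external)
    os.makedirs(bin_dir)
    jar_name = "log4j-core-nolookup-2.14.1.jar" if patched else "log4j-core-2.14.1.jar"
    with zipfile.ZipFile(os.path.join(external, jar_name), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nImplementation-Version: 2.14.1\r\n")
        zf.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class", b"\xca\xfe\xba\xbe")
        if not patched:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    lines = [r"SET AT_JAVA=%AT_PROD%\lib\jre\bin\java.exe"]
    if patched:
        lines.append("SET LOG4J_FORMAT_MSG_NO_LOOKUPS=TRUE")
    lines.append('"%AT_JAVA%" -cp "%AT_EXTERNAL%"/* com.attunity.infrastructure.server.PluginServer %*')
    with open(os.path.join(bin_dir, "acjs.bat"), "w", newline="") as fh:
        fh.write("\r\n".join(lines) + "\r\n")


def run_demo():
    """Check an unpatched and a patched fixture; returns both result dicts in that order."""
    base = tempfile.mkdtemp(prefix="compose-log4j-")
    build_sample_install(os.path.join(base, "unpatched"), patched=False)
    build_sample_install(os.path.join(base, "patched"), patched=True)
    return (check_compose_mitigation(os.path.join(base, "unpatched")),
            check_compose_mitigation(os.path.join(base, "patched")))


if __name__ == "__main__":
    for label, result in zip(("unpatched", "patched"), run_demo()):
        print(label, "mitigated" if result["mitigated"] else "NOT mitigated", result)
```

On a real host, run it as the account that can read the Compose installation and treat any entry in vulnerable_jars, or env_var_set being False, as the procedure not having been completed. A customised start script that launches java from a line not beginning with "%AT_JAVA%" will need JAVA_LAUNCH_RE adjusted to match it.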

 

For more information on the Log4j vulnerability, please visit the Support Updates Blog post.