Do not input private or sensitive data. View Qlik Privacy & Cookie Policy.
Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements
Qlik Connect 2025! Join us in Orlando join us for 3 days of immersive learning: REGISTER TODAY

CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Compose

No ratings
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Jamie_Gregory
Community Manager
Community Manager

CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Compose

Last Update:

Jan 25, 2022 7:47:25 AM

Updated By:

Sonja_Bauernfeind

Created date:

Dec 13, 2021 3:35:30 PM

Attachments
log4j_files_to_address_vulnerabilities.zip

Qlik is providing these mitigation steps as a temporary measure. A patch will be provided and linked here; customers are advised to move to the patch as soon as it is available.

Patches are available. See Vulnerability Testing - Apache Log4j, reference CVE-2021-44228 (also referred to as Log4Shell)  for your release and the relevant patch.

Upgrade at the earliest.

 

Environment:

  • Qlik Compose

 

Mitigation steps to follow Compose log4j vulnerability:

 

Mitigation - Windows Service

 

  1. Edit the file <installation-root>\Compose\java\bin\acjs.bat (<installation-root> typically refers to C:\Program Files\Qlik)
  2. Add the command set LOG4J_FORMAT_MSG_NO_LOOKUPS=TRUE  in the location shown below (script line before last):

    REM Attunity Compose Java Server configuration/run script
    REM e.g. AT_PROD = C:\Program Files\Attunity\Compose\java_server
    for %%A in ("%~dp0..") do set AT_PROD=%%~fA
    REM list plugins here
    SET AT_PLUGIN_LIST=-plugins compose_ctl
    REM set data directory based on the name of this script
    set AT_DATA_SUFFIX=
    for /F "tokens=2 delims=_" %%A in ("%~n0") do set AT_DATA_SUFFIX=%%A
    if "%AT_DATA_SUFFIX%" == "" (
            set AT_DATA=
    ) else (
            set AT_DATA=-d data_%AT_DATA_SUFFIX%
    )
    if "%COMPOSE_JAVA_SERVER_DEBUG%" == "true" (
            set  JVM_REMOTE_DEBUG_ARGUMENTS=-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:5005
    )else (
            set JVM_REMOTE_DEBUG_ARGUMENTS=
    )
    SET AT_JAVA=%AT_PROD%\lib\jre\bin\java.exe
    SET AT_EXTERNAL=%AT_PROD%\external
    SET AT_LIB=%AT_PROD%\lib
    SET AT_PLUGINS=%AT_PROD%\plugins
    SET AT_MAIN=com.attunity.infrastructure.server.PluginServer
    SET AT_EXTERNAL_JDBC_PATH=%AT_PROD%\jdbc
    SET AT_APP_NAME=-DQlikApp=ComposeJavaServer

    <--------------------- Fix Here--------------------->
    SET LOG4J_FORMAT_MSG_NO_LOOKUPS=TRUE
    "%AT_JAVA%" %AT_APP_NAME% %JVM_REMOTE_DEBUG_ARGUMENTS% -cp "%AT_EXTERNAL_JDBC_PATH%"/*;"%AT_PLUGINS%"/*;"%AT_EXTERNAL%"/*;"%AT_LIB%"/* %AT_MAIN% %AT_DATA% %AT_PLUGIN_LIST% %*
  3. Save the file.
  4. Locate the vulnerable log4j-core-<version#>.jar file and rename/move it to ..\log4j-core-<version#>.jar-vulnerable. 
    $ cd <installation-root>\Compose\java\external

$ ren log4j-core-<version#>.jar  ..\log4j-core-<version#>.jar-vulnerable​
  5. Download the non-vulnerable jar named log4j-core-nolookup-<version#>.jar  from this page and place it in the same location as the vulnerable jar.
  6. Restart the Compose Windows service.

    $ sc stop QlikCompose

    $ sc start QlikCompose

Note that if you have a customized Compose start script, you should perform the equivalent edit on your modified start script.

 

For more information on the Log4j vulnerability, please visit the Support Updates Blog post.

 

2,316 Views
Was this article helpful? Yes No
Version history
Last update:
‎2022-01-25 07:47 AM
Updated by:
Digital Support