CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik Enterprise Manager

Qlik is providing these mitigation steps as a temporary measure. A patch will be provided and linked here; customers are advised to move to the patch as soon as it is available.

Patches are available. See Vulnerability Testing - Apache Log4j, reference CVE-2021-44228 (also referred to as Log4Shell)  for your release and the relevant patch.

Upgrade at the earliest.

Environment:

• Qlik Enterprise Manager 

Mitigation steps to follow Enterprise Manager log4j vulnerability:

1. Stop the Enterprise Manager service. 
2. Edit the file <installation-root>\Enterprise Manager\java\bin\atajs.bat (<installation-root> typically refers to "C:\Program Files\Attunity")
3.  Add the string ‐Dlog4j2.formatMsgNoLookups=true in the location shown below (last line of script):
   
   

   @Echo off
   REM attunity trend analysis java server configuration/run script
   
   REM e.g. AT_PROD = C:\Program Files\Attunity\Enterprise Manager\java_server
   for %%A in ("%~dp0..") do set AT_PROD=%%~fA
   
   REM list plugins here
   SET AT_PLUGIN_LIST=-plugins analytics_ctl
   
   REM set data directory based on the name of this script
   set AT_DATA_SUFFIX=
   for /F "tokens=2 delims=_" %%A in ("%~n0") do set AT_DATA_SUFFIX=%%A
   
   if "%AT_DATA_SUFFIX%" == "" (
       set AT_DATA=
   ) else (
       set AT_DATA=-d data_%AT_DATA_SUFFIX%
   )
   
   SET AT_ANALYTICS=%AT_PROD%\lib\jvm\bin\aemanalytics.exe
   SET AT_EXTERNAL=%AT_PROD%\external
   SET AT_LIB=%AT_PROD%\lib
   SET AT_INFRA_JAR=%AT_LIB%\attunity.infrastructure.jar
   SET AT_PLUGINS=%AT_PROD%\plugins
   SET AT_MAIN=com.attunity.infrastructure.server.PluginServer
   
   REM                                                           <-------------- Fix Here ------------>
   "%AT_ANALYTICS%" %JAVA_LIB_PATH%  ‐Dlog4j2.formatMsgNoLookups=true -cp "%AT_INFRA_JAR%";"%AT_PLUGINS%"/*;"%AT_EXTERNAL%"/*;"%AT_LIB%"/* %AT_MAIN% %AT_DATA% %AT_PLUGIN_LIST% %*

4.  Save the file.
5. Locate the vulnerable log4j-core-<version#>.jar file and rename/move it to ../log4j-core-<version#>.jar-vulnerable.
   

   $ cd <installation-root>\Enterprise Manager\java\external
   
   $ ren log4j-core-<version#>.jar  ..\log4j-core-<version#>.jar-vulnerable

6. Download the non-vulnerable jar named log4j-core-nolookup-<version#>.jar  from this page and place it in the same location as the vulnerable jar.
7. Restart the Enterprise Manager Windows service.
   
   

   $ sc stop AttunityEnterpriseManager
   
   $ sc start AttunityEnterpriseManager

Note that if you have a customized Enterprise Manager start script, you should perform the equivalent edit on your modified start script.

For more information on the Log4j vulnerability, please visit the Support Updates Blog post.