Skip to main content
Announcements
Qlik Connect 2025: 3 days of full immersion in data, analytics, and AI. May 13-15 | Orlando, FL: Learn More

CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik GeoAnalytics

No ratings
cancel
Showing results for 
Search instead for 
Did you mean: 
Sebastian_Linser

CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik GeoAnalytics

Last Update:

Jan 27, 2022 4:13:15 AM

Updated By:

Sebastian_Linser

Created date:

Dec 13, 2021 3:33:26 PM

Qlik GeoAnalytics Server and the Qlik GeoAnalytics Connector in combination with GeoAnalytics Plus are both affected by the log4j vulnerability.

Patches are available. See Vulnerability Testing - Apache Log4j, reference CVE-2021-44228 (also referred to as Log4Shell)  for your release of Qlik GeoAnalytics and the relevant patch.

Upgrade at the earliest.

 

Mitigation steps are provided below should not upgrade be possible at this time. 

The Standard GeoAnalytics Connector for Qlikview and QlikSense (bundled) without GeoAnalytics Plus are not affected by it, they don't use Java.

 

Environment:

 

 

Resolution for GeoAnalytics Server:

 

  1. Start the Configure Service application from the start menu.

    Sebastian_Linser_1-1639404259009.png

  2. Set the Java options ‐Dlog4j2.formatMsgNoLookups=true inside the Service Properties under the Java tab.

    Sebastian_Linser_0-1639404031447.png
  3. Restart all GeoAnalytics Services.

 

Resolution for GeoAnalytics Plus Connector:

 

  1. Open C:\Program Files\Common Files\Qlik\Custom Data\QvIdevioConnector\IdevioGeoAnalyticsConnector.exe.config

  2. Locate the following line (located in appSettings)

    <add key="javaArgs" value=""/>
  3. Change the line to:

    <add key="javaArgs" value="-Dlog4j2.formatMsgNoLookups=true"/>

 

This applies only to GeoAnalytics Plus Connector Version May 2021 and higher.

 

Versions prior to February 2020 uses Log4j v1, which is not vulnerable to this exploit. To prevent any other possible vulnerabilities, we recommend upgrading to a newer version (higher than May 2021) of GeoAnalytics Plus and then applying the mitigation.

Alternatively, you can manually replace the Log4j library files with newer versions:

  1. Download the binaries of the latest release of Log4j2 (2.17.1 as of this  moment):  https://logging.apache.org/log4j/2.x/download.html 
  2. Extract the files 
  3. Go to C:\Program Files\Common Files\Qlik\Custom Data\QvIdevioConnector\lib
  4. For all JAR files starting with "lib4j-"
    1. Copy the corresponding 2.17.1 JAR file to the lib folder
    2. Delete the old version of that JAR

 

For more information on the Log4j vulnerability, please visit the Support Updates Blog post.

 

As a short update we released:

 

  • GeoAnalytics Server - 4.32.5 - (November 2021 SR3) - 2.17.1
  • GeoAnalytics Server - 4.19.2 - 4.27.4 (February 2020 SR2 - May 2021 SR2) - 2.17.1
  • GeoAnalytics Plus - 5.31.3 ( November 2021 SR3) - 2.17.1
  • GeoAnalytics Plus - 5.29.5-5.30.2 (May 2021 SR3 - August 2021 SR2) - 2.17.1
  • GeoAnalytics Plus - 5.27.6-5.28.3 (November 2020 SR2-February 2021 SR2) - 2.17.1
  • GeoAnalytics Plus - 5.26.6 (September 2020 SR3) - 2.17.1

 

  • GeoAnalytics Server - 4.32.4 - (November 2021 SR2) - 2.17.0
  • GeoAnalytics Server - 4.32.3 - (November 2021 SR1) - 2.16.0
  • GeoAnalytics Server - 4.19.1 - 4.27.3(February 2020 SR1 - May 2021 SR1) - 2.16.0

 

  • GeoAnalytics Plus - 5.31.2 ( November 2021 SR2) - 2.17.0
  • GeoAnalytics Plus - 5.31.1 ( November 2021 SR1) - 2.16.0
  • GeoAnalytics Plus - 5.29.4-5.30.1 (May 2021 SR2 - August 2021 SR1) - 2.16.0
  • GeoAnalytics Plus - 5.27.5-5.28.2 (November 2020 SR1-February 2021 SR1) - 2.16.0
  • GeoAnalytics Plus - 5.26.5 (September 2020 SR2) - 2.16.0
  •  
Comments
hermandup_anz
Contributor III
Contributor III

Does either or both of these fixes require outage at any point, i.e. service restarts?

aadil_madarveet
Partner - Creator II
Partner - Creator II

We are running Geo Analytics Server November 2018. 

Does this change apply. Any info on whats supported and whats not?

Thanks,

Aadil

JohannaR
Contributor II
Contributor II

Can we still expect a patch?

KallePersson
Employee
Employee

@hermandup_anz:
The GA Server fix requires a restart of its service in order to apply.
The GA Plus fix similarly requires a restart if it is running. It will keep running in the background for a while after being used so you can open the process explorer and look for a matching Java process and kill that.

@aadil_madarveet:
GA Server Nov 2018 doesn't use Log4j 2 (we switched to ), it is using Log4j 1 so it is not vulnerable to this specific bug.
It is however quite outdated and might have other vulnerabilities in its dependencies so I would really recommend updating anyway.

@JohannaR:
We will focus on getting patches out for the latest versions first, and then go backwards (mainly since the earlier versions will need a bunch of build related changes backported which will require some work).
The first patches should be out by tomorrow at least.

jfkinspari
Partner - Specialist
Partner - Specialist

@KallePersson 

Do you know from which version of GeoAnalytics the switch to Log4j 2 was made?

KallePersson
Employee
Employee

@jfkinspariwe switched to Log4j2 in the February 2020 release of both GeoAnalytics Server and GeoAnalytics Plus.
I see that I forgot to add that to the post above.

janyf
Partner - Contributor III
Partner - Contributor III

Hello 

If there is no 

<add key="javaArgs" value=""/>

line in config file , it need to be added ? If yes to which section ? 

Sebastian_Linser

@janyf which version are you using? it would come in the appsettings section between <appsettings> and </appsettings>

 

KallePersson
Employee
Employee

@janyf:
The option only works on GeoAnalytics Plus from the May 2021 version and onwards. I will ask the support team to update the page.

The recommended solution would be to upgrade to a newer version of GeoAnalytics Plus and then apply the mitigation.
You could also manually replace the Log4j library files with newer versions:

  1. Download the binaries of the latest release of Log4j2 (2.16 as of this  moment):  https://logging.apache.org/log4j/2.x/download.html and extract somewhere
  2. Go to C:\Program Files\Common Files\Qlik\Custom Data\QvIdevioConnector\lib
  3. For all JAR files starting with "lib4j-"
    1. Copy the corresponding 2.16 JAR file to the lib folder
    2. Delete the old version of that JAR
janyf
Partner - Contributor III
Partner - Contributor III

@KallePersson it is slightly confusing 

This is library 

janyf_0-1639483176129.png

but this is version when i run the connector : 

janyf_1-1639483224396.png

so it is possible we are not affected somehow (as there is still old lib) 

brgds 

Version history
Last update:
‎2022-01-27 04:13 AM
Updated by: