Jan 25, 2022 7:47:50 AM
Dec 13, 2021 3:25:57 PM
Qlik originally provided the mitigation steps below as a temporary measure while a patch was being prepared.
Patches are now available. See Vulnerability Testing - Apache Log4j, reference CVE-2021-44228 (also referred to as Log4Shell) for your release and the relevant patch.
Upgrade at the earliest opportunity; the JVM option and jar replacement below are an interim mitigation only, not a substitute for the patch.
@echo off
REM attunity endpoints server configuration/run script
FOR %%A IN ("%~dp0..") DO SET AT_PROD=%%~fA
REM list plugins here
SET AT_PLUGIN_LIST=-plugins rependsrv
REM set data directory based on the name of this script
SET AT_DATA_SUFFIX=
FOR /F "tokens=2 delims=_" %%A IN ("%~n0") DO SET AT_DATA_SUFFIX=%%A
IF "%AT_DATA_SUFFIX%" == "" (
SET AT_DATA=
) ELSE (
SET AT_DATA=-d data_%AT_DATA_SUFFIX%
)
IF EXIST "%AT_PROD%\jvm" (
SET AT_JAVA=%AT_PROD%\jvm\bin\java.exe
) ELSE IF EXIST "%AT_PROD%\..\jvm" (
SET AT_JAVA=%AT_PROD%\..\jvm\bin\java.exe
) ELSE IF "%JAVA_HOME%" == "" (
ECHO ERROR: JAVA Cannot be found
EXIT /b -1
) ELSE (
SET AT_JAVA=%JAVA_HOME%\bin\java.exe
)
SET AT_EXTERNAL=%AT_PROD%\externals
SET AT_LIB=%AT_PROD%\lib
SET AT_MAIN=com.attunity.infrastructure.server.PluginServer
REM <--------------- Fix Here --------------->
"%AT_JAVA%" -XX:+UseG1GC -Dlog4j2.formatMsgNoLookups=true -Dfile.encoding=UTF-8 %AT_JVM_OPT% -cp "%AT_EXTERNAL%"/*;"%AT_LIB%"/* %AT_MAIN% %AT_DATA% %AT_PLUGIN_LIST% %*
$ cd <installation-root>\Replicate\endpoint_srv\externals\
$ move log4j-core-<version#>.jar ..\log4j-core-<version#>.jar-vulnerable
Download log4j-core-nolookup-<version#>.jar from this page and place it in the same location as the vulnerable jar (the externals directory, which the start script puts on the classpath with "%AT_EXTERNAL%"/*; the renamed copy in the parent directory is no longer loaded).
$ sc stop AttunityReplicateServer
$ sc start AttunityReplicateServer
Note that if you have customized the Replicate start scripts, or if you are running multiple instances of Replicate on the same machine, you will have to repeat this process for each environment and make the equivalent edit in your modified start scripts.
#!/bin/bash
# attunity endpoints server configuration/run script
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
AT_PROD="${DIR}/.."
AT_PLUGIN_LIST="rependsrv"
if [ -d "${AT_PROD}/jvm" ]; then
AT_JAVA="${AT_PROD}/jvm/bin/java"
elif [ -d "${AT_PROD}/../jvm" ]; then
AT_JAVA="${AT_PROD}/../jvm/bin/java"
elif [ -z "$JAVA_HOME" ]; then
echo "ERROR: JAVA Cannot be found"
exit -1
else
AT_JAVA="${JAVA_HOME}/bin/java"
fi
AT_EXTERNAL="${AT_PROD}/externals"
AT_LIB="${AT_PROD}/lib"
AT_MAIN="com.attunity.infrastructure.server.PluginServer"
if [ -z "$AT_DATA" ]; then
AT_DATA="${AT_PROD}/data"
fi
AT_CP="${AT_EXTERNAL}/*:${AT_LIB}/*"
# <--------------- Fix Here --------------->
"${AT_JAVA}" -XX:+UseG1GC -Dlog4j2.formatMsgNoLookups=true -Dfile.encoding=UTF-8 ${AT_JVM_OPT} -cp "${AT_CP}" "${AT_MAIN}" -d "${AT_DATA}" -plugins "${AT_PLUGIN_LIST}" "${@:1}"
$ cd <installation-root>/replicate/endpoint_srv/externals
$ mv log4j-core-<version#>.jar ../log4j-core-<version#>.jar-vulnerable
Download log4j-core-nolookup-<version#>.jar from this page and place it in the same location as the vulnerable jar (the externals directory, which the start script puts on the classpath with ${AT_EXTERNAL}/*; the renamed copy in the parent directory is no longer loaded).
# service areplicate restart
Note that if you have customized the Replicate start scripts, or if you are running multiple instances of Replicate on the same machine, you will have to repeat this process for each environment and make the equivalent edit in your modified start scripts.
The client samples are intended for demonstration. If they were used to build an application, make sure the application uses the latest released version of the log4j component (2.15.0 at the time this article was written; see the Apache Log4j security page for the later releases that address CVE-2021-45046) or, alternatively, apply the same mitigation as above by adding the system property to the JVM command line.
For more information on the Log4j vulnerability, please visit the Support Updates Blog post.
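As an added example (not Qlik's code and not part of the article), the following Python script audits a Replicate install tree for the interim mitigation described in both the Windows and Linux procedures above: it lists every log4j-core archive, reads the version from the jar manifest, checks whether JndiLookup.class is still inside and whether the jar is still in a directory the start script puts on the classpath (externals/ or lib/, loaded through the "<dir>/*" wildcard), and checks each start script for the -Dlog4j2.formatMsgNoLookups=true option, including the non-ASCII dash problem reported later in this thread (java does not parse an argument that starts with a Unicode hyphen as an option). Assumptions: the replacement "nolookup" jar is built by removing org/apache/logging/log4j/core/lookup/JndiLookup.class (check this against the jar Qlik ships); the sample install tree, the jar contents, the placeholder version 2.x and the script name are constructed for the demonstration. A clean audit only shows the interim steps were applied; as the article's update says, the patch is still the fix to move to.

```python
"""Audit a Replicate install tree for the interim Log4Shell mitigation (added example, not Qlik's code).
Reports every log4j-core archive (manifest version, JndiLookup presence, classpath status) and checks the
start scripts for -Dlog4j2.formatMsgNoLookups=true, flagging a Unicode dash that java would not parse."""
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CLASSPATH_DIRS = {"externals", "lib"}                      # the "<dir>/*" entries in the scripts
FLAG = "log4j2.formatMsgNoLookups=true"
UNICODE_DASHES = "\u2010\u2011\u2012\u2013\u2014\u2212"     # hyphen/dash look-alikes

def jar_version(zf):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return m.group(1) if m else None

def inspect_jar(path):
    """Version, JndiLookup presence and classpath status of one log4j-core archive."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = jar_version(zf)
    parent = os.path.basename(os.path.dirname(path))
    return {"path": path, "version": version,
            "has_jndi_lookup": JNDI_LOOKUP_CLASS in names,
            # the wildcard only loads files ending in .jar inside externals/ or lib/
            "on_classpath": parent in CLASSPATH_DIRS and path.endswith(".jar")}

def find_log4j_core_jars(root):
    """All log4j-core archives under root, renamed *.jar-vulnerable copies included."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and ".jar" in name:
                yield os.path.join(dirpath, name)

def find_start_scripts(root):
    """Shell/batch scripts that launch the PluginServer, like the ones shown above."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith((".sh", ".bat", ".cmd")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as f:
                    if "PluginServer" in f.read():
                        yield path

def check_start_script(path):
    """(flag_present, unicode_dash): is the option there, and is it spelled with an ASCII hyphen?"""
    with open(path, encoding="utf-8", errors="replace") as f:
        text = f.read()
    flag_present = "-D" + FLAG in text
    unicode_dash = re.search("[%s]D%s" % (UNICODE_DASHES, re.escape(FLAG)), text) is not None
    return flag_present, unicode_dash

def audit(root):
    """Findings as strings; an empty list means the interim steps are all in place."""
    findings = []
    for jar in find_log4j_core_jars(root):
        info = inspect_jar(jar)
        if info["on_classpath"] and info["has_jndi_lookup"]:
            findings.append("%s: log4j-core %s with JndiLookup on the classpath" % (jar, info["version"]))
    for script in find_start_scripts(root):
        flag_present, unicode_dash = check_start_script(script)
        if unicode_dash:
            findings.append("%s: option spelled with a Unicode dash; java will not see -D" % script)
        elif not flag_present:
            findings.append("%s: -D%s missing from the java command line" % (script, FLAG))
    return findings

def build_sample_tree(mitigated, dash="-"):
    """Constructed sample install in a temp dir (placeholder version 2.x, placeholder class bytes)."""
    root = tempfile.mkdtemp()
    ext = os.path.join(root, "endpoint_srv", "externals")
    bindir = os.path.join(root, "endpoint_srv", "bin")
    os.makedirs(ext)
    os.makedirs(bindir)
    manifest = "Manifest-Version: 1.0\nImplementation-Version: 2.x\n"
    vulnerable = os.path.join(ext, "log4j-core-2.x.jar")
    with zipfile.ZipFile(vulnerable, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    if mitigated:   # the article's steps: move the jar out of externals/, add the nolookup build
        os.rename(vulnerable, os.path.join(root, "endpoint_srv", "log4j-core-2.x.jar-vulnerable"))
        with zipfile.ZipFile(os.path.join(ext, "log4j-core-nolookup-2.x.jar"), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", manifest)
    option = dash + "D" + FLAG if mitigated else ""
    with open(os.path.join(bindir, "start_endpoint_srv.sh"), "w", encoding="utf-8") as f:
        f.write('#!/bin/bash\n"$AT_JAVA" -XX:+UseG1GC %s -cp "$AT_CP" '
                'com.attunity.infrastructure.server.PluginServer "$@"\n' % option)
    return root

if __name__ == "__main__":
    for mitigated, dash in ((False, "-"), (True, "-"), (True, "\u2010")):
        print(mitigated, repr(dash), audit(build_sample_tree(mitigated, dash)) or "OK")
```

Run it against a real install with audit("<installation-root>/replicate") (or the Windows path); the on_classpath check models the "<dir>/*" wildcard, which is why the *.jar-vulnerable copy left in the parent directory is reported as present but harmless, while a log4j-core jar that still contains JndiLookup inside externals/ or lib/ is a finding.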
There are new updates on this issue stating
"LOG4J_FORMAT_MSG_NO_LOOKUPS=true as a mitigation for CVE-2021-44228: While this does help, an app *MAY* still be vulnerable, depending on how it uses log4j."
Can Qlik confirm if that's the case with Replicate V7 and if they're planning to release the patch or another temp fix to resolve this completely?
References:
https://twitter.com/wdormann/status/1470804255552557064
“Note that previous mitigations involving configuration such as to set the system property `log4j2.noFormatMsgLookup` to `true` do NOT mitigate this specific vulnerability.”
- from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
Hi,
Is there any further update on the new information, where the proposed action is not mitigating the vulnerability? @Jamie_Gregory
In the meantime another Log4j vulnerability has been discovered: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046.
How is this going to be addressed?
The latest from Apache is that one of the previous mitigation steps (setting the JVM parameter "-Dlog4j2.formatMsgNoLookups=True") is now discredited. https://logging.apache.org/log4j/2.x/security.html.
Please provide an update on how this affects your mitigation steps.
Thanks,
Marcin
Is there an estimate as to when a patch will be released? Our Enterprise IT is asking for an update.
Also, I have been bumbling my way through the support site... where do I find the latest version of Replicate? We're on November 2020 (7.0.0.267), and I would like to get us to a newer version.
Thanks!
John_wang, I can confirm your post about the leading dash character in Linux (specifically CentOS 7). In vim, that is not the hyphen character for sure.
Alex
Hello @bryce_leinan ,
You can access Qlik Download site directly Software Download | Qlik.com,
and here is the final patch delivery plan:
Hope this helps.
Regards,
John.
Thanks @john_wang - unfortunately, the only thing I see is Qlik View... this was supposed to get fixed a year ago on my account, but it never was. I'll put in another ticket.
Hi @john_wang ,
Can you please provide me the whole fix for a Linux machine in the correct format?
Thanks,
Antony S