Qlik Scalability tools and log4j

The Qlikview  Scalability Tool is itself not vulnerable to log4j exploits. The tool to fully function need to  utilize Apache JMeter (not shipped with the tools itself) to send the scenarios to QlikView. Apache JMeter is affected see more details here https://blogs.apache.org/security/entry/cve-2021-44228

The supported JMeter versions for the tool are 4.0 (recommended) and 5.0.

JMeter 5.4.1 and newer are still not compatible with the Scalability tools.

The Qlik Sense Scalability Tools are not effected they use a diffent set of tools.

Environment

• Qlikview Scalability Tools

Resolution

Upgrade the libraries in the 4.0 and 5.0 version to log4j-2.17.1 to mitigate the risk.

• with version 4.0 installed C:\JMeter\apache-jmeter-4.0 you can run this script replace_log4j_jmeter4.bat
• with version 5.0 installed C:\JMeter\apache-jmeter-5.0 you can run this script replace_log4j_jmeter5.bat

The log4j files to be replaced with version 2.17.1 are:

• log4j-1.2-api-*.jar
• log4j-api-*.jar
• log4j-core-*.jar
• log4j-slf4j-impl-*.jar

Both files are attached in the batchfiles.zip below. If you use any other version or location you just adjust the folder name.