The log4j-1.2.17.jar has reached End of Life in 2015 and is no longer supported. So, the users should really upgrade to Log4j 2.X to obtain security fixes. Please refer to the below link regarding the end of life and the latest versions.
https://logging.apache.org/log4j/2.x/security.html
Please note that Visibility is a retired product and is no longer supported: Retirement of legacy Attunity products on January 31, 2022
Environment
Qlik Visibility 7.x
If you are still using the application, you can run the below steps to address the CVE-2021-44228 for Visibility.war file. Please carry this step on the lower environment before applying this to PROD.
Below steps should be followed on the Application server where the Qlik Visibility is installed.
-
Stop tomcat
- Rename the current $TOMCAT_HOME/ webapps/visibility/WEB-INF/lib/ log4j-1.2.17.jar to vulnerable_ log4j-1.2.17.jar
-
Download the following files from Maven website
log4j-api-2.17.2.jar
log4j-core-2.17.2.jar
log4j-1.2-api-2.17.2.jar
Here is the link to download:
https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.17.2/log4j-core-2.17.2.jar
https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.17.2/log4j-api-2.17.2.jar
https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-1.2-api/2.17.2/log4j-1.2-api-2.17.2.ja...
-
Place the files you downloaded in step#3 under the current $TOMCAT_HOME/webapps/visibility/WEB-INF/lib folder.
- Restart Tomcat
