Re: About Log4j Vulnerabilities and S4 Hana - Qlik Community

Denial · ‎2023-04-04

Hi ,

As we already added a log4j vulnerability in 2021 version, Is it necessary to upgrade this vulnerability in all coming new versions along with 2022 or is it already existing the Qlik Replicate and QEM versions

Does Qlik Replicate will support s4 hana in 2021.5 , 2021.11, 2022.11 versions

We have refereed release versions as well but didnt found much info.

Could you please elaborate on this.

Thanks,

john_wang · ‎2023-04-04

Hello @Denial ,

Thanks for reaching out.

About 2 years ago Qlik released Replicate and QEM new versions 2021.11 with log4j fix version 2.16.0 , see Qlik’s Response to Apache Log4j Vulnerabilities.

As there are different log4j vulnerabilities and corresponding fixes for log4j, Qlik continuously upgrades log4j versions in newer Replicate versions and QEM versions, in 2022.5 & 2022.11 the shipped log4j versions are 2.17.1. The latest build of a major version is highly recommended. You may download the new versions from Qlik download page.

BTW, the next major version, 2023.5 is coming next Month.

Hope this helps.

Regards,

John.

Help users find answers! Do not forget to mark a solution that worked for you! If already marked, give it a thumbs up!

Denial · ‎2023-04-04

Hi John,

Thanks for your explanation ,and can you explain same on s4 hana ?

Thanks,

Steve_Nguyen · ‎2023-04-04

@Denial

you can file all the endpoint support from user guide :

https://help.qlik.com/en-US/replicate/November2022/Content/Replicate/Main/Support%20Matrix/supported...

Help users find answers! Don't forget to mark a solution that worked for you! If already marked, give it a thumbs up!

Denial · ‎2023-04-05

Hi Steve ,

Got it Thank you !!

Thanks,

bosch91 · ‎2023-04-05

Almost every article I see on how to do this always gives instructions on how to do it for Linux systems. The only thing I found was changing the environment variable, but then I heard that that wasn't sufficient enough depending on the version of Log4j on the system and stuff.

So how do I actually go about detecting if log4j exists on my systems, what version they are, and how to patch them, all on Windows?

https://omegle.onl/ vshare

john_wang · ‎2023-04-07

Hello @bosch91 ,

On Windows, the jar files default location is "C:\Program Files\Attunity\Replicate\endpoint_srv\externals", there are some files eg: log4j-api-2.17.1.jar , log4j-core-2.17.1.jar (if Replicate version is 2022.11). These jar files are used for Endpoint Server which serves some special endpoints eg MongoDB, Salesforce, and SAP etc.

You may replace the log4j jar files with higher versions, then restart Replicate services (take note to move the old versions jar files out of the folder rather than simply renaming them as all files under this folder will be loaded does not matter the suffix name). However, it's better if you can open a support ticket to confirm with support team if there are any compatibility issues of different log4j versions.

If you have not such endpoints in your projects then the Endpoint server can be disabled and these files can be removed from the installation.

Regards,

John.

Help users find answers! Do not forget to mark a solution that worked for you! If already marked, give it a thumbs up!

About Log4j Vulnerabilities and S4 Hana

General Question