PICTConversionTeamDevs
Contributor II

Apache Log4j Vulnerability

We have found the two vulnerabilities below for the file Attunity\Replicate\java\java_file_factory.jar:
CVE-2019-17571
CVE-2022-23305

Back in 2021, we fixed the Apache Log4j vulnerability by upgrading it to the higher version with the following documents, but somehow the file Attunity\Replicate\java\java_file_factory.jar still references the old log4j:

PS D:\Attunity\Replicate\endpoint_srv\externals> ls log4j*


Directory: D:\Attunity\Replicate\endpoint_srv\externals


Mode           LastWriteTime        Length  Name
----           -------------        ------  ----
-a----    6/3/2020  11:09 AM        264060  log4j-api-2.11.1.jar
-a----    6/3/2020  11:09 AM       1607947  log4j-core-2.11.1.jar-vulnerable
-a----  12/17/2021   4:03 PM       1589223  log4j-core-nolookup-2.11.1.jar


We know Qlik does not support Replicate 6.6 and can't provide any fix. Does anyone know of a fix or workaround to update the log4j version in the file Attunity\Replicate\java\java_file_factory.jar?

We are planning to upgrade Qlik Replicate, but that will take some time.

6 Replies
Dana_Baldwin
Support

Hi @PICTConversionTeamDevs 

As you have mentioned, upgrading from version 6.6 is the best course of action to alleviate this vulnerability, but we do understand that an upgrade should be well planned and tested, especially when moving from an unsupported version as you will need to apply more than one upgrade.

Please refer to this knowledge article on how to update log4j without upgrading Replicate. Please test this thoroughly in a pre-production environment before attempting in production: CVE-2021-45105/CVE-2021-44832 - Update to log4j 2.... - Qlik Community - 1876190

As you plan your upgrade, you may find this information helpful:

Upgrade guide/best practices: Qlik Replicate Upgrade Best Practices - Qlik Community - 1729651

As noted in this link, please ensure your operating system, source/target endpoint versions are supported, and any needed updates to driver software are considered.

Please refer to the release notes for the version you will upgrade to regarding which versions need to be installed to get to your desired end version.

I hope this helps!

Dana

PICTConversionTeamDevs
Contributor II
Author

Thanks for the details. We followed similar documents around 2021 to upgrade log4j from 1.2.17 to a 2.* version.

Directory: D:\Attunity\Replicate\endpoint_srv\externals


Mode           LastWriteTime        Length  Name
----           -------------        ------  ----
-a----    6/3/2020  11:09 AM        264060  log4j-api-2.11.1.jar
-a----    6/3/2020  11:09 AM       1607947  log4j-core-2.11.1.jar-vulnerable
-a----  12/17/2021   4:03 PM       1589223  log4j-core-nolookup-2.11.1.jar


But somehow this file "Attunity\Replicate\java\java_file_factory.jar" is still referencing log4j 1.2.17.

Do you think upgrading log4j from 2.11.1 to 2.17.1, as mentioned in this document, will also update the log4j version in the file Attunity\Replicate\java\java_file_factory.jar?

Dana_Baldwin
Support

Hi @PICTConversionTeamDevs 

It doesn't seem like it would, but we should check on this issue with our internal support team / R&D. We don't have a way to elevate issues from our forum to them; could you please open a support case for this?

Thanks,

Dana

john_wang
Support

Hello @PICTConversionTeamDevs ,

Besides @Dana_Baldwin's comments, it looks to me that the two vulnerabilities do not apply to Qlik Replicate, as Qlik Replicate does not use the SocketServer class or Apache Chainsaw. Let's get confirmation from CF/R&D.

Thanks,

John.

Help users find answers! Do not forget to mark a solution that worked for you! If already marked, give it a thumbs up!
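Two questions in this thread can be answered from the jar itself rather than from a scanner report: whether java_file_factory.jar actually bundles log4j 1.x classes or merely names a log4j-1.2.17 jar in its manifest Class-Path (the original question), and whether the components John names (the SocketServer class and Apache Chainsaw) are present in it at all. The script below is an added example and is not Qlik's code; the sample jars it scans are constructed in memory, and the watched class paths are assumptions derived from the component names in the thread, so run scan_jar() against the real file to get a real answer.

```python
"""Inspect a jar for log4j 1.x exposure: bundled 1.x classes, the classes
named in this thread, and manifest Class-Path references to a log4j-1.x jar.
Added example code, not part of Qlik Replicate."""
import io
import re
import zipfile

LOG4J1_PREFIX = "org/apache/log4j/"          # log4j 1.x package root
LOG4J2_PREFIX = "org/apache/logging/log4j/"  # log4j 2.x package root
# Assumed class paths for the components named in the thread.
WATCH_PREFIXES = (
    "org/apache/log4j/net/SocketServer.class",  # SocketServer (CVE-2019-17571 per thread)
    "org/apache/log4j/chainsaw/",               # Apache Chainsaw classes
)
# Matches a log4j 1.x jar name such as log4j-1.2.17.jar on the Class-Path.
LOG4J1_JAR_RE = re.compile(r"log4j-1\.\d+(\.\d+)?\.jar", re.IGNORECASE)


def read_manifest_classpath(zf):
    """Return the Class-Path entries of META-INF/MANIFEST.MF, or [] if absent.
    Manifest lines wrap at 72 bytes; a continuation line starts with one space."""
    try:
        raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return []
    joined = raw.replace("\r\n", "\n").replace("\n ", "")
    for line in joined.split("\n"):
        if line.lower().startswith("class-path:"):
            return line.split(":", 1)[1].split()
    return []


def scan_jar(path_or_bytes):
    """Scan a jar given as a path or as raw bytes and return a findings dict."""
    src = io.BytesIO(path_or_bytes) if isinstance(path_or_bytes, (bytes, bytearray)) else path_or_bytes
    with zipfile.ZipFile(src) as zf:
        names = zf.namelist()
        classpath = read_manifest_classpath(zf)
    return {
        "bundles_log4j1": any(n.startswith(LOG4J1_PREFIX) for n in names),
        "bundles_log4j2": any(n.startswith(LOG4J2_PREFIX) for n in names),
        "watched_classes": sorted(n for n in names if n.startswith(WATCH_PREFIXES)),
        "log4j1_classpath_refs": [c for c in classpath if LOG4J1_JAR_RE.search(c)],
    }


def verdict(report):
    """Summarise a scan_jar() report: 'clean', 'references-log4j1' (manifest
    only; fixed by editing the Class-Path or swapping the referenced jar) or
    'bundles-log4j1' (1.x classes inside the jar; needs a rebuilt jar)."""
    if report["bundles_log4j1"]:
        return "bundles-log4j1"
    if report["log4j1_classpath_refs"]:
        return "references-log4j1"
    return "clean"


def build_sample_jar(classpath_entry, extra_entries=()):
    """Constructed toy jar in memory; entries carry class-file magic only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nClass-Path: " + classpath_entry + "\r\n\r\n")
        for name in extra_entries:
            zf.writestr(name, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    for jar_path in sys.argv[1:]:  # e.g. python scan.py D:\Attunity\Replicate\java\java_file_factory.jar
        rep = scan_jar(jar_path)
        print(jar_path, verdict(rep), rep)
```

The distinction verdict() draws matters for the fix: a manifest Class-Path reference is resolved relative to the jar's directory at runtime, so replacing the log4j jars in externals does nothing for a jar whose manifest names log4j-1.2.17.jar unless that entry is changed too, whereas 1.x classes bundled inside the jar survive any change to the externals directory.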
PICTConversionTeamDevs
Contributor II
Author

Thanks John,

Those two vulnerabilities are for Log4J 1.2.17, referenced in the Qlik path \Attunity\Replicate\java\java_file_factory.jar.

We may need to either update the version in that jar file or remove the reference.

I already have a Qlik case open regarding this issue.

00306526: Apache Log4j Vulnerability

john_wang
Support

Thank you @PICTConversionTeamDevs , our support will work on it.

Regards,

John.
