Looking for guidance on Security vulnerability noted:
The version of Apache Log4j on the remote host is 2.x < 2.3.1 / 2.4 < 2.12.3 / 2.13 < 2.15.0. It is, therefore, affected by a remote code execution vulnerability in the JNDI parser due to improper log validation. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands. Log4j 1.x, which reached its End of Life prior to 2016, comes with JMSAppender which will perform a JNDI lookup if enabled in Log4j's configuration file, hence customers should evaluate triggers in 1.x based on the risk that it is EOL and whether JNDI lookups are enabled. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
The following paths are showing in our Security scan results:
Path:/opt/attunity/visibility/product/v7/java/lib/MapR/visibility-client.jar - Note: Installed version:2.3 and Fixed version:2.3.1
Path:/opt/attunity/visibility/product/v7/java/lib/CDH_5.10/visibility-client.jar - Note: Installed version:2.3 and Fixed version:2.3.1
Please advise on guidance.
Regards,
Vikki Turner
Good Day!
FYR.
https://community.qlik.com/t5/Get-Started/FAQ-for-Log4J-Vulnerabilities/ta-p/1893106
Please note that Visibility is a retired product and no longer supported.
Thanks
Lyka
Hi Lyka,
I am currently reviewing your reply. It will take a couple of days to provide a response. Thank you so much for your reply.
Vikki Turner
vikki.turner@pnc.com
Hi Lyka,
I'm not seeing my latest reply. Is there a Log4j 'Log4Shell' v2.15 available patch for Qlik Visibility?
Please advise.
Vikki Turner
I am checking on the Log4j 'Log4Shell' v2.15 with R&D and I'll update you on this early next week.
Thanks,
Nanda
Hello,
Reposting here the same response from your similar post:
This was checked with the R&D team, and they did confirm that it needs a code rebuild and since the product has reached the end of life, we won't be able to build the code and share the new build.
Thanks
Lyka
@Vikki Still working with R&D on this. I'll get back to you as soon as I have something to share with you.
Thanks,
Nanda
@Vikki I discussed this vulnerability issue with R&D. Since the product has reached the end of life we won't be able to build a new visibility-client.jar file for you. However, we believe you can manually add the log4j-2.3.2 files back into a visibility-client jar file using a third-party tool like 7zip to address this issue.
Hope this helps!
Thanks,
Nanda
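Added example, not part of any post in this thread and not Qlik code: a check to run after repacking, reporting which log4j-core version a jar actually embeds and whether it falls in the ranges quoted in the scan finding. It assumes the jar keeps log4j-core's Maven `pom.properties` entry; the helper names and the sample jars are constructed for illustration.

```python
import io
import re
import sys
import zipfile

# Entries log4j-core ships; a repacked fat jar is assumed to keep them.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(text):
    """Return (major, minor, patch) from a pom.properties body, or None."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", text, re.M)
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def in_flagged_range(v):
    """Ranges quoted in the scan finding: 2.x < 2.3.1 / 2.4 < 2.12.3 / 2.13 < 2.15.0."""
    return ((2, 0, 0) <= v < (2, 3, 1)
            or (2, 4, 0) <= v < (2, 12, 3)
            or (2, 13, 0) <= v < (2, 15, 0))

def inspect_jar(jar):
    """jar: path or file-like object. Reports what is actually inside the archive."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        body = zf.read(POM).decode("utf-8", "replace") if POM in names else ""
    version = parse_version(body)
    return {"version": version,
            "jndi_lookup_present": JNDI in names,
            "flagged": in_flagged_range(version) if version else None}

def build_sample_jar(version, with_jndi=True):
    """Constructed in-memory jar for the demo; not a real visibility-client.jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version:
            zf.writestr(POM, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI, b"")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    targets = sys.argv[1:] or [build_sample_jar("2.3"), build_sample_jar("2.3.2")]
    for t in targets:
        print(t if isinstance(t, str) else "<constructed sample>", inspect_jar(t))
```

A `flagged` value of `None` means no version metadata was found in the jar, so the version has to be confirmed another way before the finding is closed.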