Vikki
Contributor II

Qlik Visibility - CVE-2021-44228: Visibility-Client.jar file vulnerability

Looking for guidance on Security vulnerability noted:

The version of Apache Log4j on the remote host is 2.x < 2.3.1 / 2.4 < 2.12.3 / 2.13 < 2.15.0. It is, therefore, affected by a remote code execution vulnerability in the JNDI parser due to improper log validation. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands. Log4j 1.x, which reached its End of Life prior to 2016, comes with JMSAppender which will perform a JNDI lookup if enabled in Log4j's configuration file, hence customers should evaluate triggers in 1.x based on the risk that it is EOL and whether JNDI lookups are enabled. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The following paths are showing in our Security scan results:
Path: /opt/attunity/visibility/product/v7/java/lib/MapR/visibility-client.jar - Note: Installed version: 2.3, Fixed version: 2.3.1
Path: /opt/attunity/visibility/product/v7/java/lib/CDH_5.10/visibility-client.jar - Note: Installed version: 2.3, Fixed version: 2.3.1

Please advise on guidance.

Regards,

Vikki Turner


Accepted Solutions
Nanda_Ravindra
Support

@Vikki

I am checking on the Log4j 'Log4Shell' v2.15 with R&D and I'll update you on this early next week.

Thanks,

Nanda


Nanda_Ravindra
Support

@Vikki I discussed this vulnerability issue with R&D. Since the product has reached the end of life, we won't be able to build a new visibility-client.jar file for you. However, we believe you can manually add the log4j-2.3.2 files back into a visibility-client jar file using a third-party tool like 7zip to address this issue.

Hope this helps!

Thanks,

Nanda

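As an added example (not code from Qlik or from anyone in this thread): a small Python check that opens a jar, reports which log4j-core version is bundled and whether that version falls inside the affected ranges quoted from the scanner above, so the result of the manual replacement Nanda suggests can be verified on the file itself rather than trusted. It assumes the jar carries the standard log4j-core pom.properties and JndiLookup class paths, and builds a constructed sample jar in place of visibility-client.jar.

```python
import io
import re
import zipfile

# Branch start -> fixed version; the scanner text quoted above lists the affected ranges:
# 2.x < 2.3.1, 2.4 <= x < 2.12.3, 2.13 <= x < 2.15.0.
FIXED_BY_BRANCH = (((2, 0), (2, 3, 1)), ((2, 4), (2, 12, 3)), ((2, 13), (2, 15, 0)))
# Standard locations inside a log4j-core jar; a repackaged fat jar may omit them (assumption).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.3' -> (2, 3); '2.12.3' -> (2, 12, 3)."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def fixed_version_for(version):
    """Fixed version for the 2.x branch `version` falls in, or None if already fixed / not 2.x."""
    fixed = None
    for start, fix in FIXED_BY_BRANCH:
        if version >= start:
            fixed = fix  # highest branch whose start we have reached
    return fixed if fixed is not None and version < fixed else None


def scan_jar(jar_bytes):
    """Read the bundled log4j-core version and JndiLookup presence from a jar (a zip)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1])
        return {
            "version": version,
            "jndi_lookup": JNDI_CLASS in names,
            "fixed": fixed_version_for(version) if version else None,
        }


def build_sample_jar(version, with_jndi=True):
    """Constructed stand-in for visibility-client.jar: metadata only, no real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"placeholder, not a real class file")
    return buf.getvalue()


if __name__ == "__main__":
    for v in ("2.3", "2.3.2"):  # as shipped vs. after the manual replacement
        print(v, scan_jar(build_sample_jar(v, with_jndi=(v == "2.3"))))
```

Run it against the real jar by passing `open(path, "rb").read()` to `scan_jar`; a result with `"fixed": None` and `"jndi_lookup": False` is what you want to see after the replacement.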

8 Replies
lyka
Support

Vikki
Contributor II
Author

Hi Lyka,

I am currently reviewing your reply. It will take a couple of days to provide a response. Thank you so much for your reply.

Vikki Turner

vikki.turner@pnc.com

Vikki
Contributor II
Author

Hi Lyka,

I'm not seeing my latest reply. Is there a Log4j 'Log4Shell' v2.15 available patch for Qlik Visibility?

Please advise.

Vikki Turner

Nanda_Ravindra
Support

@Vikki I am checking on this and I'll get back to you.

Thanks,

Nanda

lyka
Support

Hello,

Reposting here the same response from your similar post:

This was checked with the R&D team, and they did confirm that it needs a code rebuild. Since the product has reached the end of life, we won't be able to build the code and share the new build.

Thanks

Lyka

Nanda_Ravindra
Support

@Vikki Still working with R&D on this. I'll get back to you as soon as I have something to share with you.

Thanks,

Nanda
