Skip to main content
Announcements
UPGRADE ADVISORY for Qlik Replicate 2024.5: Read More
cancel
Showing results for 
Search instead for 
Did you mean: 
Vikki
Contributor II
Contributor II

Qlik Visibility - CVE-2021-44228: Visibility-Client.jar file vulnerability

Looking for guidance on Security vulnerability noted:

The version of Apache Log4j on the remote host is 2.x < 2.3.1 / 2.4 < 2.12.3 / 2.13 < 2.15.0. It is, therefore, affected by a remote code execution vulnerability in the JDNI parser due to improper log validation. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands. Log4j 1.x, which reached its End of Life prior to 2016, comes with JMSAppender which will perform a JNDI lookup if enabled in Log4j's configuration file, hence customers should evaluate triggers in 1.x based on the risk that it is EOL and whether JNDI lookups are enabled. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The following paths are showing in our Security scan results:
Path:/opt/attunity/visibility/product/v7/java/lib/MapR/visibility-client.jar - Note: Installed version:2.3 and Fixed version:2.3.1
Path:/opt/attunity/visibility/product/v7/java/lib/CDH_5.10/visibility-client.jar - Note: Installed version:2.3 and Fixed version:2.3.1

Please advise on guidance.

Regards,

Vikki Turner

Labels (1)
3 Solutions

Accepted Solutions
Nanda_Ravindra
Support
Support

@Vikki

I am checking on the Log4j 'Log4Shell' v2.15  with R&D and I'll update you on this early next week.

 

Thanks,

Nanda

View solution in original post

Nanda_Ravindra
Support
Support

@Vikki I discussed this vulnerability issue with R&D. Since the product has reached the end of life we won't be able to build a new visibility-client.jar file for you. However, we believe you can manually add the log4j-2.3.2  files back into a visibility-client jar file using a third-party tool like 7zip to address this issue.

 

Hope this helps!

Thanks,

Nanda

View solution in original post

8 Replies
lyka
Support
Support

Vikki
Contributor II
Contributor II
Author

Hi Lyka,

I am currently reviewing your reply. It will take a couple of days to provide a response. Thank you so much for your reply.

Vikki Turner

vikki.turner@pnc.com

Vikki
Contributor II
Contributor II
Author

Hi Lyka,

I'm not seeing my latest reply. Is there a Log4j 'Log4Shell' v2.15 available patch for Qlik Visibility?

Please advise.

Vikki Turner

Nanda_Ravindra
Support
Support

@Vikki I am checking on this and I'll get back to you.

 

Thanks,

Nanda

Nanda_Ravindra
Support
Support

@Vikki

I am checking on the Log4j 'Log4Shell' v2.15  with R&D and I'll update you on this early next week.

 

Thanks,

Nanda

lyka
Support
Support

Hello,

 

Reposting here the same response from your similar post:

 

This was checked with the R&D team, and they did confirm that it needs a code rebuild and since the product has reached the end of life, we won't be able to build the code and share the new build.

 

Thanks

Lyka

 

Nanda_Ravindra
Support
Support

@Vikki Still working with R&D on this. I'll get back to you as soon as I have something to share with you.

 

Thanks,

Nanda

Nanda_Ravindra
Support
Support

@Vikki I discussed this vulnerability issue with R&D. Since the product has reached the end of life we won't be able to build a new visibility-client.jar file for you. However, we believe you can manually add the log4j-2.3.2  files back into a visibility-client jar file using a third-party tool like 7zip to address this issue.

 

Hope this helps!

Thanks,

Nanda