Qlik Community

Support Updates Blog

Katie_Davis, Digital Support

Latest update as of 1/20/2022 3:15 PM EST. Updates will be made as new information becomes available.

Qlik customers, we have reviewed a third Log4j vulnerability, CVE-2021-45105, and determined that the relevant products (Replicate, Compose, QEM and GeoAnalytics) do not use the logging feature and context string defined in the CVE. Qlik considers the denial-of-service risk to be low and will address this in future patch releases.

For Catalog, Qlik has published service releases for the May, August, and November 2021 versions with Log4j upgraded to 2.17.0 on the download pages linked below.

------------

Qlik customers, we have learned on Friday 12/15/21 that a second Log4j vulnerability, CVE-2021-45046, has also been assessed as critical and that our mitigation steps for Replicate, Compose, and QEM do not fully protect against this new vector.

We have published updated mitigation steps for these products. The steps are linked below.

------------

Original post:

Qlik is aware of the recently published security vulnerability in Apache Log4j, reference CVE-2021-44228 (also referred to as Log4Shell). As soon as the vulnerability was published, Qlik immediately began a security investigation to determine if and how Qlik’s products and services are impacted. 

Here's what we know right now:

  • The following products are not affected:
    • Qlik Sense Enterprise, all supported versions
    • Qlik Sense Enterprise SaaS
    • QlikView, all supported versions
    • Nprinting, all supported versions
    • Qlik Alerting, all supported versions
    • Qlik Web Connectors, all supported versions
    • Qlik RepliWeb and ARC, all supported versions
    • AIS, including ARC, all supported versions
    • Nodegraph
    • AutoML
    • Qlik Catalog supported versions before May 2021 are not affected
    • Blendr
    • Qlik Data Transfer
    • Salesforce and SAP Connectors are not affected
    • Qlik Forts
    • ODBC Connector Package
    • REST Connectors
    • Qlik Sense Business
  • The following products are under review:
    • Attunity Visibility


The following products are affected. Qlik is providing these mitigation steps as a temporary measure. Patches will be provided and linked here; customers are advised to install the patches as soon as they are available. 

| Product and Version | Mitigation Steps | Patch Includes | Date Available |
|---|---|---|---|
| Compose 2021.8 | steps to mitigate are available | Log4J Upgrade to 2.16.0 | Published |
| Compose 2021.5 | steps to mitigate are available | Log4J Upgrade to 2.16.0 | Published |
| Compose 2021.2 | steps to mitigate are available | Log4J Upgrade to 2.16.0 | Published |
| C4DW 7.0 | steps to mitigate are available | Log4J Upgrade to 2.16.0 | Published |
| C4DW 6.6.1 | steps to mitigate are available | Log4J Upgrade to 2.16.0 | Published |
| C4DW 6.6 | steps to mitigate are available | Log4J Upgrade to 2.16.0 | Published |
| C4DL 6.6 | steps to mitigate are available | Log4J Upgrade to 2.16.0 | Published |
| Replicate 2021.11 | steps to mitigate are available | Log4J Upgrade to 2.16.0 | Published |
| Replicate 2021.5 | steps to mitigate are available | Log4J Upgrade to 2.16.0 | Published |
| Replicate 7.0 | steps to mitigate are available | Log4J Upgrade to 2.16.0 | Published |
| Replicate 6.6 | steps to mitigate are available | Log4J Upgrade to 2.16.0 | Published |
| QEM 2021.11 | steps to mitigate are available | Log4J Upgrade to 2.16.0 | Published |
| QEM 2021.5 | steps to mitigate are available | Log4J Upgrade to 2.16.0 | Published |
| QEM 7.0 | steps to mitigate are available | Log4J Upgrade to 2.16.0 | Published |
| QEM 6.6 | steps to mitigate are available | Log4J Upgrade to 2.16.0 | Published |
| Catalog 4.12.0, 4.12.1 | steps to mitigate are available | Log4J Upgrade to 2.17.0 | Published |
| Catalog 4.11.0, 4.11.1 | steps to mitigate are available | Log4J Upgrade to 2.17.0 | Published |
| Catalog 4.10.0, 4.10.1, 4.10.2 | steps to mitigate are available | Log4J Upgrade to 2.17.0 | Published |
| GeoAnalytics Server - 4.32.3 and 4.23.4 | steps to mitigate are available | November 2021 Patch 1: Log4J Upgrade to 2.16.0; November 2021 Patch 2: Log4j Upgrade to 2.17.0 | Published |
| GeoAnalytics Server - 4.27.3 - 4.19.1 | steps to mitigate are available | Log4J Upgrade to 2.16.0 | Published |
| GeoAnalytics Plus - 5.31.1 and 5.31.2 | steps to mitigate are available | Log4J Upgrade to 2.16.0 | Published |
| GeoAnalytics Plus - 5.30.1-5.29.4 | steps to mitigate are available | Log4J Upgrade to 2.16.0 | Published |
| GeoAnalytics Plus - 5.28.2-5.27.5 | steps to mitigate are available | Log4J Upgrade to 2.16.0 | Published |
| GeoAnalytics Plus - 5.26.5 | steps to mitigate are available | Log4J Upgrade to 2.16.0 | Published |


Downloads can be accessed by visiting Software Download | Qlik.com, then selecting the product and then the latest release.

Please keep in mind that Qlik's on-premises (client-managed) data integration products are intended to be accessed only from an internal network; any potential impact of CVE-2021-44228 should therefore be mitigated by your internal network and access controls.
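The patch table above lists the Log4j version each service release ships, so the practical check after patching is to confirm that no older log4j-core JAR is still present on the host, including copies bundled inside WAR or EAR files, which is where inventory scripts that only look at top-level files miss them. The script below is an added example and is not Qlik's code or part of the original post; it reads the Maven pom.properties that log4j-core JARs carry, notes whether the JndiLookup class is still present, and maps the version to the three CVEs named in this post using the fix versions for the Java 8+ 2.x line (2.15.0, 2.16.0 and 2.17.0 respectively). The sample JAR and WAR it scans are constructed in memory so that it runs offline; the class bytes inside them are placeholders, not a real class file.

```python
"""Inventory log4j-core JARs (including JARs nested in WAR/EAR files) and
report which of the three CVEs from the advisory each one still leaves open.
Added example for this post; not Qlik's tooling."""
import io
import re
import zipfile
from pathlib import Path

# Minimum log4j-core release on the Java 8+ 2.x line that closes each CVE.
FIXED_IN = {
    "CVE-2021-44228": (2, 15, 0),
    "CVE-2021-45046": (2, 16, 0),
    "CVE-2021-45105": (2, 17, 0),
}
# Standard Maven metadata path inside a log4j-core JAR.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Class whose presence means JNDI lookups are still compiled into the JAR.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); None when no x.y.z version is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None


def open_cves(version):
    """CVEs still unpatched for a given log4j-core version tuple."""
    return [cve for cve, fixed in FIXED_IN.items() if version < fixed]


def scan_archive(data, path):
    """Return findings for one archive and, recursively, any archives inside it."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container; nothing to inspect
    names = set(zf.namelist())
    if POM_PROPS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.MULTILINE)
        version = parse_version(m.group(1)) if m else None
        findings.append({
            "path": path,
            "version": version,
            "jndi_lookup_present": JNDI_CLASS in names,
            # An unreadable version is treated as fully unpatched.
            "open_cves": open_cves(version) if version else list(FIXED_IN),
        })
    # Recurse into nested archives (e.g. WEB-INF/lib/*.jar inside a WAR).
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            findings.extend(scan_archive(zf.read(name), f"{path}!{name}"))
    return findings


def scan_tree(root):
    """Walk a directory and scan every archive found under it."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(scan_archive(p.read_bytes(), str(p)))
    return findings


# --- constructed sample archives so the demonstration runs offline ---
def build_sample_jar(version, include_jndi=True):
    """Build a minimal in-memory JAR that looks like log4j-core <version>."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               "artifactId=log4j-core\n"
                               f"version={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not a real class
    return buf.getvalue()


def build_sample_war(inner_jar):
    """Wrap a JAR inside a WAR the way an application server deployment would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core.jar", inner_jar)
    return buf.getvalue()


if __name__ == "__main__":
    war = build_sample_war(build_sample_jar("2.14.1"))
    for finding in scan_archive(war, "app.war"):
        print(finding)
    # On a real host: for f in scan_tree("/opt/qlik"): print(f)
```

Run `scan_tree` against the product's installation directory after applying a service release; any finding whose `open_cves` list is non-empty, or whose `jndi_lookup_present` is true on a version below 2.16.0, is a JAR the patch did not replace and needs follow-up. The version-to-CVE mapping here covers only the Java 8+ 2.x line; the 2.12.x and 2.3.x back-port releases have their own fix versions and would need separate entries.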

For information on supported versions, please visit the Product Support Lifecycle.


Please subscribe to our Support Updates blog for continued updates. 

Thank you for choosing Qlik, 

Qlik Global Support


Change Log:

  • Post Created Dec. 11, 2021
  • Dec. 11, 2021 1:30pm EST: Updated article to specify which products were confirmed as not affected or still under evaluation
  • Dec. 12, 2021 2:00pm EST: Updated to state that QCS was not affected; added additional products as under evaluation
  • Dec. 13, 2021 12:15pm EST: Updated to specify which versions applied to not affected products; added changelog.
  • Dec. 13, 2021 3:15pm EST: Updated to specify which versions are affected with steps to mitigate and which products we are still evaluating.
  • Dec. 13, 2021 5:10pm EST: Added GeoAnalytics Plus mitigation, and expanded "not affected" section to further products. 5:55pm EST: added AIS to not affected list.
  • Dec. 14, 2021 2:10pm EST: Added Qlik Catalog, Blendr, and Qlik Data Transfer to reviewed list. Added mitigation steps for Qlik Catalog.
  • Dec. 14, 2021 2:45pm EST: Added JDBC, Salesforce and SAP Connectors to the not affected list.
  • Dec. 15, 2021 3:05pm EST: Added Patch schedule, and the following items to NOT affected: Qlik Forts, ODBC Connector, REST connectors, and Qlik Sense Business.
  • Dec. 16, 2021 1:15pm EST: Updated Catalog version details in Patch schedule.
  • Dec. 17, 2021 3:25pm EST: Mitigation steps for Compose, Replicate, and QEM were updated.
  • Dec. 20, 2021 9:00am EST: Updated link to Catalog patches.
  • Dec. 20, 2021 1:15pm EST: Updated top post for status of CVE-2021-45105 and language around Catalog to be 'Hotfix' with full version patches in early Jan. 2022 in published.
  • Dec. 21, 2021 3:45pm EST: Updated Catalog to be 'Service Releases' with full version 2.17 published to downloads page.
  • Dec. 22, 2021 8:30am EST: Compose 2021.8 released on Qlik Download pages.
  • Dec. 28, 2021 10:40am EST: Compose 2021.2 -- SR1, Replicate 2021.5 -- SR5, and QEM 2021.5 -- SR5 released on Qlik Download pages and marked as published. 12:00pm EST: combined mitigation links with Patch release schedule chart.
  • Dec. 30, 2021 11:00am EST: Patch Release published for C4DW 7.0 - 2021 -- SR4.
  • January 6, 2021 9:30am EST: Updated expected time for GeoAnalytics patches to "Early January".
  • January 11, 2022 7:00am EST: Updated to reflect all GeoAnalytics patches as published.
  • January 14, 2022 2:00pm EST: Marked the following patches as published: C4DW 6.6.0 -- SR06, C4DW 6.6.1 -- SR03, C4DL 6.6.0 -- SR09, Replicate 6.6.0 -- SR06, Replicate 7.0.0 -- SR05, QEM 6.6.0 -- SR03, QEM 7.0.0 -- SR05.
  • January 20, 2022 3:15pm EST: Clarified that there are two patches for GeoAnalytics November 2021. Patch 2 updates log4j to 2.17.0.
