Skip to main content
Announcements
Join us at Qlik Connect for 3 magical days of learning, networking,and inspiration! REGISTER TODAY and save!
Katie_Davis
Digital Support
Digital Support

Latest update as of Feb. 15, 2022. All current threats have been addressed. 

Further updates will be made as new information becomes available. 

Qlik has been diligently reviewing and testing our product suite since we’ve become aware of the Apache Log4j vulnerability mid-December.  We want to ensure Qlik users that your security is our upmost priority. We have addressed multiple vulnerabilities through a series of product patches for supported affected versions and we recommend you update to the most recent releases available, shown in the chart below.

Log4j versions before v2.16 presented the highest threat and all exposed Qlik products have provided patches with at least v2.16 and will all be updated to v2.17.1 or later under the regular release schedule as we are not vulnerable to the CVEs related to 2.17.0

We’d like to direct you to our FAQ document to review should you have any further questions, and we encourage you to comment with any additional questions.

The following products are not affected:

    • Qlik Sense Enterprise, all supported versions
    • Qlik Sense Enterprise SaaS
    • QlikView, all supported versions
    • Nprinting, all supported versions
    • Qlik Alerting, all supported versions
    • Qlik Web Connectors, all supported versions
    • Qlik RepliWeb and ARC, all supported versions
    • AIS, including ARC, all supported version
    • Nodegraph
    • AutoML
    • Qlik Catalog supported versions before May 2021 are not affected
    • Blendr
    • Qlik Data Transfer
    • Salesforce and SAP Connectors are not affected
    • Qlik Forts
    • ODBC Connector Package
    • REST Connectors
    • Qlik Sense Business

 

The following products are under review:

    • Attunity Visibility

The following products are affected. Qlik has provided patches linked here; customers are advised to install the patches at their earliest convenience.  

Downloads can be accessed by visiting our new Downloads page  on Qlik Community when signed in with your Qlik ID , then selecting the product then the latest release.

Affected Product Version

CVE-2021-44228

CVE-2021-45046

CVE-2021-45105

CVE-2021-44832

Recommended Action

Log4J Version included in patch

Compose 2021.8

Vulnerable, solved by patch

Vulnerable, solved by patch

 

Not vulnerable

 

Not vulnerable

Install 2021.8 SR01

Up to 2.16.0

Compose 2021.5

Vulnerable, solved by patch

 

Vulnerable, solved by patch

 

Not vulnerable

 

Not vulnerable

 

Install 2021.5 SR01

Up to 2.16.0

Compose 2021.2

Vulnerable, solved by patch

 

Vulnerable, solved by patch

 

Not vulnerable

 

Not vulnerable

 

Install 2021.2 SR01

Up to 2.16.0

C4DW 7.0

Vulnerable, solved by patch

 

Vulnerable, solved by patch

 

Not vulnerable

 

Not vulnerable

 

Install 7.0 2021 SR04

Up to 2.16.0

C4DW 6.6.1

Vulnerable, solved by patch

 

Vulnerable, solved by patch

 

Not vulnerable

 

Not vulnerable

 

Install 6.6.1 SR03

Up to 2.16.0

C4DW 6.6

Vulnerable, solved by patch

 

Vulnerable, solved by patch

 

Not vulnerable

 

Not vulnerable

 

Install 6.6.0 SR06

Up to 2.16.0

 

C4DL 6.6

Vulnerable, solved by patch

 

Vulnerable, solved by patch

 

Not vulnerable

 

Not vulnerable

 

Install 6.6.0 SR09

Up to 2.16.0

 

Replicate 2021.11

Vulnerable, solved by patch

 

Vulnerable, solved by patch

 

Not vulnerable

 

Not vulnerable

 

Install version published 22 Dec 2021

Up to 2.16.0

 

Replicate 2021.5

Vulnerable, solved by patch

 

Vulnerable, solved by patch

 

Not vulnerable

 

Not vulnerable

 

Install 2021.5 SR 05

Up to 2.16.0

 

Replicate 7.0

Vulnerable, solved by patch

 

Vulnerable, solved by patch

 

Not vulnerable

 

Not vulnerable

 

Install 7.0.0 SR05 

Up to 2.16.0

 

Replicate 6.6

Vulnerable, solved by patch

 

Vulnerable, solved by patch

 

Not vulnerable

 

Not vulnerable

 

Install 6.6.0 SR06

Up to 2.16.0

 

QEM 2021.11

Vulnerable, solved by patch

 

Vulnerable, solved by patch

 

Not vulnerable

 

Not vulnerable

 

Install version published 22 Dec 2021

Up to 2.16.0

 

QEM 2021.5

Vulnerable, solved by patch

 

Vulnerable, solved by patch

 

Not vulnerable

 

Not vulnerable

 

Install 2021.5 SR05

Up to 2.16.0

 

QEM 7.0

Vulnerable, solved by patch

 

Vulnerable, solved by patch

 

Not vulnerable

 

Not vulnerable

 

Install 7.0.0 SR05

Up to 2.16.0

 

QEM 6.6

Vulnerable, solved by patch

 

Vulnerable, solved by patch

 

Not vulnerable

 

Not vulnerable

 

Install 6.6.0 SR03

Up to 2.16.0

 

Catalog 4.12.0, 4.12.1

Vulnerable, solved by patch

 

Vulnerable, solved by patch

 

Vulnerable, solved by patch

 

Not Vulnerable, JDBC Appender not configured

Install 4.12.2

Up to 2.17.0

 

Catalog 4.11.0, 4.11.1

Vulnerable, solved by patch

 

Vulnerable, solved by patch

 

Vulnerable, solved by patch

 

Not Vulnerable, JDBC Appender not configured

Install 4.11.2

Up to 2.17.0

 

Catalog 4.10.0, 4.10.1, 4.10.2

Vulnerable, solved by patch

 

Vulnerable, solved by patch

 

Vulnerable, solved by patch

 

Not Vulnerable, JDBC Appender not configured

Install 4.10.3

Up to 2.17.0

 

GeoAnalytics Server - 4.32.3 and 4.23.4

Vulnerable, solved by patch Vulnerable, solved by patch Vulnerable, solved by patch Vulnerable, solved by patch

Install 4.32.5

Up to 2.17.1

GeoAnalytics Server - 4.27.3 - 4.19.1

Vulnerable, solved by patch Vulnerable, solved by patch Vulnerable, solved by patch Vulnerable, solved by patch

Install 4.27.4 – 4.19.2

Up to 2.17.1

GeoAnalytics Plus - 5.31.1 and 5.31.2

Vulnerable, solved by patch

Vulnerable, solved by patch

Vulnerable, solved by patch

Vulnerable, solved by patch

Install 5.31.3

Up to 2.17.1

GeoAnalytics Plus - 5.30.1-5.29.4

Vulnerable, solved by patch

Vulnerable, solved by patch

Vulnerable, solved by patch

Vulnerable, solved by patch

Install 5.30.2 – 5.29.5

Up to 2.17.1

GeoAnalytics Plus - 5.28.2-5.27.5

Vulnerable, solved by patch

Vulnerable, solved by patch

Vulnerable, solved by patch

Vulnerable, solved by patch

Install 5.28.3 – 5.27.6

Up to 2.17.1

GeoAnalytics Plus - 5.26.5

Vulnerable, solved by patch

Vulnerable, solved by patch

Vulnerable, solved by patch

Vulnerable, solved by patch

Install 5.26.6

Up to 2.17.1

 

Please keep in mind that Qlik's on-premise (or client-managed) data integration products are intended to only be accessed on an internal network; therefore any potential impacts of CVE-2021-44228 should be mitigated by your internal network and access controls.

For information on supported versions, please visit the Product Support Lifecycle

 

Please subscribe to our Support Updates blog for continued updates. 

Thank you for choosing Qlik, 

Qlik Global Support

 

 

Change Log:

  • Post Created Dec. 11, 2021
  • Dec. 11, 2021 1:30pm EST: Updated article to specify which products were confirmed as not affected or still under evaluation
  • Dec. 12, 2021 2:00pm EST: Updated to state that QCS was not affected; added additional products as under evaluation
  • Dec. 13, 2021 12:15pm EST: Updated to specify which versions applied to not affected products; added changelog.

  • Dec. 13, 2021 3:15pm EST: Updated to specify which versions are affected with steps to mitigate and which products we are still evaluating.

  • Dec. 13, 2021 5:10pm EST: Added GeoAnalytics Plus mitigation, and expanded "not affected" section to further products. 5:55pm EST added AIS to not affected list.
  • Dec. 14, 2021 2:10pm EST: Added Qlik Catalog, Blendr, and Qlik Data Transfer to reviewed list. Added mitigation steps for Qlik Catalog.

  • Dec. 14, 2021 2:45pm EST: Added JDBC, Salesforce and SAP Connectors to the not affected list.
  • Dec. 15, 2021 3:05pm EST: Added Patch schedule, and the following items to NOT affected: Qlik Forts, ODBC Connector, REST connectors, and Qlik Sense Business. 
  • Dec. 16, 2021 1:15pm EST: Updated Catalog version details in Patch schedule. 

  • Dec. 17, 2021: 3:25pm EST: Mitigation steps for Compose, Replicate, and QEM were updated
  • Dec. 20, 2021 9:00am EST: Updated link to Catalog patches.
  • Dec. 20, 2021 1:15pm EST: Updated top post for status of CVE-2021-45105 and language around Catalog to be 'Hotfix' with full version patches in early Jan. 2022 in published.

  • Dec. 21, 2021 3:45pm EST: Updated Catalog to be 'Service Releases' with full version 2.17 published to downloads page. 

  • Dec. 22, 2021 8:30am EST: Compose 2021.8 released on Qlik Download pages
  • Dec. 28, 2021 10:40am EST: Compose 2021.2 -- SR1, Replicate 2021.5 -- SR5, and QEM 2021.5 -- SR5 released on Qlik Download pages and marked as published. 12:00pm combined mitigation links with Patch release schedule chart.
  • Dec. 30, 2021 11:00am EST: Patch Release published for C4DW 7.0 - 2021 -- SR4
  • January 6, 2021 9:30am EST: Updated expected time for GeoAnalytics patches to "Early January".
  • January 11, 2022 7:00am EST: Updated to reflect all GeoAnalytics patches as published.
  • January 14, 2022 2:00pm EST: Marked the following patches as published: C4DW 6.6.0 -- SR06,C4DW 6.6.1 -- SR03, C4DL 6.6.0 -- SR09, Replicate 6.6.0 -- SR06, Replicate 7.0.0 -- SR05, QEM 6.6.0 -- SR03, QEM 7.0.0 -- SR05
  • January 20, 2022 3:15pm EST: Clarified that there are two patches for GeoAnalytics November 2021. Patch 2 updates log4j to 2.17.0
  • February 15, 2022 4:00pm EST: Updated chart to breakout vulnerabilities per product, reflect the latest patch versions to upgrade to, changed post title, and clarified intro statement.

217 Comments
john_wang
Support
Support

Hi @Gaurav2 ,

Thank you so much for your update.

Please remember to restart the services after removing the jar files (because they are loaded into memory already).

Feel free to let us know if you need any additional information. We are glad to help.

Regards,

John.

1,021 Views
ayandeepdas
Contributor
Contributor

Hi Team,

I saw the patch release for replicate version 7 and QEM version 7 is pending early January. May I know when you are planning to release it as it is almost mid of Jan. Also there is a requirement of using version 2.16 onwards however in some cases it is used as 2.11. A bit of confusion arises here

Thanks

Ayandeep

909 Views
john_wang
Support
Support

Hello @ayandeepdas ,

Thanks for you following up.

I saw the patch release for replicate version 7 and QEM version 7 is pending early January. May I know when you are planning to release it as it is almost mid of Jan. 

We are at the last step of the Replicate/QEM 7.0/6.6, it should be published in 2 days, at the least next Monday.

 


Also there is a requirement of using version 2.16 onwards however in some cases it is used as 2.11. A bit of confusion arises here

Most of log4j patches for QDI Products (Replicate, QEM, Compose etc) contains log4j version 2.16.0 (up to today). Certainly log4j 2.11 was used in Replicate 7.0/6.6 previous releases( before the patch). If you found some patch contains 2.11, please let me know.

BTW, the log4j can be update to log4j 2.17.1 manually, after the log4j patch applied.

Let me know if you need any additional assistance.

Regards,

John.

 

1,504 Views
Kunal9889
Contributor II
Contributor II

Hello When can we get the patch for Replicate 7.0.0.514, its getting delayed. --- Kindly ignore I just read the above comment of the release on monday.

1,369 Views
john_wang
Support
Support

Hello @Kunal9889 ,

Sorry for the delay. In previous comment the latest status is:

We are at the last step of the Replicate/QEM 7.0/6.6, it should be published in 2 days, at the least next Monday.

I will keep you post on the progress.

Let me know if you need any additional information. 

Regards,

John.

1,298 Views
john_wang
Support
Support

Hello @Kunal9889 , @ayandeepdas , @kalpesh97 , @krishnakoppolu , @JuBe , @IDLTeam , @Antony_05 , @rmarri and All,

As the scheduler, the following patches are published today: C4DW 6.6.0 -- SR06,C4DW 6.6.1 -- SR03, C4DL 6.6.0 -- SR09, Replicate 6.6.0 -- SR06, Replicate 7.0.0 -- SR05, QEM 6.6.0 -- SR03, QEM 7.0.0 -- SR05.

The newly released patches list:

Product and Version

Mitigation Steps

Patch Includes

Date Available

C4DW 7.0

steps to mitigate are available

Log4J Upgrade to 2.16.0

Published 

C4DW 6.6.1

steps to mitigate are available

Log4J Upgrade to 2.16.0

Published 

C4DW 6.6

steps to mitigate are available

Log4J Upgrade to 2.16.0

Published 

C4DL 6.6

steps to mitigate are available 

Log4J Upgrade to 2.16.0

Published 

Replicate 7.0

steps to mitigate are available

Log4J Upgrade to 2.16.0

Published 

Replicate 6.6

 steps to mitigate are available

Log4J Upgrade to 2.16.0

Published 

QEM 7.0

steps to mitigate are available

Log4J Upgrade to 2.16.0

Published 

QEM 6.6

steps to mitigate are available

Log4J Upgrade to 2.16.0

Published 

Feel free to let us know if you need any additional information.

Regards,

John.

1,204 Views
AlexGolz
Contributor III
Contributor III

Is it already known when GA patch with log4j 2.17.1 will be released?

1,039 Views
john_wang
Support
Support

Hello @AlexGolz ,

Regarding your question:


Is it already known when GA patch with log4j 2.17.1 will be released?

Please allow me some time, I'm going to confirm for you. Will keep you posted.

Regards,

John.

965 Views
john_wang
Support
Support

Hello @Limitix ,

Reg:

Is it already known when GA patch with log4j 2.17.1 will be released?

1- Log4j 2.17.1 (or a later version) will be included in QDI regular schedule release (unless the world finds a new vulnerability that does affect our customers and require immediate response)

2- It's possible to Update to log4j 2.17.1  manually.

Let us know if you need any additional information.

Regards,

John.

1,276 Views
ayandeepdas
Contributor
Contributor

Hi Team,

 

For QEM once we put the patches for version 7 do we need to change anything for Python API connector. I did not see any updates in release notes.

Thanks,

Ayandeep

1,224 Views