Skip to main content

cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Announcements
Week 5: Getting Answers With AI + A New Era of Data Governance - WATCH NOW

CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik Replicate

No ratings
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Jamie_Gregory
Community Manager

CVE_2021_44228 - Handling the log4j lookups critical vulnerability for Qlik Replicate

Last Update:

Jan 25, 2022 7:47:50 AM

Updated By:

Sonja_Bauernfeind

Created date:

Dec 13, 2021 3:25:57 PM

Attachments
log4j_files_to_address_vulnerabilities.zip

Qlik is providing these mitigation steps as a temporary measure. A patch will be provided and linked here; customers are advised to move to the patch as soon as it is available.

Patches are available. See Vulnerability Testing - Apache Log4j, reference CVE-2021-44228 (also referred to as Log4Shell)  for your release and the relevant patch.

Upgrade at the earliest.

 

Environment:

 

 

Mitigation steps to follow Replicate log4j vulnerability:

 

Mitigation - Endpoint Server - Windows

 

  1. Edit the file <installation-root>\Replicate\endpoint_srv\bin\rependctl.bat 

    (<installation-root> typically refers to C:\Program Files\Attunity)

  2. Add the string -Dlog4j2.formatMsgNoLookups=true in the highlighted location shown below (last line of script):

    @echo off
    REM attunity endpoints server configuration/run script

    FOR %%A IN ("%~dp0..") DO SET AT_PROD=%%~fA

    REM list plugins here
    SET AT_PLUGIN_LIST=-plugins rependsrv

    REM set data directory based on the name of this script
    SET AT_DATA_SUFFIX=
    FOR /F "tokens=2 delims=_" %%A IN ("%~n0") DO SET AT_DATA_SUFFIX=%%A

    IF "%AT_DATA_SUFFIX%" == "" (
        SET AT_DATA=
    ) ELSE (
        SET AT_DATA=-d data_%AT_DATA_SUFFIX%
    )

    IF EXIST "%AT_PROD%\jvm" (
        SET AT_JAVA=%AT_PROD%\jvm\bin\java.exe
    ) ELSE IF EXIST "%AT_PROD%\..\jvm" (
        SET AT_JAVA=%AT_PROD%\..\jvm\bin\java.exe
    ) ELSE IF "%JAVA_HOME%" == "" (
        ECHO ERROR: JAVA Cannot be found
        EXIT /b -1
    ) ELSE (
        SET AT_JAVA=%JAVA_HOME%\bin\java.exe
    )

    SET AT_EXTERNAL=%AT_PROD%\externals
    SET AT_LIB=%AT_PROD%\lib
    SET AT_MAIN=com.attunity.infrastructure.server.PluginServer

    REM                                         <--------------- Fix Here ------------→
    "%AT_JAVA%" -XX:+UseG1GC -Dlog4j2.formatMsgNoLookups=true -Dfile.encoding=UTF-8 %AT_JVM_OPT% -cp "%AT_EXTERNAL%"/*;"%AT_LIB%"/* %AT_MAIN% %AT_DATA% %AT_PLUGIN_LIST% %*
  3. Save the file.
  4. Locate the vulnerable log4j-core-<version#>.jar file and rename/move it to ..\log4j-core-<version#>.jar-vulnerable.
    $ cd <installation-root>\Replicate\endpoint_srv\externals\

$ ren log4j-core-<version#>.jar  ..\log4j-core-<version#>.jar-vulnerable
  5. Download the non-vulnerable jar named log4j-core-nolookup-<version#>.jar  from this page and place it in the same location as the vulnerable jar.
  6. Restart the Replicate Windows service with the command:

     
    $ sc stop AttunityReplicateServer

    $ sc start AttunityReplicateServer

 

Note that if you have customized Replicate start scripts or if you are running multiple instances of Replicate on the same machine, you will have to repeat this process for the different environments and perform the equivalent edit on your modified start scripts.

 

Mitigation - Endpoint Server - Linux

 

  1. Edit the file <installation-root>/replicate/endpoint_srv/bin/rependctl.sh (<installation-root> typically refers to /opt/attunity)
  2. Add the string -Dlog4j2.formatMsgNoLookups=true in the highlighted location shown below (last line of script):

    #!/bin/bash

    # attunity endpoints server configuration/run script

    DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"

    AT_PROD="${DIR}/.."

    AT_PLUGIN_LIST="rependsrv"

    if [ -d "${AT_PROD}/jvm" ]; then
        AT_JAVA="${AT_PROD}/jvm/bin/java"
    elif [ -d "${AT_PROD}/../jvm" ]; then
        AT_JAVA="${AT_PROD}/../jvm/bin/java"
    elif [ -z "$JAVA_HOME" ]; then
        echo "ERROR: JAVA Cannot be found"
        exit -1
    else
        AT_JAVA="${JAVA_HOME}/bin/java"
    fi

    AT_EXTERNAL="${AT_PROD}/externals"
    AT_LIB="${AT_PROD}/lib"
    AT_MAIN="com.attunity.infrastructure.server.PluginServer"

    if [ -z "$AT_DATA" ]; then
        AT_DATA="${AT_PROD}/data"
    fi

    AT_CP="${AT_EXTERNAL}/*:${AT_LIB}/*"

    #                         <----------- Fix Here --------->
    "${AT_JAVA}" -XX:+UseG1GC -Dlog4j2.formatMsgNoLookups=true -Dfile.encoding=UTF-8 ${AT_JVM_OPT} -cp "${AT_CP}" "${AT_MAIN}" -d "${AT_DATA}" -plugins "${AT_PLUGIN_LIST}" "${@:1}"

  3. Save the file.
  4. Locate the vulnerable log4j-core-<version#>.jar file and rename/move it to ..\log4j-core-<version#>.jar-vulnerable.
    $ cd <installation-root>/replicate/endpoint_srv/externals

$ mv log4j-core-<version#>.jar  ../log4j-core-<version#>.jar-vulnerable
  5. Download the non-vulnerable jar named log4j-core-nolookup-<version#>.jar  from this page and place it in the same location as the vulnerable jar.
  6. Restart the Replicate service with the command:

    # service areplicate restart

 

Note that if you have customized Replicate start scripts or if you are running multiple instances of Replicate on the same machine, you will have to repeat this process for the different environments and perform the equivalent edit on your modified start scripts.

 

Mitigation - Client Samples in Java

 

The client samples are intended for demonstration - if they were used to build an application, make sure the application uses the latest version of the log4j component (v2.15) or, alternatively, apply similar mitigation to the ones listed above by adding the system property.

 

For more information on the Log4j vulnerability, please visit the Support Updates Blog post.

22,454 Views
Was this article helpful? Yes No
Comments
dcamacho
Contributor
‎2021-12-13 04:37 PM

Is the Linux fix for this page correct? It looks like the Windows scripting is being used for the Linux version of the script.

Shouldn't "%AT_JAVA%" be "${AT_JAVA}"?

Best!

  Dana

jfife
Contributor
‎2021-12-13 05:01 PM

Yes, the Linux "fix" is incorrect. I just added ‐Dlog4j2.formatMsgNoLookups=true to the line in the existing file.

dcamacho
Contributor
‎2021-12-13 05:05 PM

Okay, that makes more sense to me.

Thank you!

   Dana

 

john_wang
Support
‎2021-12-14 02:21 AM

Hello All,

Please pay special attention that the first character (in red) is incorrect:

#                                                <--------------- Fix Here ------------→
"%AT_JAVA%" -XX:+UseG1GC ‐Dlog4j2.formatMsgNoLookups=true -Dfile.encoding=UTF-8

 

it should be an hyphen. So far the first line is WRONG (it's in Unicode ), The second line is correct (it's ASCII Hyphen):

john_wang_0-1639466253652.png

While you add the parameter, please manually change the first char to hyphen in Linux editor (or DO NOT copy it from page but input the string manually). Otherwise the Endpoint Server cannot be startup anymore with error in "repsrv.log":

 

 

00414190: 2021-12-14T15:05:06 [AT_GLOBAL       ]I:  Attunity Replicate Server Log (V2021.5.0.1082 qlik.localdomain Linux 4.18.0-193.6.3.el8_2.x86_64 #1 SMP Wed Jun 10 11:09:32 UTC 2020 x86_64 64-bit, Revision:495b508a49b7f88b137640419bb7ced42be10909, PID: 414189) started at Tue Dec 14 15:05:06 2021  (at_logger.c:2652)
00414190: 2021-12-14T15:05:06 [AT_GLOBAL       ]I:  Licensed to Qlik, evaluation license (107 days remaining), all sources, all targets, all hosts  (at_logger.c:2655)
00414190: 2021-12-14T15:05:06 [AT_GLOBAL       ]I:  Logging of database data is disabled  (at_logger.c:2665)
00414190: 2021-12-14T15:05:06 [UTILITIES       ]I:  Scheduler configuration has been loaded.  (scheduler.c:386)
00414190: 2021-12-14T15:05:06 [AT_GLOBAL       ]E:  Failed to set Endpoint Server admin password [1024713]  (ar_endpoint_servers_mgr.c:866)
00414190: 2021-12-14T15:05:06 [AT_GLOBAL       ]E:  Failed to prepare the bundled endpoint server [1024713]  (ar_endpoint_servers_mgr.c:437)

 

 

 

Regards,

John.

 

Antony_05
Contributor III
‎2021-12-14 06:44 AM

Hi,

I added this string in one of my qlik replicate server v6.6.0.177 but now when I'm starting the service again its not getting started. 

Can anyone please help me on this.?

Thanks,

Antony S

john_wang
Support
‎2021-12-14 06:53 AM

Hello @Antony_05 ,

Can you check my previous comment to see if it helps?

BTW, please check "repsrv.log" to get further information about the failure.

Regards,

John.

Antony_05
Contributor III
‎2021-12-14 07:06 AM

Hi @john_wang ,

I just used the same string as you previously mentioned in a comment and I saved it in ANSI format, after that I stopped the service using the same comment mentioned. But we I tried starting it again I got an error like the instance is running.

So I tried again after some time and now the start is running but the service is not getting started and when I'm trying to stop it shows the following error.

ERROR: "

[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

"

Please help me on this.? Also please let me know where to find the repsrv.log file

Thanks, 

Antony S

john_wang
Support
‎2021-12-14 07:14 AM

Hello @Antony_05 , 

Well, you are running Replicate on Windows.

Please use the Windows Service Manager to start/stop the services. It's easier for you to know if the Service is running or not.

BTW, the "repsrv.log" default location is <installation-root>\Replicate\data\logs. For example "C:\Program Files\Attunity\Replicate\data\logs".

Regards,

John.

Antony_05
Contributor III
‎2021-12-14 07:17 AM

Hi @john_wang ,

I just restarted the machine and now the service is running fine. 🙂

Thanks,

Antony S

john_wang
Support
‎2021-12-14 07:43 AM

Hi @Antony_05 ,

Glad to hear that. 

Regards,
John.

Version history
Last update:
‎2022-01-25 07:47 AM
Updated by:
Top