Qlik has a wide range of products, and some of them are affected by the Log4j vulnerability. For those products, patches will come either in December or in late January, as per the Qlik security advisory. Nearly 10 of their products have been affected by Log4j and, as of now, customers have been asked to take the mitigation steps mentioned below.

Product | Version | Status | Patched |
---|---|---|---|
Qlik Sense Enterprise, all supported versions | All | Not Vulnerable | Not Needed |
Qlik Sense Enterprise SaaS | All | Not Vulnerable | Not Needed |
QlikView, all supported versions | All | Not Vulnerable | Not Needed |
Nprinting, all supported versions | All | Not Vulnerable | Not Needed |
Qlik Alerting, all supported versions | All | Not Vulnerable | Not Needed |
Qlik Web Connectors, all supported versions | All | Not Vulnerable | Not Needed |
Qlik RepliWeb and ARC, all supported versions | All | Not Vulnerable | Not Needed |
AIS, including ARC, all supported versions | All | Not Vulnerable | Not Needed |
Nodegraph | All | Not Vulnerable | Not Needed |
AutoML | All | Not Vulnerable | Not Needed |
Qlik Catalog | All | Not Vulnerable | Not Needed |
Blendr | All | Not Vulnerable | Not Needed |
Qlik Data Transfer | All | Not Vulnerable | Not Needed |
Salesforce and SAP Connectors | All | Not Vulnerable | Not Needed |
Qlik Forts | All | Not Vulnerable | Not Needed |
ODBC Connector Package | All | Not Vulnerable | Not Needed |
REST Connectors | All | Not Vulnerable | Not Needed |
Qlik Sense Business | All | Not Vulnerable | Not Needed |
GeoAnalytics | All | Vulnerable | Mitigated |
GeoAnalytics Plus | All | Vulnerable | Mitigated |
Compose for Data Lakes | 6.6 | Vulnerable | Mitigated |
Compose for Data Warehouses | 6.6, 6.6.1, 7.0 | Vulnerable | Mitigated |
Compose versions | > 2021.2 | Vulnerable | Mitigated |
Enterprise Manager | See below | Vulnerable | Mitigated |
Replicate | See below | Vulnerable | Mitigated |
Qlik Catalog | > May 2021 | Vulnerable | Mitigated |

List of products that are not affected by the Log4j vulnerability:
- Qlik Sense Enterprise, all supported versions
- Qlik Sense Enterprise SaaS
- QlikView, all supported versions
- Nprinting, all supported versions
- Qlik Alerting, all supported versions
- Qlik Web Connectors, all supported versions
- Qlik RepliWeb and ARC, all supported versions
- AIS, including ARC, all supported versions
- Nodegraph
- AutoML
- Qlik Catalog supported versions before May 2021 are not affected
- Blendr
- Qlik Data Transfer
- Salesforce and SAP Connectors are not affected
- Qlik Forts
- ODBC Connector Package
- REST Connectors
- Qlik Sense Business

Mitigation steps are only a temporary measure. As per the advisory, the patches won't be ready until late December 2021 or early January 2022: https://community.qlik.com/t5/Support-Updates-Blog/Vulnerability-Testing-Apache-Log4j-reference-CVE-2021-44228-also/ba-p/1869368

Product and Version | Patch Includes | Date Available |
---|---|---|
Compose 2021.8, 2021.5 and 2021.2 | Log4J Upgrade to 2.16.0 | Late December |
C4DW 7.0, 6.6.1 & 6.6 | Log4J Upgrade to 2.16.0 | Early January |
C4DL 6.6 | Log4J Upgrade to 2.16.0 | Early January |
Replicate 2021.11, 2021.5 | Log4J Upgrade to 2.16.0 | Late December |
Replicate 7.0, 6.6 | Log4J Upgrade to 2.16.0 | Early January |
QEM 2021.11, QEM 2021.5 | Log4J Upgrade to 2.16.0 | Late December |
QEM 7.0, 6.6 | Log4J Upgrade to 2.16.0 | Early January |
Catalog 4.12.2, 4.11.2 & 4.10.3 | Log4J Upgrade to 2.16.0 | January |
GeoAnalytics Server – 4.32.3 | Log4J Upgrade to 2.16.0 | Late December |
GeoAnalytics Server – 4.27.3 – 4.19.1 | Log4J Upgrade to 2.16.0 | Late December |
GeoAnalytics Plus – 5.31.1 | Log4J Upgrade to 2.16.0 | Published |
GeoAnalytics Plus – < 5.30.1-5.29.4 | Log4J Upgrade to 2.16.0 | Late December |