
List of Qlik products affected by Log4j Vulnerability

Qlik has a wide range of products, and it seems some of them have been affected by the Log4j vulnerability. For those products, the patches will come either in December or in late January, as per the Qlik security advisory. Nearly 10 of their products have been affected by Log4j and, as of now, customers have been asked to take the mitigation steps mentioned below.

| Product | Version | Status | Patched |
|---|---|---|---|
| Qlik Sense Enterprise, all supported versions | All | Not Vulnerable | Not Needed |
| Qlik Sense Enterprise SaaS | All | Not Vulnerable | Not Needed |
| QlikView, all supported versions | All | Not Vulnerable | Not Needed |
| Nprinting, all supported versions | All | Not Vulnerable | Not Needed |
| Qlik Alerting, all supported versions | All | Not Vulnerable | Not Needed |
| Qlik Web Connectors, all supported versions | All | Not Vulnerable | Not Needed |
| Qlik RepliWeb and ARC, all supported versions | All | Not Vulnerable | Not Needed |
| AIS, including ARC, all supported versions | All | Not Vulnerable | Not Needed |
| Nodegraph | All | Not Vulnerable | Not Needed |
| AutoML | All | Not Vulnerable | Not Needed |
| Qlik Catalog | All | Not Vulnerable | Not Needed |
| Blendr | All | Not Vulnerable | Not Needed |
| Qlik Data Transfer | All | Not Vulnerable | Not Needed |
| Salesforce and SAP Connectors are not affected | All | Not Vulnerable | Not Needed |
| Qlik Forts | All | Not Vulnerable | Not Needed |
| ODBC Connector Package | All | Not Vulnerable | Not Needed |
| REST Connectors | All | Not Vulnerable | Not Needed |
| Qlik Sense Business | All | Not Vulnerable | Not Needed |
| GeoAnalytics | All | Vulnerable | Mitigated |
| GeoAnalytics Plus | All | Vulnerable | Mitigated |
| Compose for Data Lakes | 6.6 | Vulnerable | Mitigated |
| Compose for Data Warehouses | 6.6, 6.6.1, 7.0 | Vulnerable | Mitigated |
| Compose versions | > 2021.2 | Vulnerable | Mitigated |
| Enterprise Manager | See below | Vulnerable | Mitigated |
| Replicate | See below | Vulnerable | Mitigated |
| Qlik Catalog | > May 2021 | Vulnerable | Mitigated |

https://community.qlik.com/t5/Support-Updates-Blog/Vulnerability-Testing-Apache-Log4j-reference-CVE-2021-44228-also/ba-p/1869368

List of Products that are not affected by Log4j Vulnerability

  • Qlik Sense Enterprise, all supported versions
  • Qlik Sense Enterprise SaaS
  • QlikView, all supported versions
  • Nprinting, all supported versions
  • Qlik Alerting, all supported versions
  • Qlik Web Connectors, all supported versions
  • Qlik RepliWeb and ARC, all supported versions
  • AIS, including ARC, all supported versions
  • Nodegraph
  • AutoML
  • Qlik Catalog supported versions before May 2021 are not affected
  • Blendr
  • Qlik Data Transfer
  • Salesforce and SAP Connectors are not affected
  • Qlik Forts
  • ODBC Connector Package
  • REST Connectors
  • Qlik Sense Business

Mitigation steps are only a temporary measure and the patches won’t be ready till late December 2021 or early January 2022 as per the advisory here – https://community.qlik.com/t5/Support-Updates-Blog/Vulnerability-Testing-Apache-Log4j-reference-CVE-2021-44228-also/ba-p/1869368

| Product and Version | Patch Includes | Date Available |
|---|---|---|
| Compose 2021.8, 2021.5 and 2021.2 | Log4J Upgrade to 2.16.0 | Late December |
| C4DW 7.0, 6.6.1 & 6.6 | Log4J Upgrade to 2.16.0 | Early January |
| C4DL 6.6 | Log4J Upgrade to 2.16.0 | Early January |
| Replicate 2021.11, 2021.5 | Log4J Upgrade to 2.16.0 | Late December |
| Replicate 7.0, 6.6 | Log4J Upgrade to 2.16.0 | Early January |
| QEM 2021.11, QEM 2021.5 | Log4J Upgrade to 2.16.0 | Late December |
| QEM 7.0, 6.6 | Log4J Upgrade to 2.16.0 | Early January |
| Catalog 4.12.2, 4.11.2 & 4.10.3 | Log4J Upgrade to 2.16.0 | January |
| GeoAnalytics Server – 4.32.3 | Log4J Upgrade to 2.16.0 | Late December |
| GeoAnalytics Server – 4.27.3 – 4.19.1 | Log4J Upgrade to 2.16.0 | Late December |
| GeoAnalytics Plus – 5.31.1 | Log4J Upgrade to 2.16.0 | Published |
| GeoAnalytics Plus – < 5.30.1-5.29.4 | Log4J Upgrade to 2.16.0 | Late December |