Qlikview 11.2 Vulnerability discovered for Apache ... - Qlik Community

serber31 · ‎2021-12-20

Dear Sir/Madam,

Currently we are using Qlikview 11.2 (64 bit) desktop version.

We use it to load data from different origin:

- MS Access
- MS SQL Server
- MS Excel

If necessary, Could you please advise how do we mitigate the log4j vulnerability issue?
Appreciate your urgent response for this.
Thank you

Sergio

Maria_Halley · ‎2021-12-21

@serber31

I'm sorry, but we only test on supported versions of any Qlik Product. Testing all versions would not be feasible and we don't do any changes to unsupported versions.

serber31 · ‎2021-12-23

I tried to buy a new license for Qlikview ver.12.x but seems it is no longer available.

It is very strange because Qlikview ver.12.x is still available for download.

I checked with different Italian Qlik partner without results.

Do you have an idea?

Many thanks.
Sergio

marcus_sommer · ‎2021-12-23

Beside your outdated release there is no reason to assume that your QV release is related to the mentioned vulnerability because Qlik stated very early that the desktop from the current QV releases aren't involved because Apache Log4j isn't in use and AFAIK it wasn't before.

In regard to your data-sources you should look by Microsoft for further information. By standalone releases it will be quite unlikely but by cloud-release it might be.

- Marcus

serber31 · ‎2021-12-23

Hi Marcus,
many thanks for the information.
I am not sure that my version is not involved in Log4J vulnerability, beacuse only the product only the version supported has been classified as not affected.
So, as the version 11.2 is not included in the list, who can assure that is not vulnerable?

Thanks
Sergio

marcus_sommer · ‎2021-12-23

I doubt that anybody from Qlik will give an official statement to QV 11.2. Yes, my statement is a deduction from the statements to the current releases, the various release notes since 11.2 (I don't want to claim that I read all very carefully and could now remember everything but usually the major-changes reminds me to having read from it and in regard to Apache Log4j is nothing familiar) and what I have read for which usage Apache Log4j is aimed - which seemed not related to a desktop release.

This means I couldn't give a guarantee but I think it's very unlikely that your release is related to this vulnerability.

- Marcus

Maria_Halley · ‎2022-01-04

@serber31

This is one of the reasons it is important to keep your system up to date. When there are issues we will not test or fix anything in unsupported versions.

To upgrade you don't have to buy a new license. As long as your license is not expired, you are good to go. If your license has expired you should still be able to renew it.

serber31 · ‎2022-01-04

Hy Maria,

many thanks for your replay.
My licence is not expired.
The yearly maintenance support license is expired.
So, how can update QLik from 11.2 to 12.x version?
This operation seems impossible with a maintenance support license expired.
If is available another procedure, please share me it.
VBR
Sergio

Maria_Halley · ‎2022-01-10

@serber31

I am not sure what you mean with "license is not expired, but maintenance support is?"

QlikView 11.20 version is no longer under support, even with a valid license. You will have to upgrade.

Qlikview 11.2 Vulnerability discovered for Apache Log4j