topic Re: Exposure to CVE-2022-42889 in Qlik Replicate

Exposure to CVE-2022-42889

vipulmisra — Fri, 28 Oct 2022 21:10:24 GMT

Hi Team,

Could you please confirm the impact of https://nvd.nist.gov/vuln/detail/CVE-2022-42889 on Qlik replicate

We are currently on version May 2021 (2021.5.0.1133)

Regards,

Vipul

Re: Exposure to CVE-2022-42889

Dana_Baldwin — Fri, 28 Oct 2022 21:24:52 GMT

Hi @vipulmisra

The only place in QDI where apache.commons.text is used is in the Replicate Salesforce incremental-load JREP endpoint (salesforce-source-endpoint.jar). Neither Compose nor QEM use this library.

The library version currently used there is 1.9 and it is vulnerable. It should be changed to 1.10 in a future service release.

Still, even though the vulnerable JAR exists, there is no use at all of the vulnerable class StringSubstitutor which is a prerequisite to exploiting the vulnerability. Hence, from Qlik perspective, the risk of this CVE for the QDI products is zero. As usual, Qlik will update this library in a service release.

Customers who are not using that endpoint can delete the salesforce-source-endpoint.jar so it does not come up in later scans.

Thanks,

Dana

Re: Exposure to CVE-2022-42889

adershb — Mon, 31 Oct 2022 16:06:47 GMT

Hello @Dana_Baldwin ,

We are using Replicate version 2021.5.0.1272 and QEM version May 2021 (2021.5.0.543). Could you please check and confirm is this version replicate and QEM affected with this security vulnerability CVE-2022-42889.

The end-points were are using are ;

source - Oracle and DB2 iSeries

target - Oracle.

Thanks,

Adersh

Re: Exposure to CVE-2022-42889

Dana_Baldwin — Mon, 31 Oct 2022 16:23:33 GMT

Hi @adershb

As noted above, the only place in QDI where apache.commons.text is used is in the Replicate Salesforce incremental-load JREP endpoint (salesforce-source-endpoint.jar). Neither Compose nor QEM use this library.

Version 2021.5 uses the vulnerable version and it will be changed to 1.10 in a future service release of 2022.5 or later.

Still, even though the vulnerable JAR exists, there is no use at all of the vulnerable class StringSubstitutor which is a prerequisite to exploiting the vulnerability. Hence, from Qlik perspective, the risk of this CVE for the QDI products is zero. As usual, Qlik will update this library in a service release.

If you are not using Salesforce incremental load endpoint, you can delete the salesforce-source-endpoint.jar so it does not come up in later scans.

Thanks,

Dana

Re: Exposure to CVE-2022-42889

adershb — Mon, 31 Oct 2022 16:35:12 GMT

Hello @Dana_Baldwin

Where is the location of salesforce-source-endpoint.jar file. You mean on Replicate server or on QEM server?

Thanks,

Adersh

Re: Exposure to CVE-2022-42889

Dana_Baldwin — Mon, 31 Oct 2022 16:38:24 GMT

Hi @adershb

It is on the Replicate server, as noted QEM does not use this library. It is here:

Thanks,

Dana

Re: Exposure to CVE-2022-42889

adershb — Mon, 31 Oct 2022 16:42:03 GMT

Hi @Dana_Baldwin ,

I could see file arep-salesforce.jar in below location. Our Replicate server is Linux.
replicate-2021.5.0-1272/endpoint_srv/endpoints/Salesforce $

Thanks,

Adersh

Re: Exposure to CVE-2022-42889

adershb — Mon, 31 Oct 2022 16:58:50 GMT

Hi @Dana_Baldwin ,

Can you please confirm is it the same vulnerable file (mentioned above on Linux) and If so, for removing it, do we need to restart the replicate service on Linux (stop, remove .jar file and start).

Thanks,

Adersh

Re: Exposure to CVE-2022-42889

vipulmisra — Mon, 31 Oct 2022 17:03:20 GMT

Hi @Dana_Baldwin , we also see the same file arep-salesforce.jar in the Attunity/Replicate/endpoint_srv/endpoints/Salesforce folder

No other files.

Could you please confirm if this is the affected file?

Regards,

Vipul

Re: Exposure to CVE-2022-42889

Dana_Baldwin — Mon, 31 Oct 2022 21:34:45 GMT

Hi @vipulmisra @adershb I am checking with my colleagues and will follow up.

Thanks,

Dana

Re: Exposure to CVE-2022-42889

Dana_Baldwin — Tue, 01 Nov 2022 16:31:49 GMT

Hi @adershb

I see you also have a support case open for this - I've updated the case with this question so the support rep handling the case can research it with our internal support team.

Thanks,

Dana

Re: Exposure to CVE-2022-42889

Dana_Baldwin — Tue, 01 Nov 2022 16:32:41 GMT

Hi @vipulmisra

Please open a support case for this question so we can confirm with our internal support team.

Thanks,

Dana

Re: Exposure to CVE-2022-42889

Adam_Herman — Wed, 02 Nov 2022 08:40:40 GMT

Hi @vipulmisra @adershb ,

Please see the attached screenshot showing the location of arep-salesforce.jar , which you can delete to avoid future scans from triggering

The location:
[root@replicate2 Salesforce]# ls -la
total 8100drwxrwxr-x. 2 attunity attunity 33 Aug 10 11:30 .drwxrwxr-x. 5 attunity attunity 50 Aug 10 11:30 ..-rwxrwxr-x. 1 attunity attunity 8290718 May 7 2021 arep-salesforce.jar
[root@replicate2 Salesforce]# pwd
/opt/attunity/replicate/endpoint_srv/endpoints/Salesforce
[root@replicate2 Salesforce]#

Let me know if that answers your question.

Kind Regards,
Adam

@Dana_Baldwin

Re: Exposure to CVE-2022-42889

Dana_Baldwin — Fri, 11 Nov 2022 22:32:21 GMT

Hi All,

Yes, arep-salesforce.jar is the equivalent file on Linux.

Still, even though the vulnerable JAR exists, there is no use at all of the vulnerable class StringSubstitutor which is a prerequisite to exploiting the vulnerability.
Hence, from Qlik perspective, the risk of this CVE for QDI products is zero.

We have checked the arep-salesforce.jar in Replicate version 2021.5 and 2022.5 it doesn't contain StringSubstitutor class.

If you are not using the Salesforce endpoint, and would like to test removal of this file to ensure it does not have an adverse effect, please do so in a pre production environment and save a backup copy of the file.

Thanks,

Dana