topic Java 11.0.14 vulnerable on Qlik Replicate Version 2022.11.0.208 in Qlik Replicate

Java 11.0.14 vulnerable on Qlik Replicate Version 2022.11.0.208

danielrf — Mon, 04 Sep 2023 09:39:20 GMT

Hi,

Our security team run a security scan over this replicate server with version 2022.11.0.208 and found the fact this java version is vulnerable by some CVE issues.

I´ve found this question related to this issue,

https://community.qlik.com/t5/Official-Support-Articles/Question-regarding-Qlik-Replicate-and-a-Java-SE-Vulnerability/ta-p/2035633

and the official answer is just upgrade java within the same server and no qlik replicate upgrade is needed. But in our server we only have the replicate java running, no other java is installed on this server.

That means just replace the binaries under folder /opt/attunity/replicate/jvm/ ?

Thanks.

How to do that in a stable way?

Re: Java 11.0.14 vulnerable on Qlik Replicate Version 2022.11.0.208

john_wang — Tue, 05 Sep 2023 04:13:44 GMT

Hello @danielrf ,

Welcome to Qlik Community forum and thanks for reaching out here!

In general the steps should be:

1. Stop Replicate tasks manually

2. Stop Replicate Services

3. Rename the folder /opt/attunity/replicate/jvm/ (for example to "jvm.11.0.14")

4. Paste higher version (eg 11.0.17) "jvm" folder the same location (for example /opt/attunity/replicate/jvm/)

5. Startup Services and check if all works as expected

6. RESUME tasks

I'd like to suggest getting the version 11.0.17 jvm folder by a fresh installation on a standalone machine, for example download Replicate May 2023 SR1. Please conduct careful acceptance test on lower environment prior to implement on PROD system.

Feel free to let us know if you need any additional assistance.

Regards,

John.

Re: Java 11.0.14 vulnerable on Qlik Replicate Version 2022.11.0.208

danielrf — Thu, 07 Sep 2023 15:10:01 GMT

Hi John,

Thanks for your fast response!

Our security team adviced to install jvm 11.0.20 or greater but the qlik replicate version may 2023 comes with the 11.0.17 . still vulnerable...

So I think you need to open an issue to upgrade the jvm to a secure java version (upper or equal to 11.0.20)

$ /opt/attunity/replicate/jvm/bin/java --version
openjdk 11.0.17 2022-10-18
IBM Semeru Runtime Open Edition 11.0.17.0 (build 11.0.17+8)
Eclipse OpenJ9 VM 11.0.17.0 (build openj9-0.35.0, JRE 11 Linux amd64-64-Bit Compressed References 20221031_559 (JIT enabled, AOT enabled)
OpenJ9 - e04a7f6c1
OMR - 85a21674f
JCL - a94c231303 based on jdk-11.0.17+8)

Re: Java 11.0.14 vulnerable on Qlik Replicate Version 2022.11.0.208

john_wang — Sat, 09 Sep 2023 06:38:40 GMT

Hello @danielrf ,

Thanks for your feedback.

Qlik Replicate 2023.5 (GA - SP03) contains JVM 11.0.17. This is the latest official certified JVM version up to today. The higher versions JVM (includes 11.0.19, 11.0.20.1) works for me with Replicate 2022.11 on Linux and Replicate 2023.5 on Windows. however these are our support team internal smoking tests only, this is not Qlik R&D official QA Tests. We'd like to suggest:

1- Implement certified JVM version 11.0.17 at PROD system at present; or

2- Open Feature Request and ask for higher versions certification; however it takes time, and Qlik may not could release JVM certificated versions frequently. or,

3- Replace JVM folder with latest build , v11.0.20.1 and conduct careful acceptance test at lower env, implement it at PROD system after all the items pass test successfully at UAT/TEST env.

The JVM used in our tests:

[root@CentOS85 bin]# ./java -version
openjdk version "11.0.20.1" 2023-08-24
IBM Semeru Runtime Open Edition 11.0.20.1 (build 11.0.20.1+1)
Eclipse OpenJ9 VM 11.0.20.1 (build openj9-0.40.0, JRE 11 Linux amd64-64-Bit Compressed References 20230824_836 (JIT enabled, AOT enabled)
OpenJ9 - d12d10c9e
OMR - e80bff83b
JCL - 0880e8df04 based on jdk-11.0.20.1+1)

Regards,

John.

Re: Java 11.0.14 vulnerable on Qlik Replicate Version 2022.11.0.208

danielrf — Tue, 10 Oct 2023 09:42:00 GMT

Hi John,

Thanks for your suggestions, we will follow your advice.

How can I open a feature request for that? I can not find the way to do that.

Thanks again.

Re: Java 11.0.14 vulnerable on Qlik Replicate Version 2022.11.0.208

SushilKumar — Tue, 10 Oct 2023 09:56:41 GMT

Hello Team,

To get started please see our article: "Getting Started with Ideas": https://community.qlik.com/t5/Ideation/ct-p/qlik-product-insight

You will be required to have a Qlik ID to log on to the Community which is not the same as your support portal login. If you have previously registered for a Qlik ID such as the one you use to access the downloads site, you can use the same to log on for the Community. The first-time accessing Community with a Qlik idea will prompt for a username alias to be used when posting to the Community. This alias is not a logon but for display purposes when posting. You can register at the login screen if you do not have a Qlik ID. The Ideas blog post will provide information on how to use the Ideas board and how to access it.

Thank you,

Sushil Kumar

Re: Java 11.0.14 vulnerable on Qlik Replicate Version 2022.11.0.208

danielrf — Tue, 10 Oct 2023 10:14:57 GMT

I am afraid that link doesnt work

Re: Java 11.0.14 vulnerable on Qlik Replicate Version 2022.11.0.208

danielrf — Tue, 10 Oct 2023 10:15:39 GMT

{"errors":[{"title":"State verification failed","detail":"State not valid, missing request forgery protection","code":"STATE-1","status":"401"}],"traceId":"0000000000000000f5f265c1aec5a3b8"}

Re: Java 11.0.14 vulnerable on Qlik Replicate Version 2022.11.0.208

SushilKumar — Tue, 10 Oct 2023 12:05:20 GMT

Hello Team,

Not Sure why it's not working for you. Could you please check once you logged in the community. as we normally share link post verification.

Check this link as well.

About Ideation | Qlik Community

Regards,

Sushil Kumar

Re: Java 11.0.14 vulnerable on Qlik Replicate Version 2022.11.0.208

danielrf — Wed, 11 Oct 2023 14:54:54 GMT

hi,

I think this page is an iframe embeded, and the security policy of my browser , handled by admins, is not allow iframes.