Qlik believes Qlik Data Catalog is vulnerable to CVE-2022-22965 ("Spring4Shell") and CVE-2022-22950. Releases prior to February 2022 SR2 can be mitigated by downgrading the Java runtime that Tomcat runs on to JDK 8: the known exploit path for CVE-2022-22965 requires JDK 9 or later, so running on JDK 8 removes that prerequisite. Treat the downgrade as a workaround rather than a patch, and confirm after the restart that Tomcat itself (not just the shell's default java) is using JDK 8.
- First, confirm that Java 11 is actually in use by checking the JAVA_HOME that Tomcat's setenv.sh exports (adjust the Tomcat path if your installation differs):
$ grep JAVA_HOME /usr/local/qdc/apache-tomcat-9.0.56/bin/setenv.sh
export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64
- For CentOS and Red Hat (RHEL), which use the "yum" package manager, install JDK 8:
$ sudo yum install -y java-1.8.0-openjdk-devel
Verify the install (the directory must exist):
$ ls -la /etc/alternatives/java_sdk_1.8.0/
Update /usr/local/qdc/apache-tomcat-9.0.56/bin/setenv.sh and change the JAVA_HOME line to:
export JAVA_HOME=/etc/alternatives/java_sdk_1.8.0
- For Ubuntu, which uses the "apt" package manager, install JDK 8:
$ sudo apt-get install openjdk-8-jdk
Verify the install (the directory must exist):
$ ls -la /usr/lib/jvm/java-8-openjdk-amd64/
Update /usr/local/qdc/apache-tomcat-9.0.56/bin/setenv.sh and change the JAVA_HOME line to:
export JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64
- Restart Tomcat and confirm from the VersionLoggerListener lines in /usr/local/qdc/apache-tomcat-9.0.56/logs/catalina.out that it actually started on JDK 8 (a JVM Version beginning with 1.8):
01-Apr-2022 18:47:31.800 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home: /usr/lib/jvm/java-8-openjdk-amd64/jre
01-Apr-2022 18:47:31.800 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version: 1.8.0_312-8u312-b07-0ubuntu1~20.04-b07
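The whole procedure above as one script, added here as an example and not part of Qlik's article or product: it reads the JAVA_HOME currently exported by setenv.sh, picks the JDK 8 package and path for CentOS/RHEL or Ubuntu, rewrites setenv.sh (keeping a backup), restarts Tomcat, and then parses the VersionLoggerListener lines in catalina.out to report which JVM Tomcat really booted with. The Tomcat directory, package names, JDK paths and log lines are the article's; the TOMCAT_HOME override, the demo/apply modes and the sample files are assumptions of this example. With no argument it rehearses on constructed files; `apply` performs the real change and needs root.

```shell
#!/usr/bin/env bash
# Added example (not Qlik's tooling): switch a Qlik Data Catalog Tomcat from
# JDK 11 to JDK 8 and verify from catalina.out which JVM actually booted.
# Assumptions: the Tomcat path from the article (override via TOMCAT_HOME) and
# a CentOS/RHEL (yum) or Ubuntu (apt) host, the two cases the article covers.
set -eu

TOMCAT_HOME="${TOMCAT_HOME:-/usr/local/qdc/apache-tomcat-9.0.56}"

# Last JAVA_HOME exported by a setenv.sh (the "is Java 11 really in use" check).
current_java_home() {
    sed -n 's/^export JAVA_HOME=//p' "$1" | tail -n 1
}

# Map an /etc/os-release ID to "<install command>|<JDK 8 JAVA_HOME>".
# Distributions the article does not cover are rejected rather than guessed.
jdk8_for_os() {
    case "$1" in
        centos|rhel) printf '%s|%s\n' 'yum install -y java-1.8.0-openjdk-devel' \
                                      '/etc/alternatives/java_sdk_1.8.0' ;;
        ubuntu)      printf '%s|%s\n' 'apt-get install -y openjdk-8-jdk' \
                                      '/usr/lib/jvm/java-8-openjdk-amd64' ;;
        *)           return 1 ;;
    esac
}

# Point setenv.sh at a new JAVA_HOME, keeping the original as setenv.sh.bak.
set_java_home() {
    file="$1"; new="$2"
    cp "$file" "$file.bak"
    if grep -q '^export JAVA_HOME=' "$file.bak"; then
        sed "s|^export JAVA_HOME=.*|export JAVA_HOME=$new|" "$file.bak" > "$file"
    else
        printf 'export JAVA_HOME=%s\n' "$new" >> "$file"
    fi
}

# JVM major version from the last "JVM Version:" line Tomcat logged at startup
# ("8", "11", ... or "unknown"). This is the JVM Tomcat really booted with,
# which can differ from whatever `java -version` in your shell reports.
jvm_major_from_log() {
    ver=$(sed -n 's/.*VersionLoggerListener.log JVM Version: *//p' "$1" | tail -n 1)
    case "$ver" in
        1.*) echo "${ver#1.}" | cut -d. -f1 ;;   # 1.8.0_312-... -> 8
        "")  echo unknown ;;
        *)   echo "${ver%%.*}" ;;                # 11.0.14+9-... -> 11
    esac
}

# The article's steps on a real host. Needs root: sudo ./jdk8_mitigation.sh apply
apply_mitigation() {
    setenv="$TOMCAT_HOME/bin/setenv.sh"
    os_id=$(. /etc/os-release && printf '%s' "$ID" | tr '[:upper:]' '[:lower:]')
    echo "setenv.sh currently exports JAVA_HOME=$(current_java_home "$setenv")"
    spec=$(jdk8_for_os "$os_id") || { echo "unsupported distribution: $os_id" >&2; return 1; }
    install_cmd=${spec%%|*}; jdk8_home=${spec#*|}
    sh -c "$install_cmd"
    "$jdk8_home/bin/java" -version 2>&1 | head -n 1      # expect openjdk version "1.8.0_..."
    set_java_home "$setenv" "$jdk8_home"
    "$TOMCAT_HOME/bin/shutdown.sh" || true                # tolerate "Tomcat not running"
    "$TOMCAT_HOME/bin/startup.sh"
    sleep 15                                              # let VersionLoggerListener write its lines
    echo "Tomcat booted JVM major version: $(jvm_major_from_log "$TOMCAT_HOME/logs/catalina.out")"
}

# Offline rehearsal on constructed files (no root, nothing installed): a setenv.sh
# still pointing at JDK 11 and a catalina.out holding the article's JDK 8 lines.
demo() {
    work=$(mktemp -d)
    printf 'export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64\n' > "$work/setenv.sh"
    cat > "$work/catalina.out" <<'EOF'
01-Apr-2022 18:47:31.800 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home: /usr/lib/jvm/java-8-openjdk-amd64/jre
01-Apr-2022 18:47:31.800 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version: 1.8.0_312-8u312-b07-0ubuntu1~20.04-b07
EOF
    echo "before: JAVA_HOME=$(current_java_home "$work/setenv.sh")"
    spec=$(jdk8_for_os ubuntu)
    set_java_home "$work/setenv.sh" "${spec#*|}"
    echo "after:  JAVA_HOME=$(current_java_home "$work/setenv.sh")"
    echo "catalina.out reports JVM major version $(jvm_major_from_log "$work/catalina.out")"
    rm -rf "$work"
}

case "${1:-demo}" in
    apply) apply_mitigation ;;
    *)     demo ;;
esac
```

Reading the JVM version from catalina.out rather than from `java -version` matters because setenv.sh, the alternatives system and the user's shell PATH can all disagree; only the VersionLoggerListener line tells you what Tomcat itself loaded. Keep the setenv.sh.bak that the script leaves behind so the change can be reverted once a fixed Data Catalog release is installed.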
References:
https://developers.redhat.com/blog/2018/12/10/install-java-rhel8#switching_java_versions
https://docs.datastax.com/en/jdk-install/doc/jdk-install/installOpenJdkDeb.html