During our company's auditing, we have been alerted to several vulnerabilities in the embedded Java VM for Replicate v2024.11.0.177

https://nvd.nist.gov/vuln/detail/CVE-2024-21235

https://nvd.nist.gov/vuln/detail/CVE-2024-21208

https://nvd.nist.gov/vuln/detail/CVE-2024-21217

https://nvd.nist.gov/vuln/detail/CVE-2024-21211

https://nvd.nist.gov/vuln/detail/CVE-2024-21210

Is there a newer version of Replicate that addresses these? If not, what is the recommended path to fix these vulnerabilities?

Resolution

To resolve the Issue, upgrade OpenJDK to version 17.0.13 or later or upgrade Replicate to version 2025.5. 

Upgrade only Java while keeping your current Replicate version 24.11

1. Upgrade to a minor version (e.g., 17.0.X), not a major version, to maintain compatibility. 
2.  Important Instructions: Test the Java upgrade in a Replicate test environment first.
3. Create a backup before proceeding with the Java upgrade.

You should upgrade to a Java version that addresses the CVE (JAVA version 17.0.14+7), but not a major version. Alternatively, download any other relevant JRE binaries. 

Manual steps to update the JRE for Replicater

1. Download JRE binaries to Replicate host.
   you can download JRE binaries from: https://github.com/adoptium/temurin17-binaries/releases/tag/jdk-17.0.12%2B7 
   Example: ( OpenJDK17U-jre_x64_windows_hotspot_17.0.13_11.zip)
2. Stop Replicate services.
3. Backup <product dir>\jvm directory.
   For instance:  C:\Program Files\Attunity\Replicate\jvm
4. Remove <product dir>\jvm directory.
5. Extract the JRE binaries you have downloaded to <product dir>\jvm directory and make sure <product dir>\jvm\bin\java.exe exist (usually there is a parent directory with a naming convention 'jdk-<jre version>-jre' when extracting the JRE binaries, make sure to copy all it's subdirectories and files to <product dir>\jvm)
   For instance, if you download the directory  OpenJDK 17U-jre_x64_windows_hotspot_17.0.13_11, it has a sub-directory  jdk-17.0.13+11-jre.
6. Copy from the backed up jvm directory the following files: 
   <jvm backup>\conf\security\java.security  
   <jvm backup>\conf\security\java.security.default 
   <jvm backup>\conf\security\java.security.FIPS 
   To Replicate's jvm directory: 
   <product dir>\jvm\conf\security\java.security 
   <product dir>\jvm\conf\security\java.security.default 
   <product dir>\jvm\conf\security\java.security.FIPS
7. Start Replicate services.

The steps are similar for Replicate on Windows or Unix.

Cause

Defects: CVE-2024-21235;CVE-2024-21208;CVE-2024-21217;CVE-2024-21211;CVE-2024-21210

Environment

Qlik Replicate 

When a task is processing CDC data, the internal replicate engine uses "Linux iconv" API to convert the incoming delta records. If the conversion fails, following warning and error is displayed in the logs:

2025-07-09T06:44:56:68127[SERVER W: Conversion error 84,CodepageFrom=943, CodepageTo=65001, insize=16, output='', outSize=99(str.c:509)

2025-07-09T06:44:56:70391[SOURCE_CAPTURE]E: Error converting column 'column name' in table 'table name' to UTF8 using codepage 943 [1020112](db2luw_endpoint_capture.c:1321)

2025-07-09T06:44:56:70414[ASSERTION]W:The problematic column value: 

7f7a040a921a: 834F838A815B8358834183628376FCFC | .O...[.X.A.b.v..

7f7a040a922a: 8140814081408140814081408140| .@.@.@.@.@.@.@

(db2luw_endpoint_capture.c:1323)

Resolution

1. Convert the data to hexadecimal and identify the characters that cannot be converted and remove those.
2. Reload the table

Cause

The change data converted to hexadecimal contained character value "FCFC", which could not be converted to Unicode.

To validate whether the issue is caused by the data itself, we can also use third-party tool such as DBeaver to check if throws the same error when selecting the data from source DB.

Environment

Qlik Cloud 

When upgrading to Qlik Talend Studio R2025-06v3 or later tSnowflakeRow with Snowflake-jdbc-driver-3.22.0 that uses the function LAST_QUERY_ID() in command always returns “Alter session set JDBC_USE_SESSION_TIMEZONE=false” instead of the the correct query id（query id last query ran）as a result. 

Resolution

To have LAST_QUERY_ID() return the last query and not the alter session query, it is required to modify the command to use LAST_QUERY_ID(-2).

For example: 

Select query used in tSnowflakeRow component

 "SELECT LAST_QUERY_ID() as LAST_QUERY_ID(-2);"

Cause 

In Studio R2024-04, a new checkbox "Use Session Timezone" was added to the tSnowflakeInput and tSnowflakeRow components. The default value is unchecked (Alter session set JDBC_USE_SESSION_TIMEZONE=false) to avoid Snowflake regression issue Incorrect timezone handling for java.sql.Time, However this does bring the side effect of snowflake functions like LAST_QUERY_ID() returning the wrong value.

Related Content

2025-04-studio-known-issues for 'Use Session Timezone' option in the Snowflake components

Environment

Talend Data Integration 

After upgrading to Remote Engine 2.13.13, when enabling the option to execute a job from Studio on a remote engine, the process fails due to SSL and PKCS-related errors.

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Resolution

SSL Configuration for Talend Studio to Connect with Remote Engine

1. Retain the Keystore and Truststore Passwords Generated During Installation

   During the installation of Talend Remote Engine, SSL credentials are automatically generated. To retrieve the keystore password, execute the following command:

   cat /opt/TalendRemoteEngine/bin/sysenv

   and locate the line

   TMC_ENGINE_JOB_SERVER_SSL_KEY_STORE_PASSWORD=<PASSWORD>

2. Required Keystore and Truststore Files

   The following files are necessary for secure communication between Talend Studio and the Remote Engine:

   /opt/TalendRemoteEngine/etc/keystores/jobserver-client-keystore.p12
   /opt/TalendRemoteEngine/etc/keystores/jobserver-client-truststore.p12 (Truststore file added with RE 2.13.13)

   Transfer these files to your Talend Studio workstation and store them in a dedicated folder.

3. Configure Talend Studio to Use SSL

   Edit the Studio startup configuration file, depending on your operating system:

   • For Linux (x86_64): studio/Talend-Studio-linux-gtk-x86_64.ini
   • For ARM architecture: studio/Talend-Studio-gtk-aarch64.ini  
   • For Windows: Talend-Studio-win-x86_64.ini
4. Add the following JVM options to the configuration file, and adjust the file paths and password values accordingly:

       -Dorg.talend.remote.client.ssl.force=true
       -Dorg.talend.remote.client.ssl.keyStore=path_to_keystore/jobserver-client-keystore.p12
       -Dorg.talend.remote.client.ssl.keyStoreType=PKCS12
       -Dorg.talend.remote.client.ssl.keyStorePassword=<password_from_step_1>
       -Dorg.talend.remote.client.ssl.keyPassword=<password_from_step_1><
       -Dorg.talend.remote.client.ssl.trustStore=path_to_truststore/jobserver-client-truststore.p12
       -Dorg.talend.remote.client.ssl.trustStoreType=PKCS12
       -Dorg.talend.remote.client.ssl.trustStorePassword=<password_from_step_1>
       -Dorg.talend.remote.client.ssl.disablePeerTrust=false
       -Dorg.talend.remote.client.ssl.enabled.protocols=TLSv1.2,TLSv1.3
      

Cause 

Talend Remote Engine enforces SSL communication by default, ensuring that all interactions with the engine are encrypted. If Studio does not have the appropriate certificates installed, it will be unable to establish a secure connection with the Remote Engine.

Environment

• Talend Studio 
• Talend Cloud 

In processing step, under Lineage, you may unable to select the "Allow Lineage collection of this task" check box to enable it when creating  or editing your task in Talend Management Console.

Resolution

To verify your Qlik Talend Cloud License Type

1. Open the Qlik Talend Management Console
2. Go to Subscriptions Tab
3. Go to License Type

Cause

The reason of "Allow Lineage collection of this task" option is not visible when creating tasks in Qlik Talend Management Console is due to the type of license currently in use. The Lineage feature is only available with the Qlik Talend Cloud Enterprise Edition or Qlik Talend Cloud Premium Edition licenses.

Related Content

For more details please find the links below

• Enabling-lineage-collection
• Subscription-options-QTC.htm

Environment

• Talend Cloud 
• Talend Studio 

For Qlik Talend On-premises Solution, when using global context values in all jobs, If you want to change the file path values to replace d:/ with t:/, you can propagate the change to all jobs in the Studio.

 
How about Qlik Talend Cloud and Hybrid Solutions? This article provides a brief introduction to changing the value of context parameters and propagating the change to all Tasks in Talend Cloud.

How To

You can use this API to update artifact parameters

Put https://api.eu.cloud.talend.com/orchestration/executables/tasks/{taskid}

In the body, set the paramters you want to update:

Example: change the ContextFilePath": from "C:/Franking/in.csv" to  "h:/Franking/in.csv")

{
 "name": "contextpath",
 "description": "CC",
 "workspaceId": "61167bef18d7d656bfae071d",
"artifact": {
   "id": "689b5d04febbe74489779c31",    
   "version": "0.1.0.20251208032554"
 },
 "parameters":{
"ContextFilePath": "h:/Franking/in.csv"
}
}

To maintain context values better in the long run for multiple jobs, create a Connection in Talend Cloud. This way, all context in the job can be updated by updating the file name in the Qlik Talend Management Console Connection as opposed to running the API multiple times. For information on how to set up a connection, see Managing connections.

Environment

• Talend Cloud 
• Talend Studio 

If using the tap-shopify connector in Stitch for the orders stream, you may encounter the following error:

"An error occurred with the GraphQL API"

Resolution

To resolve the error:

• Adjust Anchor/Extraction Time
  Change the extraction time to avoid overlap with any existing bulk operation.
• Use a Single Stitch Connection per Shopify Store
  This minimizes the chance of simultaneous extractions that can trigger the error.
• Check for Other Tools Using Shopify Bulk API
  If other platforms or integrations are pulling data from Shopify, co-ordinate schedules to prevent conflicts.
  
  

Cause

Why This Happens

This is a Shopify platform constraint, not a Stitch limitation.

The Shopify Bulk API has an important restriction that only one bulk operation per type (e.g., orders) can run at a time per shop.

This means: If a bulk job is already running, any new request of the same type will fail. Overlapping jobs from multiple Stitch connections or other platforms can trigger this error.

When You Might See This Error

You may encounter this message if:

• A previous bulk operation hasn’t completed.
• Multiple Stitch connections are extracting from the same Shopify shop.
• Another platform or integration is using Shopify’s Bulk API at the same time.

Related Content 

Shopify Bulk API Documentations:
https://shopify.dev/docs/api/usage/bulk-operations/queries#limitations
Bulk operations with the GraphQL Admin API 

Environment

Stitch 

When migrating a web service job from Talend Studio 7 to Talend Studio 8, the job fails to run in Talend 8 with Java 17, which was previously executed successfully under Java 8 or Java 11.

 The execution is failing with the error:

The package javax.xml.namespace is accessible from more than one module: <unnamed>, java.xml

Resolution

Upon detailed review, it is identified that a Code → Routine Utility Class referencing third-party JARs (such as jaxrpc and xpp3) includes the javax.xml related package which causes a module conflict.
To resolve the conflict, these JARs should either be removed from the project’s library references or modified to exclude the javax.* package, thereby preventing duplication with the JDK provided java.xml module.

Cause

This seems to be related to Java module conflicts introduced in Java 9 and above. In Talend 8, the job runtime relies on Java 17, which appears to be incompatible with the way certain XML packages were handled in the earlier environment. 

This error message indicates that the same package is being loaded from multiple sources. In this context, it means there is a duplicate JAR reference in the job design. 

Potatial Causes

• Within tLibraryLoad components
• Under Code → Routine → Edit Routine Libraries
• Under third-party components referenced JARs

Since Java 9, the JDK already includes the java.xml module, which contains the javax.xml.namespace package. If third-party JARs also provide this package, it causes a module conflict.

Environment

• Talend Studio 
• Talend Data Integration 

You may be expericening the following compilation error in your talend ESB route cJMS component with "WebSphare MQ" when migrating from v7 to Talend v8-R2025-06.

The method jmsComponent(JmsConfiguration) in the type JmsComponent is not applicable for the arguments (ConnectionFactory)

Resolution

Use the studio patch v8-R2025-08 which contains updated javajet file and README with details of installation process.

Cause

The code generator for cJMS with "WebSphare MQ" component is still using  javax.jms.ConnectionFactory in talend studio, which is not aligned with camel-jms (Camel 4.8.1) that is using jakarta.jms.ConnectionFactory connection Factor.

Related Content 

https://javadoc.io/doc/org.apache.camel/camel-jms/4.8.1/org/apache/camel/component/jms/JmsComponent.html

Internal Investigation ID(s) 

Internal Jira case ID: QAPPINT-1661

Environment

Talend ESB 

The following error is found in log when working on a Git project in Talend Studio:

org.talend.commons.exception.CommonExceptionHandler - Branches configuration is out of sync, can't find the specified branch ****, will try to recover it using it's remote branch. 

Resolution

In order to fix this, please modify the remote repository as well.
For example, if you delete the branch on Talend Studio, please delete it from the remote repository as well.
If you are using Github, it would mean deleting the branch on Github from the following link:

https://github.com/[repository name]/branches

or using Git command tools like Git Bash to delete the branch from the remote repository.

Cause

The git branch structure in Talend Studio does not match the repository in the actual Git repository.
This usually occurs when you modify the branch in the local project, but it is not modified the same way in the remote repository.

Environment

Talend Studio 

You may be facing the error as below when trying to run a job (ESB) in Talend Studio.

 "Too many constants the constant pool for **** would exceed 65536 entries" 

Resolution

In order to avoid this, you can re-design your job and use a separate job to handle some of the job flow or use dynamic-schema

For example, you can use tRunJob component and put some part of the job flow into another job.

Cause

As mentioned in the error message, there are too many constants being used for the job code.
The java code has a limit of 65536 entries, and this usually occurs when there are too many components being used in one job or too many columns in the schema. 

Related Content 

If you are receiving an error that is related to the 65535 bytes limit, but the error message is different, please refer to this documentation:
How to prevent errors in code generation caused by the 65535 bytes limit

Environment

• Talend Studio 
• Talend Data Integration 

When configuring a Google Analytics integration in Stitch, users can define custom combinations of metrics and dimensions. However, there are two common issues that may arise:

Question

I need to read data from a DB2 database and the field type is defined as CHAR () FOR BIT DATA. When I create the connection in Talend metadata and try and view the data, it appears as HEX. Using something like DBeaver I can see the data. How can I get Talend to read the data correctly?

Tools like DBeaver automatically cast data types. To get the same result before processing in a component, add this to your SQL statement:

SELECT CAST(your_column AS VARCHAR(100) CCSID 37) AS utf8_col  FROM your_table

CCSID 37 is US EBCDIC, used by IBM AS/400. 

Related Content

See a table here: 

https://www.cs.umd.edu/~meesh/cmsc311/clin-cmsc311/Lectures/lecture6/ebcdic.html

Environment

• Talend Studio 
• Talend Data Integration 

A Talend Spark Stream Job configured with Yarn cluster mode and Kerberos enabled is encountering issues and failing to execute, presenting the following errors: 

YarnClusterScheduler- Lost executor 3 on me-worker1.xxx.co.id: Unable to create executor due to Unable to register with external shuffle server due to : java.lang.IllegalStateException: Expected SaslMessage, received something else (maybe your client does not have SASL enabled?)

jaas.conf content =
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/tmp/adm.keytab"
principal="cld_adm@XXX.CO.ID"
doNotPrompt=true;
};

KafkaClient {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/tmp/adm.keytab"
principal="cld_adm@XXX.CO.ID"
doNotPrompt=true;
};

Cause

The external shuffle service within YARN is configured to mandate SASL authentication; however, the Spark executor is either improperly configured to use SASL or is transmitting an incompatible message.

Common causes includes:

1. The absence or inaccuracy of SASL configuration in either spark-defaults.conf or YARN's configuration file (yarn-site.xml).
2. A version discrepancy between Spark and YARN, where the shuffle service necessitates a particular SASL protocol unsupported by the Spark client.
3. Improper security configurations, including the omission of Kerberos credentials or incorrect settings for spark.authenticate and associated properties.

This error results in the executor's failure to register with the shuffle service, prompting the YarnClusterScheduler to mark it as lost.

Resolution

Ensure that the external shuffle service is enabled, and that the SASL settings are in accordance with YARN's configurations:

spark.authenticate true
( #not necessary 
spark.network.crypto.enabled true
spark.network.crypto.saslFallback true
)

Environment

• Talend Data Integration 

When passing parameters from postman to a talend services, tRestRequest component is receiving null response.

Resolution

Review the schema of the tRestRequest component to ensure the Comment field is appropriately assigned.  

In REST API Mapping section, by default, if you leave the Comment field empty, the parameter is considered as a Path parameter.

Cause

There are some parameters missing/misconfiguring in the Comment field of tRestRequest component and you need to define what type of parameter it is in the Comment field of the schema.

Below is a list of supported Comment values:

• empty or path corresponds to the default @PathParam,

• query corresponds to @QueryParam,

• form corresponds to @FormParam,

• header corresponds to @HeaderParam.

• matrix corresponds to @MatrixParam.

• multipart corresponds to the CXF specific @Multipart, representing the request body. It can be used only with POST and PUT HTTP methods.

Related Content 

https://help.qlik.com/talend/en-US/components/8.0/esb-rest/trestrequest

Environment

Talend Data Integration 

When attempting to build a set of items (jobs, routes, services, etc) from a parent project with a reference project, Maven and the P2 may only see the items in the parent. Additionally, there may be errors of certain items (child jobs, routines, etc) missing during different stages of the build; such as (but not limited to the following):

org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal on project <project_name>: Could not resolve dependencies for project org.example.<project_name>.job:<job_name>:jar:0.1.0: The following artifacts could not be resolved: org.example.<reference_project>.joblet:<joblet_name>:pom:0.1.0 (absent)

Resolution

When the YAML or Pipeline scripts being used with the orchestrator, Talend CICD may need to be modified, so that the parent and reference projects are checked out and copied into one folder. This process may depend on the orchestrator used (such as Jenkins/Cloudbees, Azure DevOps, Gitlab Actions, etc); for specific information, please check with your DevOps team for specific commands and process.

In short, the process should look similar to the following:

1. Check out repository/branch where the reference project is located.
2. Check out repository/branch where the parent project is located.
3. Copy the reference project folder into a new folder, usually within the same working directory.
4. Copy the parent project folder into the same folder as the reference project.
5. Delete/Clean the original checked out folders from the working directory.

Cause

Most YAML or Pipeline scripts are setup to pull and checkout from one repository/branch; however, if a Reference Project is being used, it does require that repository/branch also be pulled down. If the reference project is not copied into the same folder as the parent project, Maven/Talend may only see the parent project checked out without reference project.

Environment

• Talend Data Integration 
• Talend Studio 

Question

After upgrading Talend Administration Center (TAC) to TPS-5612 (R2024-12) or later, why do the four MetaServlet commands createBranch, branchExist, createTag and deleteBranch not work as before and throw the error like below?

{"error":"Unknown command 'branchExist'","returnCode":2}

With the release of Talend Administration Center patch TPS-5612, project references and Git access have been removed from Talend Administration Center to improve the performance.

The following elements have been removed:

• Metaservlet commands: createBranch, branchExist, createTag and deleteBranch.
• Metaservlet parameters:
  • loadAllBranchAndTag for listProjects command
  • withReference for getProjectById and listProjects commands: Reference, repositoryState, references, or gitPassword do not exist anymore.
  • defaultBranch for createProject parameter
• Project References page
• Git connection check in Configuration and Project pages
• Branch management
• Reference checkbox and Check connection button in the project form
• Reference/warning column in the project grid
• Clone repository when saving/deleting projects
• Configuration properties: svn.itemListsCachesSize, svn.whiteListBranches.enable, git.project.connection.check.timeout and git.whiteListBranches.enable.
• Add Lock will not verify if the branch exists.

Related Content

This is documented in the change notes here: https://help.qlik.com/talend/en-US/release-notes/8.0/r2024-12-administration-center

Environment

• Talend Data Integration 
• Talend Administration Center 

You may be experiencing a ClassCastException error with the tHTTPClient component during an HTTP call.

java.lang.LinkageError: ClassCastException

Resolution

You can resolve this by changing the "Version" parameter in the .POM file to the proper version:

<dependency>

            <groupId>org.apache.httpcomponents</groupId>

            <artifactId>httpclient</artifactId>

            <version>4.3.3</version>

        </dependency>

Cause 

This is caused by the HTTP Client used in the .POM file: 

Related Content 

customizing-project-pom-settings

Environment

• Talend Studio 
• Talend Data Integration 

You may have a job that was designed with several tRunJobs components and are supposed to use the context group values from the parent job.

While the job itself runs well within Studio with no issues and publishing is just fine, the job may fail when deployed to a Remote Engine via TMC. There error found within the task logs may show something, such as

Error locating <insert resource>, not found

Resolution

You should make sure to seclect “Transmit Whole Context" checkbox if the child job is supposed to use the parent job's context values.

Cause

When you are using multiple tRunJobs components, the child jobs need to use the context group values from the parent job. If the “Transmit Whole Context” option is not enabled in the tRunJob component setting, the child jobs will attempt to use it's own context group, which could be wrong values for your environment. Issue may be in some cases that the correct contexts were not being transmitted to a child job.

Related Content 

trunjob-standard-properties

Environment

• Talend Studio 
• Talend Cloud 

In Talend tDBInput component,  CLOB data types can not be handled properly when you are attempting to ingest data from source DB2 to Target one.

This article briefly introduces how to properly handle CLOB data types when ingesting from DB2 to Target using Talend.

How To

1. Write a Utils class ClobUtils with the method getClobAsString under Code-> Global Routines
   You can create your own routines according to your particular factorization needs.
   For more information, please check qlik Help Documentation about: Creating user routines
2. Use this Utils in tMap/tJavaRow component : ClobUtils.getClobAsString(row1.C1)
   You can call any function in any of the system and user routines from your Job components in order to run them at the same time as your Job. Please check Help Documentation about: Calling-routine-function-from-job

The code below is a scratch version that needs testing and rewriting.

Use this as an example to study:

==Example code: ===
package routines;
import java.sql.Clob;
import java.sql.SQLException;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.commons.io.IOUtils;
package routines;
import java.sql.Clob;
import java.sql.SQLException;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.commons.io.IOUtils;
import java.io.IOException;
import java.io.InputStream;
import java.io.StringWriter;
import java.lang.String;
public class ClobUtils {
    public static String getClobAsString(Object obj) {
        String out = null;
        if (obj != null && obj instanceof Clob) {
            out=getClobAsString((Clob) obj);
        } else {
            Logger.getLogger("ClobUtils").log(Level.FINE, "null value");
        }
        return out;
    }
    public static String getClobAsString(Clob clobObject) {
        String clobAsString = null;
        if (clobObject != null) {
            long clobLength;
            try {
                clobLength = clobObject.length();
                if (clobLength <= Integer.MAX_VALUE) {
                    clobAsString = clobObject.getSubString(1, (int) clobLength);
                } else {
                    InputStream in = clobObject.getAsciiStream();
                    StringWriter w = new StringWriter();
                    IOUtils.copy(in, w, "UTF-8");
                    clobAsString = w.toString();
                }
            } catch (SQLException e) {
                e.printStackTrace();
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
        return clobAsString;
    }
}

Related Content

• https://stackoverflow.com/questions/2169732/most-efficient-solution-for-reading-clob-to-string-and-string-to-clob-in-java
  
  
• https://www.baeldung.com/java-string-character-large-object-conversion

Environment

• Talend Studio 
• Talend Data Integration