Re: ECRScan on Replicate product - Qlik Community

gianlucasaturno · ‎2025-01-24

Hello,

We are using Amazon ECRScan to find security vulnerabilities on our system, we have discovered 7 CVE (CVE-2023-2976 CVE-2023-3635 CVE-2024-7254 CVE-2024-8184 CVE-2024-6763 CVE-2020-29582 CVE-2020-8908 CVE-2024-47535) inside Qlik Replicate product, the effected libraries are the following:

opt/attunity/replicate/java/arep-google-cloud.jar
opt/attunity/replicate/java/java_file_factory.jar
opt/attunity/replicate/endpoint_srv/externals/jetty-server-11.0.18.jar
opt/attunity/replicate/endpoint_srv/externals/kotlin-stdlib-1.6.0.jar
opt/attunity/replicate/java/arep-event-hubs.jar

Replicate version is November 2024, my questions/doubts are the following:

- Is it safe to assume that "arep-google-cloud.jar" is used exclusively for enpoint using Google Cloud as target/source and since we don't have those we can ignore the vulnerability/upgrade the library?

- Is it safe to assume that "java_file_factory.jar" is used exclusively for enpoint using File as target/source and since we don't have those we can ignore the vulnerability/upgrade the library?

Do you have any insight on what the other 3 libraries are used for? (opt/attunity/replicate/endpoint_srv/externals/jetty-server-11.0.18.jar, opt/attunity/replicate/endpoint_srv/externals/kotlin-stdlib-1.6.0.jar, opt/attunity/replicate/java/arep-event-hubs.jar)

Thanks for you help

Kind Regards

Gianluca

diegozecchini · ‎2025-01-24

This is an interesting post. I am following.

john_wang · ‎2025-01-25

Hello @gianlucasaturno ,

Thanks for reaching out to Qlik Community!

We need CF/R&D help to confirm it. Please open a support ticket ,Our support team will be more than happy to assist you.

Regards,

John.

Help users find answers! Do not forget to mark a solution that worked for you! If already marked, give it a thumbs up!

ECRScan on Replicate product

Installation - Upgrade

Security