vijaynarayanan
Contributor

Vulnerability CVE-2022-22970, CVE-2022-22971 - /replicate/endpoint_srv/externals/spring-core-5.1.9.RELEASE.jar

Hi Team,

Vulnerabilities CVE-2022-22970, CVE-2022-22971 ("Spring Framework Denial of Service (DoS) Data Binding Vulnerability") are detected for the Qlik Replicate spring-core jar file "/replicate/endpoint_srv/externals/spring-core-5.1.9.RELEASE.jar".

Do we have remediation for the detected vulnerability? We need to update the spring-core jar at the earliest. 

Thanks,

~ VJ

 

6 Replies
Arun_Arasu
Support

Hi @vijaynarayanan 

 

CVE-2022-22970:

This CVE is a DDoS in the Spring file upload function (a servlet). QDI products do not use this functionality of Spring (Spring is not used in QDI to offer networking services) and thus, there is no actual risk. Qlik will update this component in the 2022.11 release - since no security issue exists, the change is not updated in older releases.


CVE-2022-22971:

This CVE is in Spring's STOMP protocol. QDI products do not use this functionality of Spring and thus, there is no actual risk. Qlik will update this component in the 2022.11 release - since no security issue exists, the change is not updated in older releases.

vijaynarayanan
Contributor
Author

Team,

Do we have the knowledge base article that explains the same information? I need to update my organization with the details.

Thanks

 

Arun_Arasu
Support

Hello @vijaynarayanan ,

Unfortunately, there is no knowledge base article that explains the same information.

Regards,

Arun

vijaynarayanan
Contributor
Author

Hi @Arun_Arasu ,

 

My org is looking for the information in a knowledge base article to get the exception. Could you guide me on the right process to get that information?

 

Thanks

narendersarva
Support

Hello @vijaynarayanan ,

I checked again, but as Arun mentioned, no one has created a knowledge base article yet on Vulnerability CVE-2022-22970, CVE-2022-22971.

If you need any further assistance on this, please create a case so that our technical support team can assist you.

 

Thanks

Naren

vijaynarayanan
Contributor
Author

Case# 00050175: Vulnerabilities CVE-2022-22970, CVE-2022-22971 is created for this issue.