Hi,

what about Nprinting impacted? thanks

Hi @eyalnir_qlik , NPrinting is not impacted and has just been added above. 

Thanks!

Katie

Thank You @Katie_Davis So once the next patch is available, is an upgrade a MUST? or we can plan it in next few months?

Regards

JR

hi,

we use the qlikviewserver and the qlikview plugin are these products affected by the vulnerability?

thanks

lb

Hello @lichtbringer667 

QlikView products (a server install, the IE plugin, and the Desktop client) are not affected.

All the best,
Sonja 

Hi @JitenderR ,

It's recommended you upgrade to the February 2022 Service Release 2 to be best protected against the vulnerabilities.

Thanks,

Katie

Hi @Katie_Davis ,

We are using Qlik Replicate May 2021 (2021.5.0.543) version and do we have any patch available for CVE-2022-22950 Spring Framework Denial of Service (DoS) Vulnerability.  Please advise on any ETA on patch availability if it is not available at this time. These vulnerabilities are continuously getting reported on our servers and got escalated as remediation due date has passed.

Hello @RameshInala , copy @Katie_Davis ,

All version of Qlik Replicate are not affected by CVE-2022-22950 Spring Framework Denial of Service (DoS) Vulnerability.

These vulnerabilities are continuously getting reported on our servers and got escalated as remediation due date has passed.

---

Not sure how Qlik Replicate get into the report, maybe it's because of some  files eg "spring-beans-5.1.9.RELEASE.jar" ?

Please take note that the file is used for Endpoint Server only, and the endpoint server is not exposed to external users, and it is serving only as a REST server, not an application web server.

This file is removed from higher Replicate versions eg 2022.5/2022.11.

Hope this helps.

Regards,

John.

Hi @john_wang , @Katie_Davis 

Thank you for the quick reply on this.

yes, it is getting reported for file $ATTHOME/replicate/endpoint_srv/externals/spring-core-5.1.9.RELEASE.jar.

we have communicated the same to Security team, but they are is still asking to remediate as Qlik Replicate server contains  affected libraries and server is listing under non-compliant.

Could you please confirm if there any plan to release patch for Replicate version May 2021 (2021.5.0.543), so that we can buy some time from Security team (Upgrading to new version is not a choice at this moment).

Hello @RameshInala ,

Thanks for the detailed info.

There is not such a build (2021.5.0.543, or it's a nonofficial build ). The first official build of 2021.5 is 745, the latest one is 1368 (up to today).  However each build of 2021.5 contains file "spring-core-5.1.9.RELEASE.jar".
Please take note the file "spring-core-5.1.9.RELEASE.jar" is for EndPoint Server use only. Note sure if you running Endpoint Server, or if you are using some endpoints which under Endpoint Servers  (eg source endpoints include MongoDB source, Salesforce source, SAP source). If you are not running Endpoint Server (it's disabled), or no such specific endpoints in use , then removing these spring-*.jar (or move it out of Replicate installation folder) is an option.

In fact, even while running Endpoint Server (MongoDB source) in my labs, removing all the 11 "spring-*.jar" files from the folder and restart Replicate service, no negative impact found.

So far:

1- you may removing the files from your system (do sanity test before implement to PROD system) ;

2- upgrade to higher versions eg Replicate 2022.5. These versions do not contains the useless jar files. The versions Lifecycle   for your reference.

Hope this helps.

Regards,

John.