vipulmisra
Contributor II

Exposure to CVE-2022-42889

Hi Team,

Could you please confirm the impact of https://nvd.nist.gov/vuln/detail/CVE-2022-42889 on Qlik Replicate?

We are currently on version May 2021 (2021.5.0.1133).

Regards,

Vipul


Accepted Solutions
Dana_Baldwin
Support

Hi @vipulmisra 

The only place in QDI where apache.commons.text is used is in the Replicate Salesforce incremental-load JREP endpoint (salesforce-source-endpoint.jar). Neither Compose nor QEM uses this library.

The library version currently used there is 1.9 and it is vulnerable. It should be changed to 1.10 in a future service release.

Still, even though the vulnerable JAR exists, there is no use at all of the vulnerable class StringSubstitutor, which is a prerequisite to exploiting the vulnerability. Hence, from Qlik's perspective, the risk of this CVE for the QDI products is zero. As usual, Qlik will update this library in a service release.

Customers who are not using that endpoint can delete the salesforce-source-endpoint.jar so it does not come up in later scans.


Thanks,

Dana


13 Replies
adershb
Partner - Contributor III

Hello @Dana_Baldwin ,

We are using Replicate version 2021.5.0.1272 and QEM version May 2021 (2021.5.0.543). Could you please check and confirm whether this version of Replicate and QEM is affected by the security vulnerability CVE-2022-42889?

The endpoints we are using are:

source - Oracle and DB2 iSeries

target - Oracle.


Thanks,

Adersh

Dana_Baldwin
Support

Hi @adershb 

As noted above, the only place in QDI where apache.commons.text is used is in the Replicate Salesforce incremental-load JREP endpoint (salesforce-source-endpoint.jar). Neither Compose nor QEM uses this library.

Version 2021.5 uses the vulnerable version, and it will be changed to 1.10 in a future service release of 2022.5 or later.

Still, even though the vulnerable JAR exists, there is no use at all of the vulnerable class StringSubstitutor, which is a prerequisite to exploiting the vulnerability. Hence, from Qlik's perspective, the risk of this CVE for the QDI products is zero. As usual, Qlik will update this library in a service release.

If you are not using the Salesforce incremental-load endpoint, you can delete the salesforce-source-endpoint.jar so it does not come up in later scans.

Thanks,

Dana
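The triage Dana gives in the accepted solution and again in the reply above rests on two checkable facts: which commons-text version a JAR actually bundles, and whether any application class in it references StringSubstitutor at all. The script below is an added example written for this thread, not Qlik's code and not anything posted by the participants. It opens a JAR (and any JAR nested inside it), reads the commons-text version from the Maven pom.properties the artifact ships with, flags anything below 1.10.0, and searches the non-library class files for the internal name org/apache/commons/text/StringSubstitutor in their constant pools. The sample fixture it builds when run without arguments, including the com.example class names in it, is constructed for the demonstration; the only real file names and paths are the ones given in the thread.

```python
"""Check a JAR for bundled Apache Commons Text and for code that references
StringSubstitutor, the class CVE-2022-42889 requires.

Added example, not Qlik's code. The fixture built by build_sample_jar() is
constructed; the two heuristics apply to any Java archive.
"""
import io
import sys
import zipfile

# Maven metadata the commons-text artifact ships with; version= lives in here.
COMMONS_TEXT_POM = "META-INF/maven/org.apache.commons/commons-text/pom.properties"
LIB_PREFIX = "org/apache/commons/text/"      # the library's own classes
VULN_CLASS_REF = b"org/apache/commons/text/StringSubstitutor"
FIXED_VERSION = (1, 10)                      # CVE-2022-42889 is fixed in 1.10.0


def parse_version(text):
    """'1.9' -> (1, 9); '1.10.0' -> (1, 10, 0). Stops at the first non-numeric part."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_vulnerable_version(text):
    """True for any commons-text release before 1.10.0."""
    return parse_version(text) < FIXED_VERSION


def commons_text_version(zf):
    """Version declared in the bundled pom.properties, or None if absent."""
    if COMMONS_TEXT_POM not in zf.namelist():
        return None
    for line in zf.read(COMMONS_TEXT_POM).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def audit_jar_bytes(data, origin="<jar>"):
    """Audit one JAR (as bytes), recursing into nested *.jar entries."""
    report = {"bundles_commons_text": False, "commons_text_version": None,
              "vulnerable_version": False, "stringsubstitutor_referenced_by": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        report["bundles_commons_text"] = any(
            n.startswith(LIB_PREFIX) and n.endswith(".class") for n in names)
        version = commons_text_version(zf)
        if version is not None:
            report["commons_text_version"] = version
            report["vulnerable_version"] = is_vulnerable_version(version)
        for name in names:
            if name.endswith(".class") and not name.startswith(LIB_PREFIX):
                # A compiled class that calls StringSubstitutor carries its internal
                # name as a modified-UTF8 constant, so a byte search over the class
                # file is a cheap (heuristic) test for a direct reference.
                if VULN_CLASS_REF in zf.read(name):
                    report["stringsubstitutor_referenced_by"].append(f"{origin}!{name}")
            elif name.endswith(".jar"):
                nested = audit_jar_bytes(zf.read(name), origin=f"{origin}!{name}")
                report["bundles_commons_text"] |= nested["bundles_commons_text"]
                report["vulnerable_version"] |= nested["vulnerable_version"]
                if report["commons_text_version"] is None:
                    report["commons_text_version"] = nested["commons_text_version"]
                report["stringsubstitutor_referenced_by"] += nested["stringsubstitutor_referenced_by"]
    return report


def exposure(report):
    """Translate the audit into the triage outcome a reviewer wants."""
    if not report["bundles_commons_text"]:
        return "no commons-text bundled"
    if report["commons_text_version"] is None:
        return "commons-text bundled, version undetermined: inspect manually"
    if not report["vulnerable_version"]:
        return "commons-text bundled, version not affected"
    if report["stringsubstitutor_referenced_by"]:
        return "vulnerable commons-text and StringSubstitutor referenced: treat as exposed"
    return "vulnerable commons-text bundled but StringSubstitutor not referenced: scanner hit, upgrade or remove"


def build_sample_jar(version, app_uses_substitutor):
    """Constructed fixture: a fake endpoint JAR embedding a fake commons-text.

    The .class bodies are not real bytecode; they only carry the byte strings
    the heuristic looks for, which is enough to exercise the audit end to end.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(COMMONS_TEXT_POM,
                    f"groupId=org.apache.commons\nartifactId=commons-text\nversion={version}\n")
        zf.writestr(LIB_PREFIX + "StringSubstitutor.class", b"\xca\xfe\xba\xbe" + VULN_CLASS_REF)
        ref = VULN_CLASS_REF if app_uses_substitutor else b"java/lang/String"
        zf.writestr("com/example/endpoint/Loader.class", b"\xca\xfe\xba\xbe" + ref)
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:           # e.g. the JAR a scanner flagged
            rep = audit_jar_bytes(fh.read(), origin=sys.argv[1])
    else:
        rep = audit_jar_bytes(build_sample_jar("1.9", False), origin="sample.jar")
    for key, value in rep.items():
        print(f"{key}: {value}")
    print(exposure(rep))
```

Run it with the path of the JAR a scanner flagged as its only argument; without arguments it audits the constructed fixture (commons-text 1.9 bundled, no application reference), which reproduces the "scanner hit, not referenced" case described in the thread. The byte search finds direct references from compiled classes in the same archive but not reflective use or a caller living in a different JAR, so a clean result narrows a scanner finding rather than closing it; upgrading to 1.10.0 or removing an endpoint JAR that is not in use remains the fix.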

adershb
Partner - Contributor III

Hello @Dana_Baldwin 


Where is the salesforce-source-endpoint.jar file located? Do you mean on the Replicate server or on the QEM server?

Thanks,

Adersh


Dana_Baldwin
Support

Hi @adershb 

It is on the Replicate server; as noted, QEM does not use this library. It is here:

(Screenshot of the file location attached in the original post; image not reproduced here.)

Thanks,

Dana

adershb
Partner - Contributor III

Hi @Dana_Baldwin ,

I can see the file arep-salesforce.jar in the location below. Our Replicate server is Linux.

replicate-2021.5.0-1272/endpoint_srv/endpoints/Salesforce $

Thanks,

Adersh

adershb
Partner - Contributor III

Hi @Dana_Baldwin , 

Can you please confirm whether it is the same vulnerable file (mentioned above, on Linux) and, if so, whether removing it requires restarting the Replicate service on Linux (stop, remove the .jar file, and start)?

Thanks,

Adersh

vipulmisra
Contributor II
Author

Hi @Dana_Baldwin, we also see the same file arep-salesforce.jar in the Attunity/Replicate/endpoint_srv/endpoints/Salesforce folder.

No other files. 

Could you please confirm if this is the affected file?


Regards,

Vipul

Dana_Baldwin
Support

Hi @vipulmisra @adershb, I am checking with my colleagues and will follow up.

Thanks,

Dana