Katie_Davis (Digital Support)

Qlik is aware that a set of well-publicized vulnerabilities has been identified in the popular Java Spring Framework. These vulnerabilities have been assigned the references CVE-2022-22965 (also known as "Spring4Shell"), CVE-2022-22947, CVE-2022-22950 and CVE-2022-22963.

 

Qlik has been diligently reviewing our product suite since we became aware of these issues. We want to assure Qlik users that your security is our utmost priority. As always, we recommend customers stay up to date on the most recent releases available for your product.

 

Products Not Impacted 

The following products are NOT affected: 

  • Qlik Cloud 
  • Client-Managed Qlik Sense Enterprise and QlikView (all versions) 
  • GeoAnalytics (all versions) 
  • Qlik Compose (all versions) 
  • Qlik Compose for Data Lakes (all versions) 
  • Qlik Compose for Data Warehouses (all versions) 
  • Qlik Enterprise Manager (all versions) 
  • Qlik NPrinting
  • Qlik Replicate (all versions) ** 

** Qlik Replicate contains libraries that contain the affected code, but they are not used in a way that is exploitable. These will be removed in an upcoming patch.

 
Products Impacted 

Our testing shows only client-managed versions of Qlik Catalog are directly impacted (by CVE-2022-22965 and CVE-2022-22950) and a patch will be available as Feb 2022 SR2 and for the May 2022 release. Mitigation steps for earlier releases are linked in this knowledge base article.


Update 4/04/2022 8:15 p.m. EST

Qlik Catalog Feb 2022 SR2 is now available on the Downloads Site. Please be sure to be logged into Qlik Community with your Qlik ID to access.

Please subscribe to our Support Updates blog for continued updates as they become available. 

Thank you for choosing Qlik,  

Qlik Global Support 

10 Comments
eyalnir_qlik (Partner - Creator)

Hi,

What about NPrinting? Is it impacted? Thanks

3,114 Views
Katie_Davis (Digital Support)

Hi @eyalnir_qlik , NPrinting is not impacted and has just been added above. 

Thanks!

Katie

2,869 Views
JitenderR (Employee)

Thank you @Katie_Davis. So once the next patch is available, is an upgrade a MUST, or can we plan it in the next few months?

Regards

JR

2,505 Views
lichtbringer667 (Contributor)

hi,

We use the QlikView Server and the QlikView plugin. Are these products affected by the vulnerability?

thanks

lb

2,266 Views
Sonja_Bauernfeind (Digital Support)

Hello @lichtbringer667 

QlikView products (a server install, the IE plugin, and the Desktop client) are not affected.

All the best,
Sonja 

2,232 Views
Katie_Davis (Digital Support)

Hi @JitenderR ,

It's recommended you upgrade to the February 2022 Service Release 2 to be best protected against the vulnerabilities.

Thanks,

Katie

1,715 Views
RameshInala (Contributor)

Hi @Katie_Davis ,

We are using Qlik Replicate May 2021 (2021.5.0.543). Do we have any patch available for the CVE-2022-22950 Spring Framework Denial of Service (DoS) vulnerability? Please advise on any ETA for patch availability if it is not available at this time. These vulnerabilities are continuously being reported on our servers and have been escalated as the remediation due date has passed.

926 Views
john_wang (Support)

Hello @RameshInala , copy @Katie_Davis ,

No version of Qlik Replicate is affected by the CVE-2022-22950 Spring Framework Denial of Service (DoS) vulnerability.

"These vulnerabilities are continuously getting reported on our servers and got escalated as remediation due date has passed."


Not sure how Qlik Replicate got into the report; maybe it's because of some files, e.g. "spring-beans-5.1.9.RELEASE.jar"?

Please take note that the file is used for Endpoint Server only, and the endpoint server is not exposed to external users, and it is serving only as a REST server, not an application web server.

This file is removed from higher Replicate versions, e.g. 2022.5/2022.11.

Hope this helps.

Regards,

John.

892 Views
RameshInala (Contributor)

Hi @john_wang , @Katie_Davis 

Thank you for the quick reply on this.

Yes, it is getting reported for the file $ATTHOME/replicate/endpoint_srv/externals/spring-core-5.1.9.RELEASE.jar.

We have communicated the same to the Security team, but they are still asking us to remediate, as the Qlik Replicate server contains affected libraries and the server is listed as non-compliant.

Could you please confirm whether there is any plan to release a patch for Replicate version May 2021 (2021.5.0.543), so that we can buy some time from the Security team (upgrading to a new version is not a choice at this moment).

850 Views
john_wang (Support)

Hello @RameshInala ,

Thanks for the detailed info.

There is no such build (2021.5.0.543; perhaps it's an unofficial build). The first official build of 2021.5 is 745, and the latest one is 1368 (as of today). However, each build of 2021.5 contains the file "spring-core-5.1.9.RELEASE.jar".
Please take note that the file "spring-core-5.1.9.RELEASE.jar" is for Endpoint Server use only. Not sure if you are running Endpoint Server, or if you are using some endpoints that run under Endpoint Server (e.g. source endpoints including MongoDB source, Salesforce source, SAP source). If you are not running Endpoint Server (it's disabled), or no such specific endpoints are in use, then removing these spring-*.jar files (or moving them out of the Replicate installation folder) is an option.

In fact, even while running Endpoint Server (MongoDB source) in my lab, removing all 11 "spring-*.jar" files from the folder and restarting the Replicate service had no negative impact.

So far:

1- You may remove the files from your system (do a sanity test before implementing on the PROD system);

2- Upgrade to higher versions, e.g. Replicate 2022.5. These versions do not contain the unused jar files. The versions lifecycle for your reference.

Hope this helps.

Regards,

John.

826 Views
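The thread ends with a manual procedure: find the spring-*.jar files under the Replicate endpoint server folder, check whether their versions predate the Spring fixes, and either remove them or upgrade. The script below is an added example that turns that into a repeatable inventory check; it is not Qlik's code or tooling. It assumes jar names follow the Maven convention spring-<artifact>-<version>[.qualifier].jar (as in the spring-core-5.1.9.RELEASE.jar quoted above), falls back to the jar's META-INF/MANIFEST.MF Implementation-Version when the name carries no version, and takes its fixed versions from the Spring advisories (CVE-2022-22965 fixed in 5.2.20 and 5.3.18, CVE-2022-22950 fixed in 5.3.17, with older unsupported lines listed as affected in both). The sample install tree it scans is constructed inside the script. A finding means "this library version predates the fix", which is exactly the condition a vulnerability scanner reports on; as Qlik states above, it does not by itself mean the deployment is exploitable, so treat the output as a patch-or-remove worklist.

```python
"""Inventory Spring Framework jars under an install tree and flag the ones
whose version predates the fixes for CVE-2022-22965 and CVE-2022-22950.

Added example, not Qlik's code. Assumptions (see lead-in): Maven-style jar
names, manifest fallback, fixed versions per the Spring advisories.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# spring-<artifact>-<major.minor.patch>[.qualifier].jar
SPRING_JAR = re.compile(r"^spring-(?P<artifact>[a-z\-]+)-(?P<version>\d+\.\d+\.\d+)[^/]*\.jar$")


def parse_version(text):
    """'5.1.9' -> (5, 1, 9) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split(".")[:3])


def jar_version(path):
    """Version from the file name, else from the jar manifest, else None."""
    match = SPRING_JAR.match(path.name)
    if match:
        return match.group("version")
    try:
        with zipfile.ZipFile(path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def assess(version):
    """CVE ids whose fix this Spring Framework version predates."""
    v = parse_version(version)
    findings = set()
    # CVE-2022-22965: fixed in 5.2.20 and 5.3.18; anything older (5.1.x included) is unpatched
    if v < (5, 2, 20) or (5, 3, 0) <= v < (5, 3, 18):
        findings.add("CVE-2022-22965")
    # CVE-2022-22950 (SpEL DoS): the advisory names 5.3.17 as the fix and lists
    # older unsupported lines as affected, so everything below 5.3.17 is flagged
    if v < (5, 3, 17):
        findings.add("CVE-2022-22950")
    return findings


def scan_tree(root):
    """Walk an install tree and report every spring-*.jar with its findings."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("spring-*.jar")):
        version = jar_version(path)
        report[str(path.relative_to(root))] = {
            "version": version,
            "findings": sorted(assess(version)) if version else ["version unknown"],
        }
    return report


def build_sample_tree(root):
    """Constructed sample layout mirroring the folder quoted in the thread.
    The jars are empty zips holding only a manifest; classes are not inspected."""
    ext = Path(root) / "replicate" / "endpoint_srv" / "externals"
    ext.mkdir(parents=True)
    samples = {
        "spring-core-5.1.9.RELEASE.jar": None,
        "spring-beans-5.1.9.RELEASE.jar": None,
        "spring-web-5.3.18.jar": None,
        "spring-context.jar": "5.3.16",  # version only in the manifest
        "commons-io-2.11.0.jar": None,   # not Spring; must be ignored
    }
    for name, manifest_version in samples.items():
        manifest = "Manifest-Version: 1.0\n"
        if manifest_version:
            manifest += f"Implementation-Version: {manifest_version}\n"
        with zipfile.ZipFile(ext / name, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", manifest)
    return ext


def run_demo():
    """Build the constructed tree in a temp dir, scan it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    for jar, info in run_demo().items():
        status = ", ".join(info["findings"]) or "at or above fixed version"
        print(f"{jar:35} {info['version'] or '?':8} {status}")
```

Point scan_tree at a real install root instead of the constructed one to get the same report for your own tree; jars with no version in either the name or the manifest come back as "version unknown" rather than being silently skipped, so they still show up for manual review.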