https://community.qlik.com/t5/Management-Governance/SSL-TLS-Renegotiation-DoS-Vulnerability/m-p/2135488#M25980 <P>Hello,</P> <P>I will do update of&nbsp;&nbsp;<SPAN>Qlik Sense Enterprise on Windows to version August 2023.</SPAN></P> <P><SPAN>And we will see.</SPAN></P> <P><SPAN>Thank you,</SPAN></P> <P><SPAN>Pavel</SPAN></P> Tue, 07 Nov 2023 15:36:12 GMT Pajik3909 2023-11-07T15:36:12Z https://community.qlik.com/t5/Management-Governance/SSL-TLS-Renegotiation-DoS-Vulnerability/m-p/2131695#M25883 <P>Hello everybody,</P> <P>I received&nbsp;information about the problem with renegotiation DoS Vulnerability from our IT department. See message below:</P> <P><STRONG>Hostname:</STRONG>&nbsp;qlikxxxxxx,<BR /><STRONG>Host Ip:</STRONG>&nbsp;<BR /><STRONG>Taskname:</STRONG></P> <P><STRONG>Severity:</STRONG>&nbsp;Low,<BR /><STRONG>Description:</STRONG>&nbsp;SSL/TLS: Renegotiation DoS Vulnerability (CVE-2011-1473, CVE-2011-5094)<BR /><STRONG>Summary:</STRONG>&nbsp;The remote SSL/TLS service is prone to a denial of service (DoS) vulnerability.<BR /><STRONG>Insight:</STRONG>&nbsp;The flaw exists because the remote SSL/TLS service does not properly restrict client-initiated renegotiation within the SSL and TLS protocols. Note: The referenced CVEs are affecting OpenSSL and Mozilla Network Security Services (NSS) but both are in a DISPUTED state with the following rationale: &gt; It can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment. Both CVEs are still kept in this VT as a reference to the origin of this flaw.<BR /><STRONG>Solution:</STRONG>&nbsp;Users should contact their vendors for specific patch information. A general solution is to remove/disable renegotiation capabilities altogether from/in the affected SSL/TLS service.<BR /><STRONG>Nvt:</STRONG>&nbsp;1.3.6.1.4.1.25623.1.0.117761<BR /><STRONG>CVE:</STRONG>&nbsp;CVE-2011-1473, CVE-2011-5094&gt;<BR /><STRONG>Affected:</STRONG>&nbsp;Every SSL/TLS service which does not properly restrict client-initiated renegotiation.<BR /><STRONG>Detection:</STRONG>&nbsp;Checks if the remote service allows to re-do the same SSL/TLS handshake (Renegotiation) over an existing / already established SSL/TLS connection.<BR /><STRONG>Descriptions:</STRONG>&nbsp;The following indicates that the remote SSL/TLS service is affected:Protocol Version | Successful re-done SSL/TLS handshakes (Renegotiation) over an existing / already established SSL/TLS connection----------------------------------------------------------------------------------------------------------------------------------TLSv1.2 | 10<BR /><STRONG>Soulution Type:</STRONG>&nbsp;VendorFix,<BR /><STRONG>Reference:</STRONG>&nbsp;CVE-2011-1473; CVE-2011-5094; <A href="https://mailarchive.ietf.org/arch/msg/tls/wdg46VE_jkYBbgJ5yE4P9nQ-8IU/" target="_blank" rel="noopener">https://mailarchive.ietf.org/arch/msg/tls/wdg46VE_jkYBbgJ5yE4P9nQ-8IU/</A>; <A href="https://orchilles.com/ssl-renegotiation-dos/" target="_blank" rel="noopener">https://orchilles.com/ssl-renegotiation-dos/</A>; <A href="https://vincent.bernat.ch/en/blog/2011-ssl-dos-mitigation" target="_blank" rel="noopener">https://vincent.bernat.ch/en/blog/2011-ssl-dos-mitigation</A>; <A href="https://www.openwall.com/lists/oss-security/2011/07/08/2" target="_blank" rel="noopener">https://www.openwall.com/lists/oss-security/2011/07/08/2</A></P> <P>Does exist any solution for solving this problem?</P> <P>Thank you,</P> <P>Pavel</P> Fri, 15 Nov 2024 21:18:16 GMT https://community.qlik.com/t5/Management-Governance/SSL-TLS-Renegotiation-DoS-Vulnerability/m-p/2131695#M25883 Pajik3909 2024-11-15T21:18:16Z https://community.qlik.com/t5/Management-Governance/SSL-TLS-Renegotiation-DoS-Vulnerability/m-p/2131871#M25885 <P>Hello&nbsp;<a href="https://community.qlik.com/t5/user/viewprofilepage/user-id/166441">@Pajik3909</a>,</P> <P>What version of QlikView are your running that is being flagged on a vulnerability report from 12 years ago? If you run the currently supported versions of QlikView: May 2023 (12.80) or May 2022 (12.70), is this vulnerability flagged?</P> <P>Best Regards</P> Wed, 25 Oct 2023 16:52:19 GMT https://community.qlik.com/t5/Management-Governance/SSL-TLS-Renegotiation-DoS-Vulnerability/m-p/2131871#M25885 Chip_Matejowsky 2023-10-25T16:52:19Z https://community.qlik.com/t5/Management-Governance/SSL-TLS-Renegotiation-DoS-Vulnerability/m-p/2132101#M25886 <P>Hi,</P> <P>We use these:</P> <P>"Qlik Sense May 2021", version 14.20.5</P> <P>"Qlik Sense Object Bundles", version&nbsp;14.20.5</P> <P>&nbsp;</P> <P>Best regards</P> <P>Pavel</P> Thu, 26 Oct 2023 11:15:45 GMT https://community.qlik.com/t5/Management-Governance/SSL-TLS-Renegotiation-DoS-Vulnerability/m-p/2132101#M25886 Pajik3909 2023-10-26T11:15:45Z https://community.qlik.com/t5/Management-Governance/SSL-TLS-Renegotiation-DoS-Vulnerability/m-p/2132162#M25887 <P>Hi&nbsp;<a href="https://community.qlik.com/t5/user/viewprofilepage/user-id/166441">@Pajik3909</a>,</P> <P>Your first response refers to Qlik Sense versions, but your second response references QlikView.&nbsp;Is this issue for QlikView or for Qlik Sense? Both?<BR /><BR />Best Regards</P> Thu, 26 Oct 2023 13:49:39 GMT https://community.qlik.com/t5/Management-Governance/SSL-TLS-Renegotiation-DoS-Vulnerability/m-p/2132162#M25887 Chip_Matejowsky 2023-10-26T13:49:39Z https://community.qlik.com/t5/Management-Governance/SSL-TLS-Renegotiation-DoS-Vulnerability/m-p/2132171#M25888 <P>Hi,</P> <P>we have Qlik Sense Enterprise. First response refers to this.</P> <P>best regards,</P> <P>Pavel</P> Thu, 26 Oct 2023 14:10:55 GMT https://community.qlik.com/t5/Management-Governance/SSL-TLS-Renegotiation-DoS-Vulnerability/m-p/2132171#M25888 Pajik3909 2023-10-26T14:10:55Z https://community.qlik.com/t5/Management-Governance/SSL-TLS-Renegotiation-DoS-Vulnerability/m-p/2132224#M25889 <P>Thanks for confirming. You opened this thread in the <EM><STRONG>QlikView &gt; App Development</STRONG></EM> forum so I will move it to the <EM><STRONG>Qlik Sense &gt; Deployment &amp; Management</STRONG></EM> forum so that it reaches its intended audience.</P> <P>Regarding the versions you reported - May 2021, please note that this version reached end of life for support assistance o May 10, 2023. Refer to Qlik Support article <A href="https://community.qlik.com/t5/Product-Lifecycle/Qlik-Sense-Enterprise-on-Windows-Product-Lifecycle/ta-p/1826335" target="_self"><STRONG>Qlik Sense Enterprise on Windows Product Lifecycle</STRONG></A> for more details. Suggest that you upgrade the Qlik Sense Enterprise instance to a supported version, such as August 2023 and see if this vulnerability is flagged.</P> <P>Best Regards</P> Thu, 26 Oct 2023 17:14:47 GMT https://community.qlik.com/t5/Management-Governance/SSL-TLS-Renegotiation-DoS-Vulnerability/m-p/2132224#M25889 Chip_Matejowsky 2023-10-26T17:14:47Z https://community.qlik.com/t5/Management-Governance/SSL-TLS-Renegotiation-DoS-Vulnerability/m-p/2135488#M25980 <P>Hello,</P> <P>I will do update of&nbsp;&nbsp;<SPAN>Qlik Sense Enterprise on Windows to version August 2023.</SPAN></P> <P><SPAN>And we will see.</SPAN></P> <P><SPAN>Thank you,</SPAN></P> <P><SPAN>Pavel</SPAN></P> Tue, 07 Nov 2023 15:36:12 GMT https://community.qlik.com/t5/Management-Governance/SSL-TLS-Renegotiation-DoS-Vulnerability/m-p/2135488#M25980 Pajik3909 2023-11-07T15:36:12Z https://community.qlik.com/t5/Management-Governance/SSL-TLS-Renegotiation-DoS-Vulnerability/m-p/2463880#M27496 <P>Hello&nbsp;<a href="https://community.qlik.com/t5/user/viewprofilepage/user-id/13651">@Chip_Matejowsky</a>&nbsp;,</P> <P><SPAN>we use the Qlik Sense Enterprise on Windows version November 2023 Patch 1.</SPAN></P> <P><SPAN>The vulnerability flagged is generated after installation version November 2023 Patch 1.</SPAN></P> <P><SPAN>Best regards</SPAN></P> Wed, 19 Jun 2024 13:47:41 GMT https://community.qlik.com/t5/Management-Governance/SSL-TLS-Renegotiation-DoS-Vulnerability/m-p/2463880#M27496 Pajik3909 2024-06-19T13:47:41Z