topic Re: Vulnerabilities on libcurl.dll in Management & Governance

Vulnerabilities on libcurl.dll

Sangeeta — Thu, 11 Jan 2024 14:50:40 GMT

During our regular scans we found some vulnerabilities on libcurl.dll (cve mentioned below), we are using the qliksense version - 14.78.23 (August 2022 patch 16).

The recommendation is to upgrade to libcurl 8.4.0. Please suggest if there are any patches available for upgrading libcurl.

CVE-2023-38545 (Heap Buffer Overflow)

CVE-2023-38546 (Cookie Injection)

Re: Vulnerabilities on libcurl.dll

Anil_Babu_Samineni — Fri, 12 Jan 2024 08:59:53 GMT

@Sangeeta This is not officially found by Qlik what I see, https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/ta-p/2120325

If you feel anything, please reach to your success engineer from Qlik.

Re: Vulnerabilities on libcurl.dll

dmitri_volkov — Tue, 19 Mar 2024 13:17:53 GMT

Same here: CVE-2023-38545, Qlik Sense Enterprise on Windows February 2024 14.173.3

Scan found affected libcurl.dll versions in

C:\Program Files\Common Files\Qlik\Custom Data\QvOdbcConnectorPackage\...

Search of Qlik Community did not produce any references to CVE-2023-38545.

What would be a solution here?

Re: Vulnerabilities on libcurl.dll

Thomas_Rieck_MW — Wed, 15 Jan 2025 14:10:49 GMT

Hi Sangeeta,

I don’t think Qlik will provide a patch since release August 2022 is no longer supported since August 2024.

I think you need to update your Qlik Environment. The libcurl.dll ist stored in some places on Windows, Qlik and Postgres related paths (search on your filesystem and check the file properties “Details”- Version).

On my VM for testing I have May 2024 and PostgrSQL 14 and none of the different libcurl.dlls are lower than 8.4.0 …

Best reagrds

Thomas

Re: Vulnerabilities on libcurl.dll

Sangeeta — Wed, 15 Jan 2025 15:09:35 GMT

This is an old post, we moved to May2024 patch 11 already and now there are new vulnerabilities on 8.4.0 which is fixed in version 8.9.1 so we are waiting for new patch.

Re: Vulnerabilities on libcurl.dll

shaun_lombard — Thu, 20 Mar 2025 22:06:54 GMT

Another vulnerability on libcurl https://curl.se/docs/CVE-2024-7264.html

This is being picked up on our May2024 system :

\QvOdbcConnectorPackage\presto\lib\LibCurl64.DllA\libcurl.dll
Installed version : 8.1.2.0 Fixed version: 8.9.1

Can someone check which version of libcurl.dll is shipped with November 2024?

Re: Vulnerabilities on libcurl.dll

Sebastian_Linser — Fri, 02 May 2025 06:48:06 GMT

@shaun_lombard the connector driver is compiled with OpenSSL and as such not vulnerable to CVE-2024-7264

only those models are

This parser bug was actually introduced in curl 7.32.0 but was then used only by the GSKit TLS backend which is no longer supported. The functionality was later brought to other TLS backends in different versions, so this bug affects curl built with different backends starting in different versions:

GnuTLS since 7.42.0
Schannel since 7.50.0
Secure Transport since 7.79.0
mbedTLS since 8.9.0