topic Re: CVE-2024-7348 Root-Sicherheitslücke in PostgreSQL in Management & Governance

CVE-2024-7348 Root-Sicherheitslücke in PostgreSQL

diloi — Wed, 29 Jan 2025 16:21:29 GMT

Hallo,

wie geht Qlik mit dieser Sicherheitslücke um?

https://www.heise.de/news/Root-Sicherheitsluecke-bedroht-Datenbankmanagementsystem-PostgreSQL-9831918.html

Re: CVE-2024-7348 Root-Sicherheitslücke in PostgreSQL

Fipe — Wed, 14 Aug 2024 15:18:52 GMT

Hi

The vulnerability is classified as high. When will PostgreSQL 14.13 be supported?

Re: CVE-2024-7348 Root-Sicherheitslücke in PostgreSQL

Filippo_Nicolussi_P — Wed, 18 Sep 2024 08:39:24 GMT

Hi @Fipe , @diloi

At today all supported version of Qlik Sense "System requirements for Qlik Sense Enterprise just select the version on the drop down select box on the left side" do support 14.x versions; however it could be necessary to unbind your current Postgres as per article Upgrading and unbundling the Qlik Sense Repository Database using the Qlik PostgreSQL Installer first.

If you are running on a standalone PostgreSQL just follow Postgres recommendation/guides.

Re: CVE-2024-7348 Root-Sicherheitslücke in PostgreSQL

JacovCohenQ — Wed, 09 Oct 2024 07:33:49 GMT

Hi, I am facing the same issue.

"do support 14.x versions," Can we upgrade Postgres to 14.13 manually, and it will be supported?

The QPI is just for 14.8.

Re: CVE-2024-7348 Root-Sicherheitslücke in PostgreSQL

VBD — Thu, 10 Oct 2024 06:53:03 GMT

Hello,

Yes, it will be supported, but you'll need to externalize your database. So you will need to backup you repository database, install postgres manually, restore the backup, and reinstall qliksense using the new database.

Regards

Re: CVE-2024-7348 Root-Sicherheitslücke in PostgreSQL

fabdulazeez — Tue, 22 Oct 2024 12:10:40 GMT

Hi @Filippo_Nicolussi_P

We have the February 2024 version, which includes PostgreSQL 14.8. Can we use QPI to unbundle PostgreSQL and then upgrade it to 14.13?

QPI known limitation:

Cannot migrate a 14.8 embedded database to a standalone

Re: CVE-2024-7348 Root-Sicherheitslücke in PostgreSQL

Filippo_Nicolussi_P — Wed, 06 Nov 2024 09:40:39 GMT

Exact @fabdulazeez ; and in such a scenario, a possible procedure is explained by @VBD :

"Yes, it will be supported, but you'll need to externalize your database. So you will need to backup your repository database, install Postgres manually, restore the backup, and reinstall qliksense using the new database."

Depending on your confidence you could :

Stop all services on all nodes except the database and take backups of databases Backup a Qlik Sense Site.

Stop the database too after backup.

Use SC Windows command Learn Microsoft SC.exe to remove dependencies from the Embedded PostgreSQL and remove the "Qlik Sense Repository Database" service.

Install the PostgreSQL 14.13 customizing listening port 4432 to the default Qlik Sense port and start it.

Create the required/used user role qliksenserepository and databases Install and configure PostgreSQL.

Restore the databases.

Start central, verify, and proceed with other nodes.

Re: CVE-2024-7348 Root-Sicherheitslücke in PostgreSQL

fabdulazeez — Wed, 06 Nov 2024 10:27:57 GMT

Thanks @Filippo_Nicolussi_P for your response.The steps outlined above appear to be generic and quite manual. Will Qlik officially support these steps? Is there any possibility that QPI will be upgraded soon to support unbundling of version 14.x? If not, should I open a support ticket to get confirmation on the steps mentioned?

Re: CVE-2024-7348 Root-Sicherheitslücke in PostgreSQL

Filippo_Nicolussi_P — Mon, 18 Nov 2024 11:04:54 GMT

Hi, @fabdulazeez

Sounds there will be a new version of the QPI that will provide missed capabilities.

No need for a support ticket Just keep monitored for QPI updates.