topic Re: PostgreSQL vulnerability Nov 2024 CVE-2024-10979 in Management & Governance

PostgreSQL vulnerability Nov 2024 CVE-2024-10979

Ced_Eural — Wed, 29 Jan 2025 16:21:29 GMT

Hi everybody,

I came accross thi security issue that affects the bundled Postgre included into Qlik Sense May 2024.(version 14.8)

CVE-2024-10979

I'd like to know if a security patch will be released to fix the issue or if there is any suggestion to face the problem.

The only idea I have is to unbundle the database and upgrade it to the last patch.

Thanks for the support

Regards

Re: PostgreSQL vulnerability Nov 2024 CVE-2024-10979

jeremyseipel — Tue, 03 Dec 2024 15:50:35 GMT

@Sonja_Bauernfeind can you check with R&D on this. The CVE is rated as high. From what I am seeing in the qlik forum post below, unbundling postgres is not supported, so we cannot resolve with Qlik releasing a patch.

https://community.qlik.com/t5/Qlik-NPrinting/External-NPrinting-Repository/td-p/1788527

Re: PostgreSQL vulnerability Nov 2024 CVE-2024-10979

Sonja_Bauernfeind — Wed, 04 Dec 2024 08:18:08 GMT

Hello @Ced_Eural and @jeremyseipel

For Qlik Sense Enterprise on Windows, unbundle PostgreSQL. This will allow you to upgrade it independently of the Qlik Sense Enterprise on Windows release schedule. Though please review the System Requirements to ensure your currently used version supports the PostgreSQL version you plan to upgrade to.

As for Qlik NPrinting, @Ced_Eural, a case may be needed to investigate further, but I've also contacted my contacts internally.

All the best,
Sonja

Re: PostgreSQL vulnerability Nov 2024 CVE-2024-10979

Sonja_Bauernfeind — Wed, 04 Dec 2024 12:37:59 GMT

Hello @jeremyseipel

Please open a support ticket regarding CVE-2024-10979 in combination with Qlik NPrinting (not Qlik Sense Enterprise on Windows). This will get the correct pieces moving.

All the best,
Sonja

Re: PostgreSQL vulnerability Nov 2024 CVE-2024-10979

jeremyseipel — Wed, 04 Dec 2024 13:16:47 GMT

Thanks Sonja. A member of my team has a case open for this. Just wanted to make sure it got additional traction and others like us searching didn't find a thread with no answers.

I am curious as to why unlike qlik sense, the db cannot be unlinked. Since NP doesn't support high availability there hasn't been a real reason to do it, unless a client had a mandate of using RDS over local postgres, which I haven't encountered.

Re: PostgreSQL vulnerability Nov 2024 CVE-2024-10979

Sonja_Bauernfeind — Wed, 04 Dec 2024 13:24:39 GMT

Hello @jeremyseipel

Thanks for the heads-up! I located the case.

All the best,
Sonja

Re: PostgreSQL vulnerability Nov 2024 CVE-2024-10979

David_Friend — Wed, 04 Dec 2024 14:58:28 GMT

Hey @jeremyseipel the R&D team responsible for NPrinting is also responsible for the Tabular Reporting in Qlik Cloud, since they are focused on that I don't anticipate new features or architectural changes to NPrinting 😞

Re: PostgreSQL vulnerability Nov 2024 CVE-2024-10979

Ced_Eural — Wed, 04 Dec 2024 15:16:57 GMT

Hi @Sonja_Bauernfeind

on https://community.qlik.com/t5/Official-Support-Articles/Upgrading-and-unbundling-the-Qlik-Sense-Repository-Database/ta-p/1934238

into the Known limitation says:

"Cannot migrate a 14.8 embedded database to a standalone"

I'm running Qlik Sense May 2024.(Postgresql version 14.8)

Can I use the Qlik Sense PostgreSQL installer to install a new instance , manually migrate the DB and then update the postgre?

Is there any guide to follow?

Thanks for your help

Regards

Re: PostgreSQL vulnerability Nov 2024 CVE-2024-10979

jeremyseipel — Wed, 04 Dec 2024 15:17:42 GMT

@David_Friend totally understand and unfortunately I agree, I don't expect major changes to NPrinting either. As long as we get a fix for this asap, then I think we are good.

I saw that Qlik just released information about a major vulnerability for Qlik sense that requires an upgrade, so it looks like it will be a busy few weeks for upgrades.

Re: PostgreSQL vulnerability Nov 2024 CVE-2024-10979

jeremyseipel — Mon, 09 Dec 2024 14:00:56 GMT

@Sonja_Bauernfeind or @David_Friend any word on a patch update from Qlik to resolve this issue for NP?

Re: PostgreSQL vulnerability Nov 2024 CVE-2024-10979

David_Friend — Mon, 09 Dec 2024 14:03:34 GMT

what is your case number?

Re: PostgreSQL vulnerability Nov 2024 CVE-2024-10979

jeremyseipel — Mon, 09 Dec 2024 14:06:59 GMT

00332802: Qlik NPrinting Patching for Postgres Vulnerability CVE-2024-10979

Re: PostgreSQL vulnerability Nov 2024 CVE-2024-10979

David_Friend — Mon, 09 Dec 2024 15:29:20 GMT

@jeremyseipel there is not an update from R&D in this yet.

Re: PostgreSQL vulnerability Nov 2024 CVE-2024-10979

Sonja_Bauernfeind — Tue, 10 Dec 2024 08:00:32 GMT

Hello @jeremyseipel

We're actively working on this request. Please keep an eye on the Qlik NPrinting release notes for details. The ID for this investigation is QB-30635.

All the best,
Sonja