https://community.qlik.com/t5/Management-Governance/Critical-vulnerability-in-Javascript-library/m-p/2075025#M29665 <P>Hi,</P> <P>what version of node.js/VM2 is currently being used with qlik sense products and when will there be an update. Since we are in the hospital sector, this is important for our customers. I had already opened a ticket with support, but they think it is not an incident and I should contact the community?!?</P> <P>Here are the information about the&nbsp;Critical vulnerability in Javascript library:</P> <P>CVE: CVE-2023-29017 / CVE-2023-29199 / CVE-2023-30547 / CVE-2023-32314<BR />Scope: Remote Code Execution<BR />Affected versions: <STRONG>Javascript library vm2 &lt; 3.9.18</STRONG><BR />Suggested Action: <STRONG>Update to current version 3.9.18</STRONG>, No known workarounds</P> <P>F.e.:<BR />For the listed system, we were able to identify that the server was running a NodeJS server.<BR />Node.js version:&nbsp; 14.17.6</P> <P>File path:&nbsp;&nbsp; C:\Program Files\Qlik\Sense\ServiceDispatcher\Node\node.exe<BR /><BR />Thank you in advance!</P> <P>br</P> <P>Christian</P> Wed, 24 May 2023 12:00:14 GMT C-Hopf 2023-05-24T12:00:14Z https://community.qlik.com/t5/Management-Governance/Critical-vulnerability-in-Javascript-library/m-p/2075025#M29665 <P>Hi,</P> <P>what version of node.js/VM2 is currently being used with qlik sense products and when will there be an update. Since we are in the hospital sector, this is important for our customers. I had already opened a ticket with support, but they think it is not an incident and I should contact the community?!?</P> <P>Here are the information about the&nbsp;Critical vulnerability in Javascript library:</P> <P>CVE: CVE-2023-29017 / CVE-2023-29199 / CVE-2023-30547 / CVE-2023-32314<BR />Scope: Remote Code Execution<BR />Affected versions: <STRONG>Javascript library vm2 &lt; 3.9.18</STRONG><BR />Suggested Action: <STRONG>Update to current version 3.9.18</STRONG>, No known workarounds</P> <P>F.e.:<BR />For the listed system, we were able to identify that the server was running a NodeJS server.<BR />Node.js version:&nbsp; 14.17.6</P> <P>File path:&nbsp;&nbsp; C:\Program Files\Qlik\Sense\ServiceDispatcher\Node\node.exe<BR /><BR />Thank you in advance!</P> <P>br</P> <P>Christian</P> Wed, 24 May 2023 12:00:14 GMT https://community.qlik.com/t5/Management-Governance/Critical-vulnerability-in-Javascript-library/m-p/2075025#M29665 C-Hopf 2023-05-24T12:00:14Z https://community.qlik.com/t5/Management-Governance/Critical-vulnerability-in-Javascript-library/m-p/2076609#M29666 <P>Hello&nbsp;<a href="https://community.qlik.com/t5/user/viewprofilepage/user-id/149175">@C-Hopf</a>,</P> <P>Thanks for posting.</P> <P>I did scanned the installed files of Qlik Sense client managed and not found the node module named vm2 in any folder.</P> <P>As we can see other modules been used like the ones listed inside this path:</P> <P>...\NotifierService\node_modules</P> <P>If you have a report indicating that such library been used, please do open a case with us immediately following this article:</P> <P><SPAN><A href="https://community.qlik.com/t5/Official-Support-Articles/Qlik-Security-Vulnerability-Policy/ta-p/1713629" target="_blank">https://community.qlik.com/t5/Official-Support-Articles/Qlik-Security-Vulnerability-Policy/ta-p/1713629</A></SPAN></P> <P>You have further information on our product security at:&nbsp;<A href="https://www.qlik.com/us/trust" target="_blank">https://www.qlik.com/us/trust</A></P> <P>Thanks for your collaboration.</P> <P>Cheers,</P> <P>Albert</P> Fri, 26 May 2023 06:21:50 GMT https://community.qlik.com/t5/Management-Governance/Critical-vulnerability-in-Javascript-library/m-p/2076609#M29666 Albert_Candelario 2023-05-26T06:21:50Z