https://community.qlik.com/t5/Official-Support-Articles/Security-Fixes-in-Qlik-GeoAnalytics-server/ta-p/1947554 <DIV class="lia-message-template-content-zone"> <H3><FONT color="#339966">Executive Summary</FONT></H3> <P>A number of security issues in Qlik GeoAnalytics Server have been identified and patched. If successfully exploited, these issues could lead to unauthorized information disclosure from the server running GeoAnalytics or unauthorized client-side code running in the context of users.</P> <P>These issues were found as part of the Qlik secure engineering program and no reports of them being exploited have been received.</P> <H3><FONT color="#339966">Affected Software</FONT></H3> <P>All Qlik GeoAnalytics server versions <STRONG>prior </STRONG>to these releases are impacted:</P> <UL> <LI>May 2022 SR1</LI> <LI>February 2022 SR1</LI> <LI>November 2021 SR4</LI> <LI>May 2021 SR3</LI> <LI>February 2021 SR3</LI> <LI>November 2020 SR3</LI> <LI>September 2020 SR3</LI> <LI>June 2020 SR3</LI> </UL> <H3><FONT color="#339966">Severity Rating</FONT></H3> <P>Three vulnerabilities are rated as <FONT color="#FF0000"><STRONG>high </STRONG></FONT>due to the possibility of information disclosure impacting the server running GeoAnalytics. One is rated as <FONT color="#FF9900"><STRONG>medium </STRONG></FONT>as it allows client-side script injection. See below for the scoring breakdown.</P> <H3><FONT color="#339966">Vulnerability Details</FONT></H3> <P><FONT color="#339966"><SPAN>QB-10651 - Path traversal vulnerability in GeoAnalytics Server</SPAN></FONT><BR />Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N <STRONG>(7.5 High)</STRONG></P> <P class="lia-indent-padding-left-30px">Due to improper validation of user-supplied input, a malicious user may be able access files on the server that they should not have access to.</P> <P><FONT color="#339966"><SPAN>QB-10518 - Server Side Request Forgery (SSRF) in Maps</SPAN></FONT><BR />Severity: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N <STRONG>(7.6 High)</STRONG></P> <P class="lia-indent-padding-left-30px">Due to improper validation of user-supplied input, a user may be able access resources within a network in the context of the service account running the GeoAnalytics service.</P> <P><FONT color="#339966"><SPAN>QB-10519 - Javascript Injection. Maps (High).</SPAN></FONT><BR />Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N <STRONG>(7.5 High)</STRONG></P> <P class="lia-indent-padding-left-30px">Due to improper validation of user-supplied input, a malicious user may be able inject client-side scripts that are run in the context of another user.</P> <P><FONT color="#339966"><SPAN>QB-10517 - Reflected Cross-site Scripting (XSS) </SPAN></FONT><BR />Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N <STRONG>(5.8 Medium)</STRONG></P> <P class="lia-indent-padding-left-30px">Due to improper validation of user-supplied input, an attacker may be able to craft a URL, which if another user visits, causes client-side scripts to be run in the context of that user.</P> <P>&nbsp;</P> <H3><FONT color="#339966"><SPAN>Resolution / Recommendation</SPAN></FONT></H3> <P>It is recommended to upgrade Qlik GeoAnalytics server to a version containing fixes. The first versions with the fixes are:</P> <UL> <LI>May 2022 SR1</LI> <LI>February 2022 SR1</LI> <LI>November 2021 SR4</LI> <LI>May 2021 SR3</LI> <LI>February 2021 SR3</LI> <LI>November 2020 SR3</LI> <LI>September 2020 SR3</LI> <LI>June 2020 SR3</LI> </UL> <P>All Qlik software can be downloaded from our official <A href="https://community.qlik.com/t5/Downloads/tkb-p/Downloads" target="_blank" rel="noopener">Qlik Download page</A> (customer login required).</P> <P>&nbsp;</P> </DIV> Tue, 05 Jul 2022 12:48:12 GMT Katie_Davis 2022-07-05T12:48:12Z https://community.qlik.com/t5/Official-Support-Articles/Security-Fixes-in-Qlik-GeoAnalytics-server/ta-p/1947554 <DIV class="lia-message-template-content-zone"> <H3><FONT color="#339966">Executive Summary</FONT></H3> <P>A number of security issues in Qlik GeoAnalytics Server have been identified and patched. If successfully exploited, these issues could lead to unauthorized information disclosure from the server running GeoAnalytics or unauthorized client-side code running in the context of users.</P> <P>These issues were found as part of the Qlik secure engineering program and no reports of them being exploited have been received.</P> <H3><FONT color="#339966">Affected Software</FONT></H3> <P>All Qlik GeoAnalytics server versions <STRONG>prior </STRONG>to these releases are impacted:</P> <UL> <LI>May 2022 SR1</LI> <LI>February 2022 SR1</LI> <LI>November 2021 SR4</LI> <LI>May 2021 SR3</LI> <LI>February 2021 SR3</LI> <LI>November 2020 SR3</LI> <LI>September 2020 SR3</LI> <LI>June 2020 SR3</LI> </UL> <H3><FONT color="#339966">Severity Rating</FONT></H3> <P>Three vulnerabilities are rated as <FONT color="#FF0000"><STRONG>high </STRONG></FONT>due to the possibility of information disclosure impacting the server running GeoAnalytics. One is rated as <FONT color="#FF9900"><STRONG>medium </STRONG></FONT>as it allows client-side script injection. See below for the scoring breakdown.</P> <H3><FONT color="#339966">Vulnerability Details</FONT></H3> <P><FONT color="#339966"><SPAN>QB-10651 - Path traversal vulnerability in GeoAnalytics Server</SPAN></FONT><BR />Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N <STRONG>(7.5 High)</STRONG></P> <P class="lia-indent-padding-left-30px">Due to improper validation of user-supplied input, a malicious user may be able access files on the server that they should not have access to.</P> <P><FONT color="#339966"><SPAN>QB-10518 - Server Side Request Forgery (SSRF) in Maps</SPAN></FONT><BR />Severity: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N <STRONG>(7.6 High)</STRONG></P> <P class="lia-indent-padding-left-30px">Due to improper validation of user-supplied input, a user may be able access resources within a network in the context of the service account running the GeoAnalytics service.</P> <P><FONT color="#339966"><SPAN>QB-10519 - Javascript Injection. Maps (High).</SPAN></FONT><BR />Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N <STRONG>(7.5 High)</STRONG></P> <P class="lia-indent-padding-left-30px">Due to improper validation of user-supplied input, a malicious user may be able inject client-side scripts that are run in the context of another user.</P> <P><FONT color="#339966"><SPAN>QB-10517 - Reflected Cross-site Scripting (XSS) </SPAN></FONT><BR />Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N <STRONG>(5.8 Medium)</STRONG></P> <P class="lia-indent-padding-left-30px">Due to improper validation of user-supplied input, an attacker may be able to craft a URL, which if another user visits, causes client-side scripts to be run in the context of that user.</P> <P>&nbsp;</P> <H3><FONT color="#339966"><SPAN>Resolution / Recommendation</SPAN></FONT></H3> <P>It is recommended to upgrade Qlik GeoAnalytics server to a version containing fixes. The first versions with the fixes are:</P> <UL> <LI>May 2022 SR1</LI> <LI>February 2022 SR1</LI> <LI>November 2021 SR4</LI> <LI>May 2021 SR3</LI> <LI>February 2021 SR3</LI> <LI>November 2020 SR3</LI> <LI>September 2020 SR3</LI> <LI>June 2020 SR3</LI> </UL> <P>All Qlik software can be downloaded from our official <A href="https://community.qlik.com/t5/Downloads/tkb-p/Downloads" target="_blank" rel="noopener">Qlik Download page</A> (customer login required).</P> <P>&nbsp;</P> </DIV> Tue, 05 Jul 2022 12:48:12 GMT https://community.qlik.com/t5/Official-Support-Articles/Security-Fixes-in-Qlik-GeoAnalytics-server/ta-p/1947554 Katie_Davis 2022-07-05T12:48:12Z https://community.qlik.com/t5/Official-Support-Articles/Security-Fixes-in-Qlik-GeoAnalytics-server/tac-p/1949404#M6763 <P>Can you please elaborate on the vulnerable versions as&nbsp;the wording here a bit ambiguous, when you say “versions prior to these releases”</P> <P>for November 2021 SR4, does that mean November 2021 SR1-3 are all vulnerable?</P> Tue, 28 Jun 2022 22:17:19 GMT https://community.qlik.com/t5/Official-Support-Articles/Security-Fixes-in-Qlik-GeoAnalytics-server/tac-p/1949404#M6763 AdamJohnson 2022-06-28T22:17:19Z https://community.qlik.com/t5/Official-Support-Articles/Security-Fixes-in-Qlik-GeoAnalytics-server/tac-p/1951811#M6802 <P>Hello&nbsp;<a href="https://community.qlik.com/t5/user/viewprofilepage/user-id/152515">@AdamJohnson</a>&nbsp;</P> <P>Versions prior to them will be affected, yes. So SR4 indicates prior SRs are affected (initial release to SR3, etc).</P> <P>All the best,<BR />Sonja&nbsp;</P> Tue, 05 Jul 2022 12:49:32 GMT https://community.qlik.com/t5/Official-Support-Articles/Security-Fixes-in-Qlik-GeoAnalytics-server/tac-p/1951811#M6802 Sonja_Bauernfeind 2022-07-05T12:49:32Z