article Qlik Sense Enterprise on Windows: PostgreSQL vulnerabilities CVE-2023-2454 and CVE-2023-2455 in Official Support Articles

Qlik Sense Enterprise on Windows: PostgreSQL vulnerabilities CVE-2023-2454 and CVE-2023-2455

Sebastian_Linser — Wed, 31 May 2023 09:35:57 GMT

PostgreSQL has identified two security issues. As Qlik Sense Enterprise on Windows relies on PostgreSQL for its repository, we want to provide you with steps on how to mitigate the vulnerabilities.

CVE-2023-2454

This enabled an attacker having database-level CREATE privilege to execute arbitrary code as the bootstrap superuser. Database owners have that right by default, and explicit grants may extend it to other users.
CVE-2023-2455

While CVE-2016-2193 fixed most interaction between row security and user ID changes, it missed a scenario involving function inlining. This leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.

Resolution

With the next major Qlik Sense Enterprise on Windows release (August 2023), Qlik will update its bundled PostgreSQL database to the latest 14.x version.

As a mitigation for any previous releases, including May 2023, we offer the Qlik Postgres Installer (QPI) to migrate from 9.6 or 12.5 embedded databases to 14.8. We validated PostgreSQL 14.x for all releases back to February 2022.

Download the Qlik Postgres Installer versions 1.3.0 here.

There are two possible scenarios which may apply to you:

Scenario 1

Upgrading your PostgreSQL database for Qlik Sense February 2022 (or later) while not having used the QPI yet

Use the new Qlik Postgres Installer (version 1.3.0) to upgrade to Postgres 14.8 and migrate Postgres with QPI. Follow the instructions in Upgrading Qlik Sense Repository Database using the Qlik PostgreSQL Installer.

Download the Qlik Postgres Installer versions 1.3.0 here.

Scenario 2

Upgrading your PostgreSQL on February 2022 (or later) if you have already migrated to 12.x within QPI

If you have previously used the Qlik Postgres Installer (version 1.2.1 or earlier), you can simply install the latest PostgreSQL version (within your major release) and install it on top of your current 12.x database.

Steps:

Download the latest PostgreSQL installer within the major release you have installed (Download PostgreSQL | Enterprisedb.com).

Example: You have used the old QPI to upgrade to 12.5. You can now easily upgrade to a later version in the same major release, such as 12.15.
Stop the Qlik Sense services. Leave the postgresql-x64-12 service running.
Run the downloaded installer as an administrator.
The installer will guide you through the upgrade procedure.
Start the Qlik Sense services.

Re: Qlik Sense Enterprise on Windows: PostgreSQL vulnerabilities CVE-2023-2454 and CVE-2023-2455

jchoucq — Mon, 22 May 2023 07:16:37 GMT

hi @Sebastian_Linser

thank you for this message.

With both scenario, at the end, we do not have Qlik Sense Repository Database service anymore.

as a Scenario 3, will it be possible, to wait untill August 2023 and then, make a backup of certificates and database, unisntall qlik sense, install the brand new version with postgres 14.8 and then restore ?

Or do you think, it will be a better solution, for the future to have postgresql-x64-12 service running ?

Have a good week

Johann

Re: Qlik Sense Enterprise on Windows: PostgreSQL vulnerabilities CVE-2023-2454 and CVE-2023-2455

Sonja_Bauernfeind — Mon, 22 May 2023 09:18:29 GMT

Hello @jchoucq

Qlik is providing you with the means to mitigate the vulnerability identified by Postgre. It is up to you whether you are willing to accept the risks and wait, though we will always recommend doing so as soon as possible. The choice is yours, however.

All the best,
Sonja

Re: Qlik Sense Enterprise on Windows: PostgreSQL vulnerabilities CVE-2023-2454 and CVE-2023-2455

jchoucq — Mon, 22 May 2023 14:03:45 GMT

Thanks @Sonja_Bauernfeind

I do agree with what you said.

But for my experience, in 2 different environments, QPI failed, and we had to upgrade from 9.6 to 12.50 manually (bakup and restore) with the advantage, however, of keeping the same old configuration, with Qlik Sense Repository Database Service.

For the moment, it won't be possible, until Qlik Sense August 2023 is released.

All the best,
Johann

Re: Qlik Sense Enterprise on Windows: PostgreSQL vulnerabilities CVE-2023-2454 and CVE-2023-2455

Giovanni_Civardi — Mon, 22 May 2023 15:45:25 GMT

Thanks would this impact NPrinting in some way too?

Thanks,

Re: Qlik Sense Enterprise on Windows: PostgreSQL vulnerabilities CVE-2023-2454 and CVE-2023-2455

Sonja_Bauernfeind — Tue, 23 May 2023 06:10:16 GMT

Hello @Giovanni_Civardi

Our Qlik NPrinting team is currently actively reviewing this.

All the best,
Sonja

Re: Qlik Sense Enterprise on Windows: PostgreSQL vulnerabilities CVE-2023-2454 and CVE-2023-2455

jchoucq — Thu, 15 Jun 2023 15:36:17 GMT

Hi,

in a scenario where we already used QPI to migrate postgresql from 9.6 to 12.5, will it be possible to upgrade to postgresql 14.8 ?

Thanks a lot and have a good day.

Joh

Re: Qlik Sense Enterprise on Windows: PostgreSQL vulnerabilities CVE-2023-2454 and CVE-2023-2455

Sebastian_Linser — Fri, 16 Jun 2023 12:29:30 GMT

@jchoucq not with the tool, but I will soon have a manual way done for you.

Re: Qlik Sense Enterprise on Windows: PostgreSQL vulnerabilities CVE-2023-2454 and CVE-2023-2455

jchoucq — Fri, 16 Jun 2023 14:22:58 GMT

Sounds great to hear, thank you very much @Sebastian_Linser

Re: Qlik Sense Enterprise on Windows: PostgreSQL vulnerabilities CVE-2023-2454 and CVE-2023-2455

ChristiW — Fri, 16 Jun 2023 18:42:15 GMT

We followed Scenario 2 (v12.5 to v12.15) and while there were no errors during the upgrade, after finished we could not access Qlik Sense (Feb 2023 SR 5) Hub or QMC. I am planning on submitting a ticket, but first wanted to ask if anyone else has run into this problem?

Re: Qlik Sense Enterprise on Windows: PostgreSQL vulnerabilities CVE-2023-2454 and CVE-2023-2455

Sonja_Bauernfeind — Mon, 19 Jun 2023 13:08:11 GMT

Hello @ChristiW

I recommend a support ticket so that we can assist you directly.

All the best,
Sonja

Re: Qlik Sense Enterprise on Windows: PostgreSQL vulnerabilities CVE-2023-2454 and CVE-2023-2455

Giovanni_Civardi — Tue, 04 Jul 2023 08:19:35 GMT

any update on NPrinting side? thanks.

Re: Qlik Sense Enterprise on Windows: PostgreSQL vulnerabilities CVE-2023-2454 and CVE-2023-2455

Sonja_Bauernfeind — Tue, 04 Jul 2023 08:24:36 GMT

Hello @Giovanni_Civardi

Starting from the next Qlik NPrinting service release (May 2023 SR1) the installed PostgreSQL version will be 13.11-2 instead of 13.8-1. We encourage you to upgrade Qlik NPrinting, as Qlik NPrinting upgrades its PostgreSQL version as well.

All the best,
Sonja

Re: Qlik Sense Enterprise on Windows: PostgreSQL vulnerabilities CVE-2023-2454 and CVE-2023-2455

BoB_Qlik_Support — Fri, 08 Sep 2023 09:51:36 GMT

Hi @Sonja_Bauernfeind

Can i restore 9.6 postgres repository on freshly installed qlik sense enterprise version Aug 2023 (which by defalut comes with postgres 14.5 version)

Regards

Re: Qlik Sense Enterprise on Windows: PostgreSQL vulnerabilities CVE-2023-2454 and CVE-2023-2455

Sonja_Bauernfeind — Tue, 12 Sep 2023 12:31:24 GMT

@BoB_Qlik_Support This is possible, although an error may be logged (see Restoring your Qlik Sense site (How to manually upgrade the bundled Qlik Sense PostgreSQL version to 12.5 version).

All the best,
Sonja

article Qlik Sense Enterprise on Windows: PostgreSQL vulnerabilities CVE-2023-2454 and CVE-2023-2455 in Official Support Articles

Qlik Sense Enterprise on Windows: PostgreSQL vulnerabilities CVE-2023-2454 and CVE-2023-2455

Resolution

Scenario 1

Upgrading your PostgreSQL database for Qlik Sense February 2022 (or later) while not having used the QPI yet

Scenario 2

Upgrading your PostgreSQL on February 2022 (or later) if you have already migrated to 12.x within QPI

Related Content

Environment

Re: Qlik Sense Enterprise on Windows: PostgreSQL vulnerabilities CVE-2023-2454 and CVE-2023-2455

Re: Qlik Sense Enterprise on Windows: PostgreSQL vulnerabilities CVE-2023-2454 and CVE-2023-2455

Re: Qlik Sense Enterprise on Windows: PostgreSQL vulnerabilities CVE-2023-2454 and CVE-2023-2455

Re: Qlik Sense Enterprise on Windows: PostgreSQL vulnerabilities CVE-2023-2454 and CVE-2023-2455

Re: Qlik Sense Enterprise on Windows: PostgreSQL vulnerabilities CVE-2023-2454 and CVE-2023-2455

Re: Qlik Sense Enterprise on Windows: PostgreSQL vulnerabilities CVE-2023-2454 and CVE-2023-2455

Re: Qlik Sense Enterprise on Windows: PostgreSQL vulnerabilities CVE-2023-2454 and CVE-2023-2455

Re: Qlik Sense Enterprise on Windows: PostgreSQL vulnerabilities CVE-2023-2454 and CVE-2023-2455

Re: Qlik Sense Enterprise on Windows: PostgreSQL vulnerabilities CVE-2023-2454 and CVE-2023-2455

Re: Qlik Sense Enterprise on Windows: PostgreSQL vulnerabilities CVE-2023-2454 and CVE-2023-2455

Re: Qlik Sense Enterprise on Windows: PostgreSQL vulnerabilities CVE-2023-2454 and CVE-2023-2455

Re: Qlik Sense Enterprise on Windows: PostgreSQL vulnerabilities CVE-2023-2454 and CVE-2023-2455

Re: Qlik Sense Enterprise on Windows: PostgreSQL vulnerabilities CVE-2023-2454 and CVE-2023-2455

Re: Qlik Sense Enterprise on Windows: PostgreSQL vulnerabilities CVE-2023-2454 and CVE-2023-2455