Hello Stoyan,

Thanks for your feedback. We already had signed SSL certificate installed, but I think the encrypt library (maybe OpenSSL) has leak.

VPN is good idea, we can consider it as long term solution, it needs time to implement, but I still need to fix this issue.

BR.

Thom (FW)

Although I understand the weakness and vulnerability of CBC (Mode of Operation) I believe there are some OpenSSL libraries within Qlik that enables the findings. Currently the vulnerability number 38764 and is described as follow:

"Testing multiple connections and  If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way
that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data."

This to me is significant and should be revisited by Qlik for remediation of the OpenSSL libraries in use.

On another note, there are other applications listening on a Windows server that are not "Flagged" by the scanner.  For example RDP.  Which is using the same set of ciphers set by a GPO.

So, Qlik is vulnerable but not RDP on the same server.

When can we expect a patch or upgrade that would remediate the vulnerability?

Thank you

@Levi_Turner 

I can confirm the findings of other users here, no other service except Qlik is affected by this vulnerability (TLS Padding Zombie POODLE and GOLDENDOODLE). This strongly hints at the use of old SSL libraries by Qlik.

We need to fix this ASAP, otherwise our Qlik Sense server might get shut down by the security team. Please anyone from Qlik respond how to solve this.

I personally use Tripwire's padcheck for validation:

Before:

levi@usral-ltu2:~$ ./padcheck {IPAddress}
{IPAddress} ({IPAddress}:443) is being tested for oracles with cipher 0xc027 using TLS 0x0303
{IPAddress} ({IPAddress}:443) is being tested for oracles with cipher 0xc027 using TLS 0x0303
{IPAddress} ({IPAddress}:443) is being tested for oracles with cipher 0xc027 using TLS 0x0303
{IPAddress} ({IPAddress}:443) is VULNERABLE with a Observable Padding Validity (GOLDENDOODLE) oracle when using cipher 0xc027 with TLS 0x0303. The fingerprint is 6be7b5

After applying IIS Crypto's best practices + manually de-selecting the CBC ciphers:

levi@usral-ltu2:~$ ./padcheck {IPAddress}
{IPAddress} ({IPAddress}:443) had an unexpected connection failure: EOF

Just wanted to say that this does indeed work, but I consider this to be only a workaround.

This is specific to Qlik, other services on our machines don't exhibit this vulnerability in connection with CBC ciphers. Ist there any plan to update the SSL libraries that come packaged with Qlik to solve this (I'm assuming that an up-to-date SSL library would fix the issue).

Agree to disagree. Adjusting the OS level availability of protocols and cipher suites is exactly how I would vote to design a web app. Otherwise you have an application which is rolling its own cryptography which is generally poor form outside of applications which provide cryptography.

You are correct that applications should ideally take cryptography setting from the OS. I'm wondering why this vulnerability is only detected in our Qlik installations though, not other applications.

I was assuming that this might be fixed by changing the way Qlik handles things, since other applications don't seem to be affected. That's why I was asking if there are any plans by Qlik to address this issue.

If there is nothing that Qlik can actually do about this because ALL CBC algorithms are vulnerable no matter the SSL libraries being used, then I can see why disabling all CBC ciphers is the way to go here.