Solved: Re: Qliksense and Apache/Open SSL vulnerabilities. - Qlik Community

markdur101 · ‎2022-02-02

Our security group has found sever SSL vulnerabilities on a dedicated QlikSense server.

They said that these vulnerabilities are due to an Apache/ Open SSL web server that needs to be upgraded.

Can you tell me if QlikSense uses an Apache web server in its default installation?

These are the vulnerabilities that were found.

OpenSSL Integer overflow in CipherUpdate (CVE-2021-23840)
OpenSSL SM2 Decryption Buffer Overflow (CVE-2021-3711)
Apache Tomcat default installation/welcome page installed
Apache HTTPD: A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user (CVE-2021-40438)
OpenSSL CA certificate check bypass with X509_V_FLAG_X509_STRICT (CVE-2021-3450)
OpenSSL Read buffer overruns processing ASN.1 strings (CVE-2021-3712)

Chip_Matejowsky · ‎2022-02-02

Qlik Sense doesn't use an Apache/ Open SSL web server by default but can be configured to work with one as a reverse proxy/SAML - Quick guide to configure Apache as a Reverse Proxy with HTTPS, ADFS SAML and Qlik Sense.

Principal Technical Support Engineer with Qlik Support
Help users find answers! Don't forget to mark a solution that worked for you!

Chip_Matejowsky · ‎2022-02-02

Qlik Sense doesn't use an Apache/ Open SSL web server by default but can be configured to work with one as a reverse proxy/SAML - Quick guide to configure Apache as a Reverse Proxy with HTTPS, ADFS SAML and Qlik Sense.

Principal Technical Support Engineer with Qlik Support
Help users find answers! Don't forget to mark a solution that worked for you!

markdur101 · ‎2022-02-02

Thanks for the quick reply.