Charvick
Contributor III

QlikSense Node JS Vulnerability

Hello Qlik Community,

I'm reaching out for help with some vulnerability issues identified by our Infosec team using the Qualys tool. We're currently using QlikSense May 2024 Patch 21, and the issues are related to the Node JS version used by Qlik to build its application.

Node JS Version Issues

The QlikSense version we're using relies on Node JS 1.7.8, which has numerous vulnerabilities and has reached its end of life, as stated in the article. One specific issue is related to Angular JS, but our team has also identified around 80 security/vulnerability open points for other dependencies like Koa, body-parser, Braces and many more, out of which some of them have received fixes for the issues.

Request for Information

My assumption is that these issues are all bundled together and are a problem with the NodeJs version being used and that they might be resolved if Qlik upgrades the Node JS version used in QlikSense. I'd like to know if Qlik has already addressed these issues in a recent version of QlikSense on Windows or if they plan to fix them in an upcoming patch.

Critical and High Issues

The vulnerability list shared with me contains many Critical (6), High (30), Medium (34) & Low (10) priority issues. I'd appreciate any guidance on how to proceed with resolving these issues.

If anyone has information on this topic or knows what steps I can take next, please let me know.

Thank you in advance for your help!

Best regards, Charvick


Accepted Solutions
hugo_andrade
Partner - Specialist

Hi @Charvick ,

Very clever of you starting a thread about this. I face these same challenges from time to time.

Long story short, yes you have a patch available to fix Node.js vulnerabilities. Below, I have recorded the steps I took to get to your answer.

I'm a Qlik Partner, and each customer of ours allows us to have different levels of access to their environments.

For the systems I have Security Tools running, I have early access of the exposed vulnerabilities. I will always patch them as soon as possible. Usually, on the first weekend after the vulnerability is noticed. In order to see if there's a patch available for your release, simply go to the Downloads site: https://community.qlik.com/t5/Download-Qlik-Products/tkb-p/Downloads and apply the filter on Show Releases to All Releases with Latest Patch and filter on your Product in question.

Once you've done that, you will know if there's a patch available or not. If there's a patch, you can see the details on the Release Notes page: https://community.qlik.com/t5/Release-Notes/tkb-p/ReleaseNotes

There, you will apply filters for your Product and Release. I've done that for you and found the specific version and it contains the latest patch information: https://community.qlik.com/t5/Release-Notes/Sense-Enterprise-on-Windows-release-notes-May-2024-Initi... 

The May 2024 version has Patch 23. If you scroll down on the page, you will see the info below. You can do Ctrl+F and search for "node.js", you will also find it.

  • SHEND-2484: Update node.js to the latest patch version with fixes Qlik Sense May 2024 Patch 22 updates the version of NodeJS to pick up recent patches.

 

Also, I subscribe to all topics on the Security Notice forum. Here's the link in case you want to do the same: https://community.qlik.com/t5/Labels-page/bd-p/Category_Labels?categoryId=qlik-support-updates-blog&... 

Lastly, I usually advise customers to implement a Web Application Firewall protecting the Qlik site if it can be accessed outside the corporate firewall. This is something my team can help with if needed, too.

With a Web Application Firewall protecting the Qlik site, you will have an additional layer of protection against the vulnerabilities, and most of the time, you get back into a secure state even before patching Qlik Sense as the Firewall is patched right away.

If this helps, please mark this as Solution and give a like. Thanks!

Live and Breathe Qlik & AWS.
Follow me on my LinkedIn | Know IPC Global at ipc-global.com

Charvick
Contributor III
Author

Hi @hugo_andrade,

I really appreciate you taking the time to share your experience and provide step-by-step guidance on how to find the patch for the Node.js vulnerabilities in QlikSense. The links you provided to the Downloads site and Release Notes page will be super helpful in keeping track of updates.

I've checked the Release Notes for the May 2024 version, and I see that Patch 23 is available, which includes the update to the latest Node.js patch version (SHEND-2484). That's great news!

I'll also consider subscribing to the Security Notice forum to stay informed about future security updates. And thank you for the advice on implementing a Web Application Firewall to add an extra layer of protection.

Your help is much appreciated.