Do not input private or sensitive data. View Qlik Privacy & Cookie Policy.
Skip to main content

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements
ALERT: QlikView server communication interruptions following Microsoft Windows Domain Controller security updates

Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-48365)

100% helpful (2/2)
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sonja_Bauernfeind
Digital Support
Digital Support

Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-48365)

Last Update:

May 15, 2024 3:28:50 AM

Updated By:

Sonja_Bauernfeind

Created date:

Sep 20, 2023 10:24:46 AM

Executive Summary 

A security issue in Qlik Sense Enterprise for Windows has been identified, and patches have been made available. If successfully exploited, this vulnerability could lead to a compromise of the server running the Qlik Sense software, including unauthenticated remote code execution (RCE). This resolves an incomplete fix for CVE-2023-41265. 

This issue was identified and responsibly reported to Qlik by Adam Crosser and Thomas Hendrickson of Praetorian

Qlik has received reports that this vulnerability may be being used by malicious actors. Customers should confirm they have applied the necessary patches outlined in this bulletin. If there are additional questions, customers may log a case with Qlik Support. 

 

Affected Software 

All versions of Qlik Sense Enterprise for Windows prior to and including these releases are impacted: 

  • August 2023 Patch 1
  • May 2023 Patch 5
  • February 2023 Patch 9
  • November 2022 Patch 11
  • August 2022 Patch 13
  • May 2022 Patch 15
  • February 2022 Patch 14
  • November 2021 Patch 16

Severity Rating 

Using the CVSS V3.1 scoring system (https://nvd.nist.gov/vuln-metrics/cvss), Qlik rates this severity as critical.  

Vulnerability Details

CVE-2023-48365 (QB-21683) HTTP Tunneling vulnerability in Qlik Sense Enterprise for Windows

Severity: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N (9.6 Critical)

Due to improper validation of HTTP Headers a remote attacker is able to elevate their privilege by tunnelling HTTP requests, allowing them to execute HTTP requests on the backend server hosting the repository application. This resolves an incomplete fix for CVE-2023-41265.

Resolution 

Recommendation 

These recommendations apply at the time of writing (September 2023). For up to date information, please refer to the Qlik Security Notice and review the latest Release Notes for your Qlik Sense version. Always update to the most recent patch.

Customers should upgrade Qlik Sense Enterprise for Windows to a version containing fixes for these issues. Fixes are available for the following versions: 

  • November 2023 IR
  • August 2023 Patch 2
  • May 2023 Patch 6
  • February 2023 Patch 10
  • November 2022 Patch 12
  • August 2022 Patch 14
  • May 2022 Patch 16
  • February 2022 Patch 15
  • November 2021 Patch 17

These patches include the fixes for previous issues CVE-2023-41266 and CVE-2023-41265 (link). 

All Qlik software can be downloaded from our official Qlik Download page (customer login required).

 

Edit December 1st, 2023: Added November 2023 IR release to clarify it is not affected

Labels (1)
Labels:
66,715 Views
Was this article helpful? Yes No
Comments
Sonja_Bauernfeind
Digital Support
Digital Support
‎2023-09-20 10:25 AM

For discussions and questions, comment directly on the related blog post.  We will be monitoring it. Thank you!

Version history
Last update:
‎2024-05-15 03:28 AM
Updated by:
Digital Support