High Security fixes for Qlik Sense Enterprise for Windows (CVE-2024-55579 and CVE-2024-55580)

Last Update: Dec 12, 2024 8:11:32 AM
Updated By: Sonja_Bauernfeind
Created date: Dec 4, 2024 9:35:56 AM

Edited December 12th, Noon CET: updated patch versions and the internal Qlik tracking reference, and added information on QB-30633; the previous patches were removed from the download site.

New patches have been made available and have replaced the original six releases. They include the original security fixes (CVE-2024-55579 and CVE-2024-55580) as well as QB-30633 to resolve the extension and visualization defect.

If you continue to experience issues with extensions or visualizations, see QB-30633: Visualizations and Extensions not loading after applying patch.

Executive Summary

Security issues in Qlik Sense Enterprise for Windows have been identified, and patches have been made available. If the vulnerabilities are successfully exploited, these issues could lead to a compromise of the server running the Qlik Sense software, including remote code execution (RCE).

These issues were discovered by Qlik during internal security testing, and no reports of them being maliciously exploited have been received.

Affected Software

All versions of Qlik Sense Enterprise for Windows prior to and including these releases are impacted:

  • May 2024 Patch 9
  • February 2024 Patch 13
  • November 2023 Patch 15
  • August 2023 Patch 15
  • May 2023 Patch 17
  • February 2023 Patch 14

Severity Rating

Using the CVSS V3.1 scoring system (https://nvd.nist.gov/vuln-metrics/cvss), these issues are rated HIGH.

Vulnerability Details

(CVE-2024-55579) QB-29918, QB-29750 - Remote Code Execution (RCE) via Connectors

Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 8.8 (High)

Unprivileged users with network access may be able to create connection objects that trigger the execution of arbitrary EXE files on Qlik Sense Enterprise for Windows.

(CVE-2024-55580) QB-29586, QB-29864, QB-30007, QB-29802 - Broken Access Control (BAC)

Severity: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H 7.5 (High)

Unprivileged users with network access to a Qlik Sense for Windows installation may be able to execute remote commands with a high impact on availability, integrity and confidentiality.

Resolution

Recommendation

Customers should upgrade Qlik Sense Enterprise for Windows to a version containing fixes for these issues. Fixes are available for the following versions:

  • November 2024 Initial Release
  • May 2024 Patch 10 or 11 (both valid)
  • February 2024 Patch 14 or 15 (both valid)
  • November 2023 Patch 16 or 17 (both valid)
  • August 2023 Patch 16 or 17 (both valid)
  • May 2023 Patch 18 or 19 (both valid)
  • February 2023 Patch 15 or 16 (both valid)

All Qlik software can be downloaded from our official Qlik Download page (customer login required).
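For an administrator checking a fleet of servers against the two lists above, the following is an added example for this page, not Qlik's own tooling. It encodes only what the advisory states: for each listed release train the last affected and first fixed patch number, November 2024 Initial Release as already fixed (treated as patch 0), and the rule that anything older than the listed trains is affected. Input is the release name and patch number as displayed by the installation, since the advisory gives no build-number mapping; the host inventory is constructed sample data.

```python
"""Affected/fixed check for Qlik Sense Enterprise for Windows against the
release list in this advisory (added example, not Qlik tooling)."""

from dataclasses import dataclass
from typing import Optional

MONTH_ORDER = {"February": 1, "May": 2, "August": 3, "November": 4}

# Per release train, from the advisory: (last affected patch, first fixed patch).
# "Initial Release" counts as patch 0, so November 2024 is fixed from patch 0.
ADVISORY = {
    "February 2023": (14, 15),
    "May 2023": (17, 18),
    "August 2023": (15, 16),
    "November 2023": (15, 16),
    "February 2024": (13, 14),
    "May 2024": (9, 10),
    "November 2024": (-1, 0),
}


@dataclass(frozen=True)
class Verdict:
    affected: Optional[bool]  # None: this advisory makes no statement
    advice: str


def release_key(release: str) -> tuple:
    """Order release trains chronologically, e.g. 'May 2024' -> (2024, 2)."""
    try:
        month, year = release.split()
        return (int(year), MONTH_ORDER[month])
    except (ValueError, KeyError):
        raise ValueError(f"unrecognised release name: {release!r}") from None


OLDEST = min(ADVISORY, key=release_key)
NEWEST = max(ADVISORY, key=release_key)


def check(release: str, patch: int) -> Verdict:
    """Decide whether a given release/patch is affected by this advisory."""
    if patch < 0:
        raise ValueError("patch number must be >= 0 (0 = Initial Release)")
    key = release_key(release)
    if release in ADVISORY:
        last_affected, first_fixed = ADVISORY[release]
        if patch <= last_affected:
            return Verdict(True, f"upgrade to {release} Patch {first_fixed} or later")
        return Verdict(False, f"{release} Patch {patch} contains the fixes")
    if key < release_key(OLDEST):
        # "All versions prior to and including these releases are impacted."
        return Verdict(True, f"older than {OLDEST}; move to a fixed release listed in the advisory")
    if key > release_key(NEWEST):
        return Verdict(None, f"newer than {NEWEST}; not covered by this advisory")
    return Verdict(None, f"{release} is not listed in this advisory; confirm with Qlik")


def hosts_needing_upgrade(inventory):
    """inventory: iterable of (host, release, patch). Returns (host, advice)
    for every host the advisory marks as affected."""
    result = []
    for host, release, patch in inventory:
        verdict = check(release, patch)
        if verdict.affected:
            result.append((host, verdict.advice))
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("qs-prod-01", "May 2024", 9),
    ("qs-prod-02", "May 2024", 11),
    ("qs-dev-01", "November 2022", 12),
    ("qs-test-01", "November 2024", 0),
]

if __name__ == "__main__":
    for host, advice in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print(f"{host}: AFFECTED - {advice}")
```

Hosts on a train the advisory does not name (newer than November 2024, or a name not in the list) get a verdict of None rather than a guess, so a fleet report shows them as "confirm" instead of silently treating them as safe.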

Comments

Sonja_Bauernfeind (Digital Support):
For discussions and questions, comment directly on the related blog post. We will be monitoring it. Thank you!
