Qlik Sense Enterprise on Windows: PostgreSQL vulnerabilities CVE-2023-2454 and CVE-2023-2455

Sebastian_Linser

Last Update: May 31, 2023 5:35:57 AM
Updated By: Sonja_Bauernfeind
Created date: May 17, 2023 9:47:49 AM

PostgreSQL has identified two security issues. As Qlik Sense Enterprise on Windows relies on PostgreSQL for its repository, we want to provide you with steps on how to mitigate the vulnerabilities.

  • CVE-2023-2454

    This enabled an attacker having database-level CREATE privilege to execute arbitrary code as the bootstrap superuser. Database owners have that right by default, and explicit grants may extend it to other users.

  • CVE-2023-2455 

    While CVE-2016-2193 fixed most interaction between row security and user ID changes, it missed a scenario involving function inlining. This leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.

 

Resolution

With the next major Qlik Sense Enterprise on Windows release (August 2023), Qlik will update its bundled PostgreSQL database to the latest 14.x version.

As a mitigation for any previous releases, including May 2023, we offer the Qlik Postgres Installer (QPI) to migrate from 9.6 or 12.5 embedded databases to 14.8. We validated PostgreSQL 14.x for all releases back to February 2022.

Download the Qlik Postgres Installer version 1.3.0 here.

There are two possible scenarios which may apply to you:

 

Scenario 1

Upgrading your PostgreSQL database for Qlik Sense February 2022 (or later) if you have not used the QPI yet

Use the new Qlik Postgres Installer (version 1.3.0) to upgrade and migrate your repository database to PostgreSQL 14.8. Follow the instructions in Upgrading Qlik Sense Repository Database using the Qlik PostgreSQL Installer.

Download the Qlik Postgres Installer version 1.3.0 here.

 

Scenario 2

Upgrading your PostgreSQL database for Qlik Sense February 2022 (or later) if you have already migrated to 12.x with the QPI

If you have previously used the Qlik Postgres Installer (version 1.2.1 or earlier), you can simply download the latest PostgreSQL minor version within your major release and install it on top of your current 12.x database.

Steps:

  1. Download the latest PostgreSQL installer within the major release you have installed (Download PostgreSQL | Enterprisedb.com).

    Example: You have used the old QPI to upgrade to 12.5. You can now easily upgrade to a later version in the same major release, such as 12.15.

  2. Stop the Qlik Sense services. Leave the postgresql-x64-12 service running. 

  3. Run the downloaded installer as an administrator.

  4. The installer will guide you through the upgrade procedure. 

  5. Start the Qlik Sense services.
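The two CVE descriptions above each name a precondition (a role with database-level CREATE privilege; a database that has used CREATE POLICY), and both scenarios end with a minor-version upgrade. The following SQL is an added exposure check, not part of the Qlik article or the QPI: run it with psql as a superuser against the Qlik Sense repository database (assumed here to be named QSR) before the upgrade to see which CVE preconditions exist, and again afterwards to confirm the server reports one of the patched minors the article names (12.15 or 14.8).

```sql
-- Added check, not from the Qlik article. Connect first, e.g.:
--   psql -U postgres -d QSR        (QSR = assumed repository database name)

-- 1. Version check. server_version_num = major*10000 + minor, so
--    12.15 -> 120015 and 14.8 -> 140008 (the versions the article names).
WITH v AS (SELECT current_setting('server_version_num')::int AS n)
SELECT current_setting('server_version') AS server_version,
       (n BETWEEN 120015 AND 129999) OR (n BETWEEN 140008 AND 149999)
         AS patched_per_article   -- false on 9.6 and on older 12.x/14.x minors
FROM v;

-- 2. CVE-2023-2454 precondition: roles holding CREATE on this database.
--    The database owner has it implicitly; GRANT CREATE ON DATABASE adds more.
--    Every non-superuser row here is a role the CVE description applies to.
SELECT r.rolname,
       r.rolsuper,
       has_database_privilege(r.rolname, current_database(), 'CREATE') AS can_create
FROM pg_roles AS r
WHERE r.rolname NOT LIKE 'pg\_%'           -- skip built-in pg_* roles
  AND has_database_privilege(r.rolname, current_database(), 'CREATE')
ORDER BY r.rolname;

-- 3. CVE-2023-2455 precondition: any row security policy in this database.
--    An empty result means CREATE POLICY was never used here, so the
--    article's note says this database is not affected by that CVE.
SELECT schemaname, tablename, policyname, roles, cmd
FROM pg_policies
ORDER BY schemaname, tablename, policyname;
```

Query 2 only reports privileges on the database you are connected to; repeat it per database if the server hosts more than the repository database.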

 

Related Content

https://www.cybersecurity-help.cz/vdb/SB2023051138
Download PostgreSQL | Enterprisedb.com

 

Environment

Qlik Sense Enterprise on Windows all versions

Comments
jchoucq
Partner - Creator III

hi @Sebastian_Linser 

thank you for this message.

With both scenarios, at the end, we do not have the Qlik Sense Repository Database service anymore.

As a Scenario 3, will it be possible to wait until August 2023 and then make a backup of certificates and database, uninstall Qlik Sense, install the brand new version with Postgres 14.8 and then restore?

Or do you think it will be a better solution for the future to have the postgresql-x64-12 service running?

Have a good week

Johann

Sonja_Bauernfeind
Digital Support

Hello @jchoucq 

Qlik is providing you with the means to mitigate the vulnerability identified by PostgreSQL. It is up to you whether you are willing to accept the risks and wait, though we will always recommend doing so as soon as possible. The choice is yours, however.

All the best,
Sonja 

jchoucq
Partner - Creator III

Thanks @Sonja_Bauernfeind 

I do agree with what you said. 

But from my experience, in 2 different environments, QPI failed, and we had to upgrade from 9.6 to 12.50 manually (backup and restore) with the advantage, however, of keeping the same old configuration, with the Qlik Sense Repository Database Service.

For the moment, it won't be possible, until Qlik Sense August 2023 is released.

All the best,
Johann

giociva
Partner - Creator

Thanks, would this impact NPrinting in some way too?

Thanks,

Sonja_Bauernfeind
Digital Support

Hello @giociva 

Our Qlik NPrinting team is currently actively reviewing this.

All the best,
Sonja

jchoucq
Partner - Creator III

Hi, 

In a scenario where we already used QPI to migrate PostgreSQL from 9.6 to 12.5, will it be possible to upgrade to PostgreSQL 14.8?

Thanks a lot and have a good day.

Joh

Sebastian_Linser

@jchoucq not with the tool, but I will soon have a manual way done for you.

jchoucq
Partner - Creator III

Sounds great to hear, thank you very much @Sebastian_Linser 

ChristiW
Contributor II

We followed Scenario 2 (v12.5 to v12.15) and while there were no errors during the upgrade, after it finished we could not access the Qlik Sense (Feb 2023 SR 5) Hub or QMC. I am planning on submitting a ticket, but first wanted to ask if anyone else has run into this problem?

Sonja_Bauernfeind
Digital Support

Hello @ChristiW 

I recommend a support ticket so that we can assist you directly.

All the best,
Sonja 
