Qlik Sense Enterprise on Windows: PostgreSQL vulnerabilities CVE-2023-2454 and CVE-2023-2455

Sebastian_Linser


Last Update:

May 31, 2023 5:35:57 AM

Updated By:

Sonja_Bauernfeind

Created date:

May 17, 2023 9:47:49 AM

PostgreSQL has published fixes for two security issues. Because Qlik Sense Enterprise on Windows uses PostgreSQL as its repository database, this article describes how to mitigate the vulnerabilities in your deployment.

  • CVE-2023-2454

    schema_element defeats protective search_path changes. This enabled an attacker having database-level CREATE privilege to execute arbitrary code as the bootstrap superuser. Database owners have that right by default, and explicit grants may extend it to other users.

  • CVE-2023-2455 

    While CVE-2016-2193 fixed most interaction between row security and user ID changes, it missed a scenario involving function inlining. This leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.
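Both CVEs only matter if their preconditions exist on your repository server: a release older than the May 2023 fix set, a non-superuser role holding database-level CREATE (CVE-2023-2454), and at least one row security policy created with CREATE POLICY (CVE-2023-2455). The PowerShell script below is an added example, not part of the Qlik article or a Qlik tool, that queries the repository PostgreSQL instance for exactly those three facts. It assumes a QPI-installed psql.exe under C:\Program Files\PostgreSQL\12\bin, the Qlik repository port 4432 and the superuser account postgres; adjust these to your site. The password is supplied to psql through PGPASSWORD or a pgpass.conf file, not embedded in the script.

```powershell
# Added example (not from the Qlik article): check the repository PostgreSQL instance for
# (a) whether its release already contains the fixes for CVE-2023-2454 and CVE-2023-2455, and
# (b) whether the preconditions for either CVE are present in any repository database.
# Assumptions (adjust to your site): psql.exe location, port 4432, superuser 'postgres'.

$Psql   = 'C:\Program Files\PostgreSQL\12\bin\psql.exe'   # assumption: QPI-installed 12.x
$Port   = 4432                                             # assumption: Qlik repository port
$DbUser = 'postgres'                                       # assumption

# First minor release of each major line that contains both fixes (PostgreSQL 2023-05-11 releases).
$FixedMinor = @{ 11 = 20; 12 = 15; 13 = 11; 14 = 8; 15 = 3 }

function Invoke-PgQuery {
    param([string]$Database, [string]$Sql)
    # -A -t -F '|' : unaligned output, tuples only, pipe-separated columns -> easy to split
    $rows = & $Psql -h localhost -p $Port -U $DbUser -d $Database -A -t -F '|' -c $Sql
    if ($LASTEXITCODE -ne 0) { throw "psql failed (exit $LASTEXITCODE): $Sql" }
    return @($rows | Where-Object { $_ -ne '' })
}

# (a) Release check. server_version_num is e.g. 120005 for 12.5, 140008 for 14.8, 90624 for 9.6.24.
$versionNum = [int](Invoke-PgQuery 'postgres' 'SHOW server_version_num;')[0]
$major = if ($versionNum -ge 100000) { [int][math]::Floor($versionNum / 10000) } else { 9 }
$minor = $versionNum % 100
$patched = $FixedMinor.ContainsKey($major) -and ($minor -ge $FixedMinor[$major])
$versionText = (Invoke-PgQuery 'postgres' 'SHOW server_version;')[0]
"Server release: $versionText  (fixes for both CVEs present: $patched)"

# (b) Preconditions, checked in every non-template database on the instance.
$sqlCreators = @'
SELECT rolname, rolsuper FROM pg_roles
 WHERE rolname NOT LIKE 'pg\_%'
   AND has_database_privilege(rolname, current_database(), 'CREATE')
 ORDER BY rolname;
'@
$sqlPolicies = @'
SELECT n.nspname || '.' || c.relname, p.polname
  FROM pg_policy p
  JOIN pg_class c ON c.oid = p.polrelid
  JOIN pg_namespace n ON n.oid = c.relnamespace;
'@

$exposed = $false
$databases = Invoke-PgQuery 'postgres' 'SELECT datname FROM pg_database WHERE NOT datistemplate;'
foreach ($db in $databases) {
    # CVE-2023-2454: a role that already is superuser gains nothing; non-superusers with CREATE
    # (the database owner by default, plus explicit grants) are the escalation path.
    $nonSuperCreators = Invoke-PgQuery $db $sqlCreators | ForEach-Object {
        $f = $_ -split '\|'; if ($f[1] -eq 'f') { $f[0] }
    }
    # CVE-2023-2455: only databases that have used CREATE POLICY are affected.
    $policies = Invoke-PgQuery $db $sqlPolicies

    "[$db] non-superuser roles with CREATE: " + ($(if ($nonSuperCreators) { $nonSuperCreators -join ', ' } else { 'none' }))
    "[$db] row security policies: $($policies.Count)"
    if ($nonSuperCreators -or $policies.Count -gt 0) { $exposed = $true }
}

if (-not $patched -and $exposed) {
    Write-Warning "Unpatched release with at least one CVE precondition present: upgrade the repository database."
} elseif (-not $patched) {
    Write-Warning "Unpatched release; no precondition found now, but grants or policies can be added later. Upgrade anyway."
} else {
    "Release already contains the fixes."
}
```

The release check is the one that decides; the precondition listing only tells you how urgent the upgrade is. Expect the database owner to appear in the CREATE list for each repository database, because PostgreSQL grants owners CREATE by default, as the CVE text notes.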


Resolution

With the next major Qlik Sense Enterprise on Windows release (August 2023), Qlik will update its bundled PostgreSQL database to the latest 14.x version.

As a mitigation for any previous release, including May 2023, we offer the Qlik Postgres Installer (QPI) to migrate from the embedded 9.6 or 12.5 databases to 14.8, the first 14.x minor release that contains the fixes for both CVEs. We validated PostgreSQL 14.x for all releases back to February 2022.

Download the Qlik Postgres Installer version 1.3.0 here.

There are two possible scenarios which may apply to you:


Scenario 1

Upgrading the PostgreSQL database of Qlik Sense February 2022 (or later) when the QPI has not been used before

Use the new Qlik Postgres Installer (version 1.3.0) to migrate the repository database to PostgreSQL 14.8. Follow the instructions in Upgrading Qlik Sense Repository Database using the Qlik PostgreSQL Installer.



Scenario 2

Upgrading PostgreSQL on Qlik Sense February 2022 (or later) if you have already migrated to 12.x with the QPI

If you have previously used the Qlik Postgres Installer (version 1.2.1 or earlier), you can install the latest minor release of PostgreSQL 12 directly on top of your current 12.x database. The target must be 12.15 or later, because 12.15 is the first 12.x release that contains the fixes for both CVEs.

Steps:

  1. Download the latest PostgreSQL installer for the major release you have installed (Download PostgreSQL | Enterprisedb.com).

    Example: you used the old QPI to upgrade to 12.5. You can now upgrade to a later minor release of the same major version, such as 12.15, which contains the fixes.

  2. Stop the Qlik Sense services, but leave the postgresql-x64-12 service running.

  3. Run the downloaded installer as an administrator.

  4. The installer guides you through the upgrade procedure.

  5. Start the Qlik Sense services.
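The five steps above, as an added PowerShell example that is not part of the Qlik article or a Qlik tool. It stops the Qlik Sense services while keeping postgresql-x64-12 running, launches the installer elevated, and, before bringing Qlik Sense back, checks that the server really reports a 12.15-or-later release, so a failed or cancelled installer run does not silently leave the repository on the unpatched minor. The installer path, the psql.exe location, port 4432 and the postgres superuser (password via PGPASSWORD or pgpass.conf) are assumptions to adjust for your site; the service name postgresql-x64-12 is the one the article names.

```powershell
# Added example (not from the Qlik article): scenario 2 as a script. Run from an elevated
# PowerShell session. Assumptions (adjust to your site): installer path downloaded from
# EnterpriseDB, psql.exe location, port 4432, superuser 'postgres'.

$Installer = 'C:\Temp\postgresql-12.15-1-windows-x64.exe'   # assumption: EnterpriseDB download
$PgService = 'postgresql-x64-12'                               # service named in the article
$Psql      = 'C:\Program Files\PostgreSQL\12\bin\psql.exe'    # assumption: QPI-installed 12.x
$Port      = 4432                                              # assumption: Qlik repository port
$Fixed     = [version]'12.15'                                  # first 12.x release with both CVE fixes

function Get-PgVersion {
    # Ask the running server rather than trusting the installer's exit code.
    $out = & $Psql -h localhost -p $Port -U postgres -d postgres -A -t -c 'SHOW server_version;'
    if ($LASTEXITCODE -ne 0) { throw "psql failed with exit code $LASTEXITCODE" }
    $text = (($out | Where-Object { $_ })[0].Trim() -split ' ')[0]   # e.g. "12.5"
    return [version]$text
}

$before = Get-PgVersion
"Current repository database: PostgreSQL $before"
if ($before.Major -ne 12) { throw "This script handles a QPI-migrated 12.x database; found $before" }
if ($before -ge $Fixed) { "Already at $before; nothing to do."; return }

# Step 2: stop the Qlik Sense services but keep postgresql-x64-12 running. The bundled
# 'QlikSenseRepositoryDatabase' service is unused after a QPI migration and is excluded so that
# a disabled service does not make Start-Service fail in step 5.
$qlikServices = Get-Service | Where-Object {
    $_.Name -like 'Qlik*' -and $_.Name -ne 'QlikSenseRepositoryDatabase'
}
$qlikServices | Where-Object { $_.Status -eq 'Running' } | Stop-Service -Force
if ((Get-Service $PgService).Status -ne 'Running') {
    throw "$PgService must stay running for the in-place minor upgrade"
}

# Steps 3 and 4: run the EnterpriseDB installer elevated and wait for its guided upgrade.
$proc = Start-Process -FilePath $Installer -Verb RunAs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "Installer exited with code $($proc.ExitCode); Qlik Sense services left stopped, investigate first"
}

# Verify the server now runs the patched minor before Qlik Sense reconnects to it.
$after = Get-PgVersion
if ($after -lt $Fixed) { throw "Server still reports $after; the upgrade did not take effect" }

# Step 5: start the Qlik Sense services. Other services register with the Repository Service,
# so bring up the Service Dispatcher and Repository Service before the rest.
$first = 'QlikSenseServiceDispatcher', 'QlikSenseRepositoryService'
foreach ($name in $first) { Get-Service $name -ErrorAction SilentlyContinue | Start-Service }
$qlikServices | Where-Object { $first -notcontains $_.Name } | Start-Service
"Upgraded repository database from $before to $after; Qlik Sense services started."
```

If the installer is cancelled or fails, the script deliberately leaves the Qlik Sense services stopped: starting them against a half-upgraded database is worse than a short outage, and the version check at the end is what tells you the mitigation actually landed.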


Related Content

https://www.cybersecurity-help.cz/vdb/SB2023051138
Download PostgreSQL | Enterprisedb.com


Environment

Qlik Sense Enterprise on Windows all versions

Comments
giociva
Partner - Creator

Any update on the NPrinting side? Thanks.

Sonja_Bauernfeind
Digital Support

Hello @giociva

Starting from the next Qlik NPrinting service release (May 2023 SR1) the installed PostgreSQL version will be 13.11-2 instead of 13.8-1. We encourage you to upgrade Qlik NPrinting, as Qlik NPrinting upgrades its PostgreSQL version as well. 

All the best,
Sonja 

BoB_Qlik_Support
Contributor II

Hi @Sonja_Bauernfeind

Can I restore a 9.6 postgres repository on a freshly installed Qlik Sense Enterprise version Aug 2023 (which by default comes with postgres 14.5 version)?

Regards


Sonja_Bauernfeind
Digital Support

@BoB_Qlik_Support This is possible, although an error may be logged (see Restoring your Qlik Sense site (How to manually upgrade the bundled Qlik Sense PostgreSQL version to....

All the best,
Sonja 
