Qlik Sense Enterprise on Windows and PostgreSQL vulnerability CVE-2024-7348 (pg_dump)

Sebastian_Linser


Last Update: Dec 11, 2024 3:43:24 AM

Updated By: Sonja_Bauernfeind

Created date: Dec 10, 2024 11:06:21 AM

Affected versions:

  • Qlik Sense Enterprise on Windows all versions, including November 2024


CVE-2024-7348 is a Time-of-Check Time-of-Use (TOCTOU) race condition vulnerability in pg_dump, the utility used for backing up PostgreSQL databases. It allows an attacker to replace a relation (such as a table or sequence) with a view or foreign table while pg_dump is running. Because pg_dump often runs with superuser privileges, the attacker-controlled definition can cause arbitrary SQL to be executed, leading to unauthorized actions or data corruption. Source: https://www.postgresql.org/support/security/CVE-2024-7348/


How does this vulnerability impact Qlik Sense Enterprise on Windows?

Qlik can confirm that pg_dump is not actively used in the Qlik Sense Enterprise on Windows code.


How to mitigate the vulnerability

Both steps are required to fully mitigate the issue.

  • Upgrade PostgreSQL. This requires a standalone instance of PostgreSQL. See Upgrading and unbundling the Qlik Sense Repository Database using the Qlik PostgreSQL Installer on how to unbundle PostgreSQL if necessary.
    Always verify compatibility between your Qlik Sense version and PostgreSQL before planning an upgrade.
  • Delete the pg_dump.exe located in the default Qlik Sense Enterprise on Windows PostgreSQL install folder: C:\Program Files\Qlik\Sense\Repository\Postgresql\14\
    The updated pg_dump.exe in the standalone install (for example, C:\program files\postgresql\14) does not need to be removed.
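As an added example that is not part of the Qlik article, the following PowerShell script checks both mitigation steps on a Qlik Sense host: it reads the version of the standalone PostgreSQL server binaries and removes any pg_dump.exe still present under the bundled repository database folder. The standalone install path and the patched-version threshold are assumptions (take the threshold for your major version from the PostgreSQL advisory linked above); run it with -WhatIf first.

```powershell
# Added example, not from the Qlik article. Assumed default paths; adjust per host.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Bundled repository database folder named in the article
    [string]$BundledDir = 'C:\Program Files\Qlik\Sense\Repository\Postgresql\14',
    # Standalone PostgreSQL install folder (assumed default location)
    [string]$StandaloneDir = 'C:\Program Files\PostgreSQL\14',
    # Placeholder: set to the first patched release for your major version,
    # as listed in the PostgreSQL advisory for CVE-2024-7348
    [version]$MinPatched = '14.0'
)

$result = [ordered]@{
    StandaloneVersion    = $null
    StandalonePatched    = $false
    BundledPgDumpRemoved = @()
}

# Step 1: confirm the standalone PostgreSQL binaries are at or above the patched release.
$postgresExe = Join-Path $StandaloneDir 'bin\postgres.exe'
if (Test-Path -LiteralPath $postgresExe) {
    # postgres.exe --version prints e.g. "postgres (PostgreSQL) 14.13"
    $line = & $postgresExe --version 2>$null
    if ("$line" -match '(\d+\.\d+)') {
        $result.StandaloneVersion = [version]$Matches[1]
        $result.StandalonePatched = $result.StandaloneVersion -ge $MinPatched
    }
} else {
    Write-Warning "No standalone PostgreSQL at $StandaloneDir; unbundle and upgrade first (step 1)."
}

# Step 2: remove every pg_dump.exe left under the bundled Qlik repository database folder.
$bundled = Get-ChildItem -Path $BundledDir -Recurse -Filter 'pg_dump.exe' -ErrorAction SilentlyContinue
foreach ($file in $bundled) {
    if ($PSCmdlet.ShouldProcess($file.FullName, 'Remove bundled pg_dump.exe')) {
        Remove-Item -LiteralPath $file.FullName -Force
        $result.BundledPgDumpRemoved += $file.FullName
    }
}
if (-not $bundled) {
    Write-Verbose "No pg_dump.exe found under $BundledDir (step 2 already done)."
}

# Summary object: both StandalonePatched and an empty bundled folder are needed.
[pscustomobject]$result
```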


Does the Qlik PostgreSQL Installer (QPI) use pg_dump.exe?

QPI does not utilise pg_dump.exe.

Comments

Sonja_Bauernfeind (Digital Support):

@dennemanr Fixed!
