Qlik Sense Enterprise on Windows and PostgreSQL vulnerability CVE-2024-7348 (pg_dump)

Author: Sebastian_Linser (Support)

Last Update: May 9, 2025 6:55:01 AM
Updated By: Sonja_Bauernfeind
Created date: Dec 10, 2024 11:06:21 AM

Affected versions:

  • Qlik Sense Enterprise on Windows all versions, including November 2024

CVE-2024-7348 is a Time-of-Check Time-of-Use (TOCTOU) race condition in pg_dump, the utility used to back up PostgreSQL databases. An attacker who can create and drop non-temporary objects in the database being dumped can replace a relation (such as a table or sequence) with a view or foreign table between the moment pg_dump checks the object's type and the moment it reads from it. Because pg_dump is frequently run as a superuser, the attacker's SQL is then executed with the privileges of the user running pg_dump, which allows arbitrary SQL execution, unauthorized actions or data corruption. The fix shipped in PostgreSQL 16.4, 15.8, 14.13, 13.16 and 12.20. Source: https://www.postgresql.org/support/security/CVE-2024-7348/

How does this vulnerability impact Qlik Sense Enterprise on Windows?

Qlik can confirm that pg_dump is not used by the Qlik Sense Enterprise on Windows code. The pg_dump.exe binary is nevertheless installed with the bundled PostgreSQL, so it remains present on the server and should be addressed as described below.

How to mitigate the vulnerability

Upgrade to Qlik Sense Enterprise on Windows May 2025 IR

Qlik Sense Enterprise on Windows May 2025 IR includes PostgreSQL 14.17 in its installer, a version that contains the fix for CVE-2024-7348. See the System Requirements for details.

If upgrading Qlik Sense is not possible, manually upgrade PostgreSQL

Both of the following steps are required to fully mitigate the issue.

  • Upgrade PostgreSQL to a version that contains the fix (14.13 or later on the 14 branch). This requires a standalone instance of PostgreSQL. See Upgrading and unbundling the Qlik Sense Repository Database using the Qlik PostgreSQL Installer on how to unbundle PostgreSQL if necessary.
    Always verify compatibility between your Qlik Sense version and PostgreSQL before planning an upgrade.
  • Delete pg_dump.exe from the default Qlik Sense Enterprise on Windows PostgreSQL install folder: C:\Program Files\Qlik\Sense\Repository\Postgresql\14\
    The Qlik Sense installer recreates this file, so the step must be repeated after each Qlik Sense upgrade. Qlik is actively investigating the removal of pg_dump from future installers (SHEND-2041).
    The updated pg_dump.exe in the standalone instance, for example C:\Program Files\PostgreSQL\14, is the patched version and does not need to be removed.
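
The following PowerShell script is an added example for this article, not Qlik's own code or tooling. It carries out the check a practitioner would want before and after the manual mitigation: it finds every pg_dump.exe under the Qlik-bundled and standalone PostgreSQL folders, reads each copy's version, reports whether that version predates the CVE-2024-7348 fix, and, when run with -RemoveBundled, deletes the Qlik-bundled copy if it is vulnerable while leaving the standalone instance's patched copy alone. It assumes the default install paths quoted in the article, the fixed minor releases published in the PostgreSQL advisory (12.20, 13.16, 14.13, 15.8, 16.4), and that pg_dump.exe reports its version in its file metadata or via pg_dump --version.

```powershell
<#
Added example for this article (not Qlik's own code or tooling): inventory every
pg_dump.exe on a Qlik Sense Enterprise on Windows server, report whether each copy
predates the CVE-2024-7348 fix, and optionally delete the Qlik-bundled copy as the
article's manual mitigation instructs.
Assumptions: the default install paths used in the article; the first fixed minor
release per PostgreSQL major branch is taken from the PostgreSQL advisory
(12.20, 13.16, 14.13, 15.8, 16.4); pg_dump.exe carries its version in its PE
version resource and in the output of "pg_dump --version".
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$QlikBundledDir = 'C:\Program Files\Qlik\Sense\Repository\Postgresql',
    [string]$StandaloneDir  = 'C:\Program Files\PostgreSQL',
    [switch]$RemoveBundled
)

# First minor release per major branch that contains the fix.
$FixedMinor = @{ 12 = 20; 13 = 16; 14 = 13; 15 = 8; 16 = 4 }

function Get-PgDumpVersion {
    param([string]$Path)
    # Prefer the PE version resource (no code execution needed); fall back to
    # running the binary, which prints e.g. "pg_dump (PostgreSQL) 14.17".
    $text = (Get-Item -LiteralPath $Path).VersionInfo.ProductVersion
    if (-not ($text -match '(\d+)\.(\d+)')) {
        try { $text = (& $Path --version 2>$null | Out-String) } catch { $text = '' }
    }
    if ($text -match '(\d+)\.(\d+)') {
        return [pscustomobject]@{ Major = [int]$Matches[1]; Minor = [int]$Matches[2] }
    }
    return $null
}

function Test-PgDumpFixed {
    param([int]$Major, [int]$Minor)
    if ($Major -ge 17) { return $true }                         # branch released after the fix
    if (-not $FixedMinor.ContainsKey($Major)) { return $false } # EOL branch, never patched
    return $Minor -ge $FixedMinor[$Major]
}

$candidates = foreach ($root in @($QlikBundledDir, $StandaloneDir)) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -Recurse -Filter 'pg_dump.exe' -File -ErrorAction SilentlyContinue
    }
}

foreach ($file in $candidates) {
    $v = Get-PgDumpVersion -Path $file.FullName
    if ($null -eq $v) { Write-Warning "$($file.FullName): version could not be determined"; continue }

    $fixed   = Test-PgDumpFixed -Major $v.Major -Minor $v.Minor
    $bundled = $file.FullName.StartsWith($QlikBundledDir, [StringComparison]::OrdinalIgnoreCase)
    $state   = if ($fixed) { 'patched' } else { 'VULNERABLE to CVE-2024-7348' }
    Write-Output ('{0,-75} {1}.{2,-3} {3}' -f $file.FullName, $v.Major, $v.Minor, $state)

    # Article step 2: remove the Qlik-bundled copy when it predates the fix. The
    # standalone instance's patched copy is left in place. Honors -WhatIf.
    if ($bundled -and -not $fixed -and $RemoveBundled -and
        $PSCmdlet.ShouldProcess($file.FullName, 'Delete bundled pg_dump.exe')) {
        Remove-Item -LiteralPath $file.FullName -Force
    }
}
```

Run it from an elevated PowerShell session. Without -RemoveBundled it only reports; add -RemoveBundled -WhatIf to preview the deletion and -RemoveBundled to perform it. Because the Qlik Sense installer restores the bundled binary, rerunning the script after every Qlik Sense upgrade is the practical way to keep the mitigation in place until the installer no longer ships pg_dump.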

 

Does the Qlik PostgreSQL Installer (QPI) use pg_dump.exe?

QPI does not use pg_dump.exe.

Internal Investigation ID(s)

  • QB-28706
  • SHEND-2041
Comments
dennemanr (Contributor II)
Sonja_Bauernfeind (Digital Support)

@dennemanr Fixed!

sis (Partner - Specialist II)

@Sonja_Bauernfeind , @Sebastian_Linser 

>The updated pg_dump.exe in, for example, C:\program files\postgresql\14 does not need to be removed.

Regarding the above, am I correct in my understanding that if a fixed version (14.13 or later) is manually installed, it does not need to be removed?

Also, if I have manually installed PostgreSQL, but I have a version prior to the fixed version, is it correct to recognize that you need to take action?

sis (Partner - Specialist II)

@Sonja_Bauernfeind , @Sebastian_Linser 

What is the status of the investigation regarding my question?
I'm sorry for your inconvenience, but thank you for your response.

Sonja_Bauernfeind (Digital Support)

Hello @sis 

Both steps are required. Your Standalone PostgreSQL instance will have the file stored (for example) here: C:\program files\postgresql\14

While the Qlik copy of the file is here: C:\Program Files\Qlik\Sense\Repository\Postgresql\14\ (this is the one which needs to be deleted as it will be version 14).

All the best,
Sonja

sis (Partner - Specialist II)

@Sonja_Bauernfeind 

Thanks for answering my question.

I understand that both steps are required after the PostgreSQL upgrade.
(I don't delete files stored by a standalone PostgreSQL instance. I delete the following files: C:\Program Files\Qlik\Sense\Repository\Postgresql\14)

If I installed fixed version (14.13 or later) before installing Qlik Sense, it doesn't fall under this vulnerability, and therefore no action is required in that case?

Sonja_Bauernfeind (Digital Support)

Hello @sis 

I have forwarded this question. But please note that resources are currently not as readily available and a support case may be the easiest way to keep your question tracked.

All the best,
Sonja 

Sonja_Bauernfeind (Digital Support)

@sis To confirm:

The embedded binaries are always installed. Even if you have, from the start, chosen to use a standalone PostgreSQL instance.

All the best,
Sonja

sis (Partner - Specialist II)

@Sonja_Bauernfeind 

Thanks for the info.

>Even if you have, from the start, chosen to use a standalone PostgreSQL instance.

In the above case, in the section 'How to mitigate vulnerabilities' in this article, is it sufficient to just delete the Postgresql installation folder (C:\Program Files\Qlik\Sense\Repository\Postgresql\14) without performing an upgrade?

I'm wondering if I can consider the upgrade to be already completed.

Sonja_Bauernfeind (Digital Support)

Hello @sis 

This is not a question I can answer myself. I will forward this one as well, but as before: resources are currently not as readily available so it may take time before we are able to get back to you.

All the best,
Sonja
