Feb 26, 2025 8:26:03 AM
Feb 19, 2025 2:00:01 AM
PostgreSQL has published a vulnerability (CVE-2025-1094) that allows SQL injection under certain conditions. For more information, see CVE-2025-1094: PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding ....
To allow quick mitigation of PostgreSQL vulnerabilities, Qlik supports running and managing your own PostgreSQL instance independently of the one shipped with Qlik Sense Enterprise on Windows. This gives you direct control of the PostgreSQL instance and lets you maintain it without a dependency on a Qlik Sense release. Subsequent database upgrades can then be performed independently, whenever needed and in accordance with your corporate security policy, as long as you stay within the supported PostgreSQL versions.
If you have already installed a standalone PostgreSQL database, or if you have used the Qlik PostgreSQL Installer (QPI) to upgrade and decouple the previously bundled database, you can upgrade PostgreSQL at any time. You control maintenance and can react immediately to PostgreSQL security advisories by upgrading to a later minor (patch) release or a later major version.
See Qlik Sense Enterprise on Windows: How To Upgrade Standalone PostgreSQL.
Verify the System Requirements of your Qlik Sense Enterprise on Windows version before committing to a PostgreSQL version; the supported PostgreSQL range depends on the Qlik Sense release.
If you have not yet installed a standalone PostgreSQL instance, the preferred way to gain direct control and upgrade at your own pace is to unbundle the repository database with the Qlik PostgreSQL Installer. For instructions, see Upgrading and unbundling the Qlik Sense Repository Database using the Qlik PostgreSQL Installer.
An alternative method of migrating to a standalone PostgreSQL instance is described in How to configure Qlik Sense to use a dedicated PostgreSQL database.
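Before and after an upgrade you want a quick answer to "is the repository database actually on a fixed release?". The PowerShell below is an added example, not part of the Qlik article and not Qlik's own tooling: it asks the server for its version with psql and compares it, as a [version] rather than as a string, against the first release of each branch that fixes CVE-2025-1094 (17.3, 16.7, 15.11, 14.16 and 13.19 from the 13 February 2025 PostgreSQL update release). The psql.exe path, port 4432 (Qlik's default repository database port) and the postgres superuser account are assumptions about your installation; adjust them.

```powershell
# Added example (not from the Qlik article): is the PostgreSQL instance behind
# the Qlik Sense Repository at or above the first release fixing CVE-2025-1094?
# Assumptions: psql.exe path, port 4432 and the "postgres" superuser account.

# First fixed release in each supported branch (PostgreSQL update release of
# 13 February 2025). Keep this table current as further CVEs are published.
$FixedVersions = @{
    17 = [version]'17.3'
    16 = [version]'16.7'
    15 = [version]'15.11'
    14 = [version]'14.16'
    13 = [version]'13.19'
}

function Test-PostgresFixedForCve20251094 {
    param([Parameter(Mandatory)][string]$ServerVersion)

    # SHOW server_version returns e.g. "14.8"; keep only the leading major.minor.
    if ($ServerVersion -notmatch '^\s*(\d+)\.(\d+)') {
        throw "Unrecognised server_version string: '$ServerVersion'"
    }
    $major = [int]$Matches[1]
    # Compare as [version], not as strings: as a string "14.8" sorts after "14.16".
    $installed = [version]"$($Matches[1]).$($Matches[2])"

    if (-not $FixedVersions.ContainsKey($major)) {
        # Branches before 13 are end-of-life and received no fix at all.
        return [pscustomobject]@{ Installed = $installed; FirstFixed = $null; Patched = $false }
    }
    [pscustomobject]@{
        Installed  = $installed
        FirstFixed = $FixedVersions[$major]
        Patched    = ($installed -ge $FixedVersions[$major])
    }
}

# Bundled 14.8 location (assumption); a standalone instance has its own path.
$Psql = 'C:\Program Files\Qlik\Sense\Repository\PostgreSQL\14.8\bin\psql.exe'

# -A unaligned, -t tuples only, -c run one command; -W prompts for the password
# rather than taking it from the command line or the environment.
$serverVersion = & $Psql -h localhost -p 4432 -U postgres -d postgres -W -Atc 'SHOW server_version;'
if ($LASTEXITCODE -ne 0) { throw "psql failed with exit code $LASTEXITCODE" }

$result = Test-PostgresFixedForCve20251094 -ServerVersion ([string]$serverVersion)
$result | Format-List
if (-not $result.Patched) {
    if ($null -eq $result.FirstFixed) {
        Write-Warning "PostgreSQL $($result.Installed) is on an end-of-life branch with no fix; move to a supported major version."
    } else {
        Write-Warning "PostgreSQL $($result.Installed) is not fixed for CVE-2025-1094; upgrade to $($result.FirstFixed) or later."
    }
}
```

Run it once before the upgrade to confirm the starting point (a bundled 14.8 reports Patched=False) and again afterwards; the second run should report an Installed value at or above FirstFixed, and it should be run against the instance Qlik Sense actually connects to, not a leftover bundled service.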
SUPPORT-896
Good day.
I went through your article as well as logging a support call, but how can we do the above if you are unable to unbundle the Repository Database? QPI does not run if your database is already on 14.8, especially with clients that have been installed recently as well as new clients.
Will it be possible to provide guidance for databases that are unable to use QPI?
Hello @Stephanus
Does this help? How to manually upgrade the bundled Qlik Sense PostgreSQL version
All the best,
Sonja
Thanks for reaching out to me.
The article that you provided does not show a way to upgrade the bundled version to a version higher than 14.8. The article above refers to that version as having the vulnerability.
The above is one of the scenarios that I have tested, and you are still unable to upgrade from 14.8 to 14.17, as it is still bundled and needs to be unbundled for the Postgres upgrade to occur. Qlik November 2024 is still bundled with Postgres 14.8. I haven't tested Feb 2025, as it is not out yet.
Hello @Stephanus
Thank you for your feedback! This was helpful since it allowed me to clarify the article better. And, yes, I did link the wrong article to you on the first pass. I misunderstood the request.
So, here is what your path should look like:
All the best,
Sonja
Hello @Sonja_Bauernfeind
I am hoping that you can assist me with a question.
Postgres is part of Qlik, which is installed on our servers behind the Azure firewall. This vulnerability relates to the Postgres that is installed on the Qlik server, as mentioned.
Our main question is whether this vulnerability can be exploited via the Qlik frontend, which we have exposed to the internet through port 443 so that our customers can access the dashboards, or whether it applies only to customers who have PostgreSQL publicly accessible.
@Marco-Silva, our security team is still assessing this vulnerability and has not released any public statements or decisions at the time of this post. You can find details of the vulnerability posted by Postgres here.
Limiting access to the backend is always the first step in security, though again this only limits access and does not resolve the vulnerability. There has been no confirmation that this vulnerability is exploitable through port 443, but, as stated, this is still being assessed, and I would advise taking the steps above to adopt the released fix and remove any chance
Best Regards,
Nick
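Whatever the outcome of the assessment, the containment step Nick describes can be made concrete. The PowerShell below is an added example, not part of this thread and not Qlik's own guidance: it lists which Windows Firewall rules currently open the repository database port inbound and to whom, adds one allow rule scoped to the Qlik nodes, and disables any earlier allow rule that opened the port to any address. It assumes the repository database listens on TCP 4432 (Qlik's default) and uses constructed placeholder addresses for the central and rim nodes; replace them with yours. It reduces exposure of the database; it does not replace the PostgreSQL upgrade.

```powershell
# Added example (not from the thread): restrict inbound access to the Qlik Sense
# Repository database port at the Windows Firewall. Containment, not a fix.
# Assumptions: TCP 4432 is the repository DB port; the node addresses are
# constructed placeholders for your central and rim nodes.
$DbPort    = '4432'
$QlikNodes = @('10.10.0.11', '10.10.0.12')

function Get-InboundAllowRulesForPort {
    param([Parameter(Mandatory)][string]$Port)
    # Walk from the port filters back to their rules and keep inbound allows only.
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq $Port } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
}

# 1. Inventory: which inbound allow rules open the DB port today, and to whom.
foreach ($rule in Get-InboundAllowRulesForPort -Port $DbPort) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    Write-Host ('{0,-55} Enabled={1} RemoteAddress={2}' -f $rule.DisplayName, $rule.Enabled, $remote)
}

# 2. Block rules win over allow rules in Windows Firewall, so do not add a broad
#    block that would also cut off the Qlik nodes. Rely on the profile default
#    inbound action being Block and add one allow scoped to the Qlik nodes.
Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction

New-NetFirewallRule -DisplayName 'Qlik Sense Repository DB (TCP 4432) from Qlik nodes only' `
    -Direction Inbound -Protocol TCP -LocalPort $DbPort `
    -RemoteAddress $QlikNodes -Action Allow -Profile Any

# 3. A pre-existing allow rule with RemoteAddress "Any" still grants access
#    regardless of the scoped rule above, so disable such rules.
Get-InboundAllowRulesForPort -Port $DbPort |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' } |
    Disable-NetFirewallRule
```

Windows Firewall does not filter loopback traffic, so services on the same host as the database keep working; every rim node and any separate standalone-database host must be in the address list or it will lose its repository connection. A second, independent layer is the server's own pg_hba.conf, which can be limited to the same node addresses so that the database refuses other sources even if a firewall rule is later loosened.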
Hi Sonja
Thank you very much for the articles and this will be very insightful.
Hello @Sonja_Bauernfeind,
Will the bundled PostgreSQL version be updated or patched via the regular Qlik Sense updates at some point, and if so, is there a timeline? We would like to keep the bundled version.
Kind Regards
Matthias
I see that Feb 2025 is out. Does that installer still have Postgres 14.8 embedded?
If so, it means that the new installer already has the vulnerability embedded, which can cause an issue for new installs, as the QPI does not work with version Nov 2023 or later.