Skip to main content

Qlik.com | Qlik Help | Resources

Ask a Question

Official Support Articles

Search our knowledge base, curated by global Support, for answers ranging from account questions to troubleshooting error messages.

Recent Documents

Sort By:

Official Support Articles

Qlik Cloud: Content restricted or unavailable with Embedded Analytics User role ...

The Embedded Analytics User role is a role available in Qlik Cloud for use cases where your users should not access the Qlik Cloud hub directly. If t... Show More
The Embedded Analytics User role is a role available in Qlik Cloud for use cases where your users should not access the Qlik Cloud hub directly.

If the role has been applied to a user, the user will be denied access to experiences other than a Qlik Sense app. Admin roles can still access the Qlik Management Console.

The users will see message:

Content restricted or unavailable
Either this content does not exist or access to view this content has been restricted by the tenant administrator.

Resolution

Remove the Embedded Analytics User role from the user if the user requires access to additional experiences.
1. Open the Qlik Cloud Management Console (https://<tenant>.<region>.qlikcloud.com/console)
2. Go to Users
3. Locate the user you need to modify and click the ellipses (...) menu
4. Click Edit roles
5. Scroll to the right, to Embedded Analytics User
6. Uncheck the role
As good practice, always test your configurations in a development/test instance before deploying access control changes to your product instance.

What is the Embedded Analytics User role?

The Embedded Analytics User role is the first deny role added to Qlik Cloud, and for all users, it will prevent access to experiences other than a Qlik Sense app. Admin roles can still access the Qlik Management Console.

Why limit the user interfaces that a user can access?

Qlik customers use Qlik Sense in their own web apps (also termed 'mashups') to:
- Customize the look and feel of their analytics for internal consumers (e.g. bring all analytics into a single portal for the whole organization)
- Embed analytics into business workflows & processes to bring the data to where their users do their work (e.g. bring customer data into salesforce)
- Introduce analytics to their products or services, to improve stickiness, value to the customer, etc (e.g. a solution provider building an ERP solution may embed analytics using Qlik Sense rather than building and maintaining their own analytics solution)
Imagine the customer develops an operations dashboard that pulls together analytics from multiple Qlik Sense apps, to support daily operations tasks in the portal:

A simple web app with embedded KPIs and line charts from several Qlik Sense apps

The Qlik customer intends all customers to access these analytics only as part of their portal. A savvy user, however, could determine the URL for the Qlik Cloud tenant, navigate to the tenant, and then either:
1. Access content they should not - for example, other vizualisations in the app that aren't embedded in the portal
2. See that it's Qlik that powers the portal behind the scenes, breaking their experience
3. Use a different route for accessing access other than the portal
The Embedded Analytics User role allows tenant administrators to specify users or groups who can only access direct Qlik Sense apps, or the management console (if they have an admin role). These users will receive an error when navigating to the tenant URL, with a page which provides no onward navigation elements.

For more information about the Embedded Analytics User role, see Permissions for embedded analytics users | Help.qlik.com.

If you'd like to learn about how to embed Qlik Cloud into your web apps, take a look at embedding on qlik.dev.
Show Less
By DaveChannon 2023-11-09 / 06:47 AM Updated : 2023-11-09 / 06:47 AM

1 1343
Official Support Articles

Vulnerability Concern: Username and password sent in plain text

A penetration test shows traffic traces between a client device and a server that reveals the user's credentials. This might be flagged as a potentia... Show More
A penetration test shows traffic traces between a client device and a server that reveals the user's credentials. This might be flagged as a potential risk for man-in-the-middle (MITM) attacks in a security report.

Below images show an example of a login request through Qlik Sense form login, where the HTTP request body contains the user's credentials in plain text.

Diagnosis

In this scenario, the end-user typically enters credentials into a form on a login page. The login form usually hides the password from plain sight by masking it on the screen, but the entries are still plain text.

The communication between the client browser and server should be secured and encrypted with HTTPS so that the plain text credentials and any other content are encrypted at all times during transport between the client device and server.

An attacker does not have the required certificates, and can therefore not decrypt intercepted HTTPS traffic and the server reveal the content.

This test result is a false-positive since the penetration tool, in this case, acts as the connecting and trusted client, and thereby decrypts the traffic and consequently can also display and analyze the traffic content.

Qlik Sense on Windows defaults to HTTPS. All communication is under TLS. When a user is attempted to log in, the web browser establishes a TLS connection with the server and is able to view requests in plain text (in the browser). This does not mean the request has gone out into the world without encryption. From the provided screenshots, the target URL is omitted. I'm unable to verify if the scheme in the browser is HTTP or HTTPS (as seen in the below screenshot)

A change to your environment would require you to communicate with your support in order to reset the proxy to the default configuration.
Solution

Enforce HTTPS on all access to the server-side.

Based on the above this is not deemed to be a security vulnerability by the SSO team. This has gone through other auditors and has never reported as a security concern.

References
- Wikipedia: Man-in-the-middle attack
  https://en.wikipedia.org/wiki/Man-in-the-middle_attack
- Wikipedia: False positives and false negatives
  https://en.wikipedia.org/wiki/False_positives_and_false_negatives
Show Less
By ToniKautto 2020-08-11 / 05:10 PM Updated : 2023-02-20 / 03:50 AM

9 3796
Official Support Articles

Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-48365)

Executive Summary A security issue in Qlik Sense Enterprise for Windows has been identified, and patches have been made available. If successfully ex... Show More
Executive Summary

A security issue in Qlik Sense Enterprise for Windows has been identified, and patches have been made available. If successfully exploited, this vulnerability could lead to a compromise of the server running the Qlik Sense software, including unauthenticated remote code execution (RCE). This resolves an incomplete fix for CVE-2023-41265.

This issue was identified and responsibly reported to Qlik by Adam Crosser and Thomas Hendrickson of Praetorian.

Qlik has received reports that this vulnerability may be being used by malicious actors. Customers should confirm they have applied the necessary patches outlined in this bulletin. If there are additional questions, customers may log a case with Qlik Support.

Affected Software

All versions of Qlik Sense Enterprise for Windows prior to and including these releases are impacted:
- August 2023 Patch 1
- May 2023 Patch 5
- February 2023 Patch 9
- November 2022 Patch 11
- August 2022 Patch 13
- May 2022 Patch 15
- February 2022 Patch 14
- November 2021 Patch 16
Severity Rating

Using the CVSS V3.1 scoring system (https://nvd.nist.gov/vuln-metrics/cvss), Qlik rates this severity as critical.

Vulnerability Details

CVE-2023-48365 (QB-21683) HTTP Tunneling vulnerability in Qlik Sense Enterprise for Windows

Severity: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N (9.6 Critical)

Due to improper validation of HTTP Headers a remote attacker is able to elevate their privilege by tunnelling HTTP requests, allowing them to execute HTTP requests on the backend server hosting the repository application. This resolves an incomplete fix for CVE-2023-41265.

Resolution

Recommendation

Customers should upgrade Qlik Sense Enterprise for Windows to a version containing fixes for these issues. Fixes are available for the following versions:
- November 2023 IR
- August 2023 Patch 2
- May 2023 Patch 6
- February 2023 Patch 10
- November 2022 Patch 12
- August 2022 Patch 14
- May 2022 Patch 16
- February 2022 Patch 15
- November 2021 Patch 17
These patches include the fixes for previous issues CVE-2023-41266 and CVE-2023-41265 (link).

All Qlik software can be downloaded from our official Qlik Download page (customer login required).

Edit December 1st, 2023: Added November 2023 IR release to clarify it is not affected
Show Less
By Sonja_Bauernfeind 2023-09-20 / 10:24 AM Updated : 2023-12-01 / 09:03 AM

1 15659
Official Support Articles

Qlik Security Vulnerability Policy

Does Qlik have a defined security policy?Qlik takes the security of our products seriously. We have a dedicated team of security experts working on t... Show More
Does Qlik have a defined security policy?

Qlik takes the security of our products seriously. We have a dedicated team of security experts working on testing, hardening and securing our products. We also work closely with external security companies, our customers and partners to ensure the security of our products is of the highest standard.

Our Qlik Trust and Compliance Center provides details for compliance and security questions across all Qlik products.

What do I do if I find a security vulnerability in a Qlik product?

Please report any security vulnerability concern to Qlik Support. For an accurate an detailed evaluation of a potential security vulnerability, it is important to clear describe the scenario in which a vulnerability has been exposed. This includes describing the steps for how security is compromised and what detail can be exposed by an attacker.

Notice, that generic test reports from 3rd auditing tools typically do not include detailed steps of vulnerability exposure in their security report. These reports commonly referring to potential risk based patterns, they do not actually expose a vulnerability as part of their system evaluation. Consequently this means that the default report details are not enough for Qlik to take any immediate action on based on the raised concern. Please consult 3rd party security auditor or local security expert for complete test case details before reporting support case with Qlik.

To enable qualified and efficient investigation and action by Qlik, please report each vulnerability concern as an individual support case with Qlik Support. This means that each concern raised in a 3rd party test report must be reported as a separate support case.

For each case consider adding as much detail as possible, in line with below items:
- Qlik product name
- Qlik product version
- Test case subject/name (if based on test report)
- Complete penetration test report (attach full report for reference)
- Name of security tool used for testing
- Details of how to replicate the vulnerability
  - Step by step description on how to expose vulnerability
  - Recording of reproduction
  - Supporting material, e.g. logs, traffic traces or screenshots
- Vulnerability impact
  - Type of information exposed
  - Unauthorized access to content
- CVSS score if provided by security auditor
Show Less
By Sonja_Bauernfeind 2015-08-28 / 03:00 AM Updated : 2022-11-10 / 03:15 AM

6 11244
Official Support Articles

Qlik Sense Enterprise on Windows: PostgreSQL vulnerabilities CVE-2023-2454 and C...

PostgreSQL has identified two security issues. As Qlik Sense Enterprise on Windows relies on PostgreSQL for its repository, we want to provide you wit... Show More
PostgreSQL has identified two security issues. As Qlik Sense Enterprise on Windows relies on PostgreSQL for its repository, we want to provide you with steps on how to mitigate the vulnerabilities.
- CVE-2023-2454
  
  This enabled an attacker having database-level CREATE privilege to execute arbitrary code as the bootstrap superuser. Database owners have that right by default, and explicit grants may extend it to other users.
- CVE-2023-2455
  
  While CVE-2016-2193 fixed most interaction between row security and user ID changes, it missed a scenario involving function inlining. This leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.
Resolution

With the next major Qlik Sense Enterprise on Windows release (August 2023), Qlik will update its bundled PostgreSQL database to the latest 14.x version.

As a mitigation for any previous releases, including May 2023, we offer the Qlik Postgres Installer (QPI) to migrate from 9.6 or 12.5 embedded databases to 14.8. We validated PostgreSQL 14.x for all releases back to February 2022.

Download the Qlik Postgres Installer versions 1.3.0 here.

There are two possible scenarios which may apply to you:

Scenario 1

Upgrading your PostgreSQL database for Qlik Sense February 2022 (or later) while not having used the QPI yet

Use the new Qlik Postgres Installer (version 1.3.0) to upgrade to Postgres 14.8 and migrate Postgres with QPI. Follow the instructions in Upgrading Qlik Sense Repository Database using the Qlik PostgreSQL Installer.

Download the Qlik Postgres Installer versions 1.3.0 here.

Scenario 2

Upgrading your PostgreSQL on February 2022 (or later) if you have already migrated to 12.x within QPI

If you have previously used the Qlik Postgres Installer (version 1.2.1 or earlier), you can simply install the latest PostgreSQL version (within your major release) and install it on top of your current 12.x database.

Steps:
1. Download the latest PostgreSQL installer within the major release you have installed (Download PostgreSQL | Enterprisedb.com).
  
  Example: You have used the old QPI to upgrade to 12.5. You can now easily upgrade to a later version in the same major release, such as 12.15.
2. Stop the Qlik Sense services. Leave the postgresql-x64-12 service running.
3. Run the downloaded installer as an administrator.
4. The installer will guide you through the upgrade procedure.
5. Start the Qlik Sense services.
Related Content

https://www.cybersecurity-help.cz/vdb/SB2023051138
Download PostgreSQL | Enterprisedb.com

Environment

Qlik Sense Enterprise on Windows all versions
Show Less
By Sebastian_Linser 2023-05-17 / 09:47 AM Updated : 2023-05-31 / 05:35 AM

14 3927
Official Support Articles

Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-41266, C...

Executive Summary Two security issues in Qlik Sense Enterprise for Windows have been identified and patches made available. If the two vulnerabilitie... Show More
Executive Summary

Two security issues in Qlik Sense Enterprise for Windows have been identified and patches made available. If the two vulnerabilities are combined and successfully exploited, these issues could lead to a compromise of the server running the Qlik Sense software, including unauthenticated remote code execution (RCE).

These issues were identified and responsibly reported to Qlik by Adam Crosser and Thomas Hendrickson of Praetorian.

Qlik has received reports that this vulnerability may be being used by malicious actors. Customers should confirm they have applied the necessary patches outlined in this bulletin. If there are additional questions, customers may log a case with Qlik Support.

Affected Software

All versions of Qlik Sense Enterprise for Windows prior to and including these releases are impacted:
- May 2023 Patch 3
- February 2023 Patch 7
- November 2022 Patch 10
- August 2022 Patch 12
Severity Rating

Using the CVSS V3.1 scoring system (https://nvd.nist.gov/vuln-metrics/cvss), Qlik rates one as high severity and one as critical.

Vulnerability Details

CVE-2023-41266 (QB-21220) Path traversal in Qlik Sense Enterprise for Windows

Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N (8.2 High)

Due to improper validation of user supplied input, it is possible for an unauthenticated remote attacker to generate an anonymous session which allows them to perform HTTP requests to unauthorized endpoints.

CVE-2023-41265 (QB-21222) HTTP Tunneling vulnerability in Qlik Sense Enterprise for Windows

Severity: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N (9.6 Critical)

Due to improper validation of HTTP Headers a remote attacker is able to elevate their privilege by tunnelling HTTP requests, allowing them to execute HTTP requests on the backend server hosting the repository application.

Resolution

Recommendation

Customers should upgrade Qlik Sense Enterprise for Windows to a version containing fixes for these issues. Fixes are available for the following versions:
- August 2023 Initial Release
- May 2023 Patch 4
- February 2023 Patch 8
- November 2022 Patch 11
- August 2022 Patch 13
All Qlik software can be downloaded from our official Qlik Download page (customer login required).
Show Less
By Sonja_Bauernfeind 2023-08-29 / 09:14 AM Updated : 2023-12-05 / 03:22 AM

1 29668
Official Support Articles

Qlik Sense Enterprise on Windows: Cross Site Scripting (XSS) protection HTTP hea...

Content-Security-Policy (current) or X-XSS-Protection (outdated) headers are not set by default after installing Qlik Sense Enterprise on Windows. Wh... Show More

Content-Security-Policy (current) or X-XSS-Protection (outdated) headers are not set by default after installing Qlik Sense Enterprise on Windows.

While potentially great for improving site security, Qlik has no authority over the environment Qlik Sense is deployed in. If the specific custom header or other headers are deemed necessary, they can be added to the virtual proxy from the Qlik Sense Enterprise Management panel. See Qlik Sense for Administrators: Virtual Proxies.

Related Content

Qlik Sense Enterprise on Windows: Securing and Hardening Server
Show Less

By Sonja_Bauernfeind 2023-08-07 / 06:36 AM Updated : 2023-08-07 / 06:36 AM

0 198
Official Support Articles

Qlik Sense Enterprise on Windows: Information Leak in /api/about/v1/thirdParty

Security vulnerability scan report may refer to "System Information Leak" in the response from the About Service API end-point /api/about/v1/thirdPart... Show More

Security vulnerability scan report may refer to "System Information Leak" in the response from the About Service API end-point /api/about/v1/thirdParty.

This API returns a list of third-party software that is installed in the product. Details include information about copyright, version, licensing, and legal notices.

The disclaimer text of some third-party components may include IP address references. These references come from the third-party provider's disclaimer or open-source license details. The IP address references do not refer to details from the installed environment.

For example, an internal IP address (10.x.x.x) is referred to in the disclaimer text for the Torch Cephes Math Library. This reference is part of the library's open-source license https://github.com/deepmind/torch-cephes/blob/master/LICENSE.txt.

Resolution

Third-party software details contain disclaimer text as required for the third-party software provider.
IP references in third-party software disclaimers can be considered false-positive test results.

Qlik can not alter the third-party vendor disclaimers.

Related Content

Third Party: Get | Qlik Sense for developers Help
False Positive

Environment

Qlik Sense Enterprise on Windows
Show Less

By ToniKautto 2023-08-02 / 03:55 PM Updated : 2023-08-03 / 02:10 AM

0 151
Official Support Articles

Multi-Factor Authentication Not supported in QlikView

QlikView is an identity consumer, not an authentication provider. Based on this premise, QlikView cannot support Multi-Factor Authentication. If the i... Show More

QlikView is an identity consumer, not an authentication provider. Based on this premise, QlikView cannot support Multi-Factor Authentication.

If the identity provider can pass the identity to QlikView in a manner it can consume after it's authenticated, then it would work. Still, it is a matter of sending an identity in a format QlikView can consume.

As such, MFA (Multi-Factor Authentication) is not supported.

Qlik Cloud and Qlik Sense Enterprise on Windows support Multi-Factor Authentication.

Related Content:

Qlik Cloud: Configuring Multi-Factor Authentication (MFA)
Qlik Sense Enterprise on Windows: Authentication solutions

Show Less

By Lucas_Gatling 2023-05-11 / 04:24 AM Updated : 2023-05-11 / 04:24 AM

0 256
Official Support Articles

Change QlikView Services communication from Windows Group Authentication to Cert...

The QlikView Services communication can be changed from the traditional Windows Group Authentication to Certificate Trust. For basic instructions, s... Show More
The QlikView Services communication can be changed from the traditional Windows Group Authentication to Certificate Trust.

For basic instructions, see Configuring servers with digital certificates.

If the services need to be manually reconfigured, each service needs to have its configuration files modified.
1. Stop all Services.
2. Change the “UseWinAuthentication” entry from “true” to “false” in the following files:
  
  C:\Program Files\QlikView\Management Service\QVManagementService.exe.config
  
  C:\Program Files\QlikView\Directory ServiceConnector\QVDirectoryServiceConnector.exe.config
  
  C:\Program Files\QlikView\Distribution Service\QVDistributionService.exe.config
  
  If using QlikView WebServer, C:\Program Files\QlikView\Server\Web Server\QVWebServer.exe.config
  
  If using IIS, the 2 following files: C:\Program Files\QlikView\Server\Web Server Settings\QVWebServerSettingsService.exe.config and C:\Program Files\QlikView\Server\QlikViewClients\QlikViewAjax\web.config
3. Open the C:\ProgramData\QlikTech\QlikViewServer\Settings.ini file in Notepad and add EnableSSL=1 or change the 0 to a 1 in the [Settings 7] section. Make sure its the first entry after save and close the file.
4. (For 12.50 and later:) Open the C:\Program Files\QlikView\ServiceDispatcher\services.conf file.
  Change from -qv-auth-mode=ntlm to -qv-auth-mode=cert
5. Start up the services in the the following order:
  
  Qlikview Management Service, check if the certificates are getting generated under C:\ProgramData\QlikTech\LicenseService\Exported Certificates\ those are needed for the License Service
  
  Start the Qlikview Service Dispatcher Service
  
  Start all the other services any order.
6. An additional step is necessary. Services will fail to start due to undecryptable data at first. At start-up, each service validates all its encrypted data entries to ensure they are accessible. If the service encounters data that cannot be decrypted, it reports an error and stops execution.
  
  Erase corrupted data by temporarily enabling the hidden configuration EraseUndecryptableData flag.
  
  In each of the above-mentioned configuration files (except the QlikView Server settings.ini), add the EraseUndecryptableData entry and set it to true.
  
  Example:
  <add key="UseWinAuthentication" value="true"></add> <add key="EraseUndecryptableData" value="true"></add>
7. Start each service (QlikView Management Service, Distribution Service, Directory Service Connector, WebServer Service) once.
8. Stop the service again, open the configuration file and remove the EraseUndecryptableData entry.
9. Save the file.
10. Restart the services one by one.
Environment:

QlikView
Show Less
By Sebastian_Linser 2022-04-29 / 05:10 AM Updated : 2023-04-26 / 02:51 AM

3 389
Official Support Articles

Qlik NPrinting and CVE-2022-37026 (Erlang version)

To address CVE-2022-37026, upgrade Qlik NPrinting to any version past May 2022 SR3. Environment Qlik NPrinting Internal Investigation ID(s) 000616... Show More

To address CVE-2022-37026, upgrade Qlik NPrinting to any version past May 2022 SR3.

Environment

Qlik NPrinting

Internal Investigation ID(s)

00061646
Show Less

By Sonja_Bauernfeind 2023-04-24 / 04:00 AM Updated : 2023-04-24 / 04:00 AM

0 373
Official Support Articles

Qlik Sense Enterprise on Windows: Compatibility information for third-party SSL ...

A third-party certificate was configured in the Qlik Sense Proxy, but is not being used. The connection is not private" NET::ERR_CERT_COMMON_NAME_INVA... Show More
A third-party certificate was configured in the Qlik Sense Proxy, but is not being used.

The connection is not private" NET::ERR_CERT_COMMON_NAME_INVALID may be displayed on HUB access.

Qlik Sense Enterprise on Windows uses self-signed and self-generated certificates to protect communication between services, as well as user web traffic to the hub and management console. It is possible to use a third-party-issued SSL certificate to protect client web traffic. Using the self-signed certificate will cause a certificate warning to be displayed in the web browser (such as Google Chrome or Internet Explorer).

If the third-party certificate for the Qlik Sense Proxy Service is not fully compatible with Qlik Sense or it does not have the correct attributes and cyphers, the Qlik Sense Repository Service will revert to using the default certificates. The following error may occur in the Proxy Security logs:

Example: C:\ProgramData\Qlik\Sense\Log\Proxy\Trace\HOSTNAME_Security_Proxy.txt

No private key found for certificate 'CN=qliksense.domain.com' ([CERTIFICATE THUMBPRINT HERE]) Couldn't find a valid ssl certificate with thumbprint [CERTIFICATE THUMBPRINT HERE] Reverting to default Qlik Sense SSLCertificate Set certificate 'CN=qliksenseserver1.domain.com' ([CERTIFICATE THUMBPRINT HERE]) as SSL certificate presented to browser

Resolution:

In order for Qlik Sense Enterprise to correctly recognize the third-party certificate as valid, the certificate will have to meet the following requirements:

Note: Root and Intermediate CA certificates need to be correctly installed. Should any be missing, Qlik Sense proxy will not use the server certificate and will revert back to using the self-signed certificate instead.

Certificates that are known to work well with Qlik Sense have the following attributes:
- Certificates that are x509 version 3. More information including filename extensions under https://en.wikipedia.org/wiki/X.509
- Use signature algorithm sha256RSA
- Use signature hash algorithm sha256
- Signed by a valid, and OS/browser configured , CA
- Are valid according to date restrictions (valid from/valid to)
- Key in format CryptoAPI (not in CNG)
- The certificate itself has to contain private key no matter what Qlik Sense version.
Related Content:

How to: Change the certificate used by the Qlik Sense Proxy to a custom third party certificate

Show Less
By Mario_Petre 2017-04-26 / 06:53 AM Updated : 2023-02-21 / 07:18 AM

6 21224
Official Support Articles

Question regarding Qlik Replicate and a Java SE Vulnerability

It was reported that Qlik Replicate May 2022 (2022.5.0.291) version reports a Java SE vulnerability: Plugin Output: Path : /opt/attun... Show More
It was reported that Qlik Replicate May 2022 (2022.5.0.291) version reports a Java SE vulnerability:

Plugin Output: Path : /opt/attunity/replicate/jvm/ Installed version : 11.0.14 Fixed version : Upgrade to version 11.0.16 or greater CVE-2022-21426,CVE-2022-21434,CVE-2022-21443,CVE-2022-21449,CVE-2022-21476,CVE-2022-21496 CVE-2022-21540,CVE-2022-21541,CVE-2022-21549,CVE-2022-25647,CVE-2022-34169

Environment
- Qlik Replicate version May 2022
- Linux
Resolution

Qlik Data Integration products use JVM version 11 for QEM/Replicate and also JVM version 8 for Compose.

There is no need to patch Qlik Replicate itself.

To address the security report, you can independently upgrade Java SE to 11.0.17 on the server Qlik Replicate is running on.

Internal Investigation ID(s)

7345
Show Less
By Dana_Baldwin 2023-02-08 / 01:57 PM Updated : 2023-02-10 / 07:31 AM

0 509
Official Support Articles

Are Qlik Replicate Instances non-PCI Compliant?

A security scan may report that Qlik Replicate instances are non-PCI compliant due to weak SSL ciphers on ports 443, 3389 and 3552. Out of these ports... Show More
A security scan may report that Qlik Replicate instances are non-PCI compliant due to weak SSL ciphers on ports 443, 3389 and 3552.

Out of these ports, 443 and 3552 are used by Qlik. Port 3389 is RDP.

Environment
- Qlik Replicate
- Windows
Resolution

The security of Qlik products does not depend only on the Qlik software. It also relies on the security of the environment that, in this case, Qlik Replicate operates in. This means that the security of, for example, the operating system and the cryptographic protocols (such as TLS/SSL) has to be set up and configured to provide the security needed for Qlik Replicate.

Qlik cannot offer advice on how to configure Windows to disable certain ciphers which customer security guidelines forbid.

For information on how to mitigate these reports, please see: https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings.

Lucky 13 and Sweet 32 are the versions which are not compliant for port 3552.

Luck-13 (https://crashtest-security.com/prevent-ssl-lucky13/) and Sweet-32 (https://crashtest-security.com/prevent-ssl-sweet32/) are not versions, nor are they ciphers that Replicate uses on port 3552. Those are old vulnerabilities (5Y+) that are either mitigated in the version of OpenSSL currently used in Qlik Replicate (with its cipher selection) or is otherwise impractical or irrelevant in the way Qlik Replicate works.
Show Less
By Dana_Baldwin 2023-02-08 / 01:27 PM Updated : 2023-02-10 / 07:38 AM

0 209
Official Support Articles

Server Information In HTTP Header - Microsoft-HTTPAPI/2.0

HTTP Response Header exposes Microsoft-HTTPAPI/2.0 as the server source. An attacker could use this information to expose known vulnerabilities for th... Show More
HTTP Response Header exposes Microsoft-HTTPAPI/2.0 as the server source. An attacker could use this information to expose known vulnerabilities for the server source.

Resolution

This header is included in the HTTP header by .NET framework, which means it can not be directly controlled by Qlik software.
The header is only added in Qlik software that runs in Windows environment, for example Qlik Sense Enterprise for Windows and QlikView Web Server.

There are two main approaches to removing this HTTP header;
1. Disable the server header for WCF Services in the Windows registry, as described in https://blogs.msdn.microsoft.com/dsnotes/2017/12/18/wswcf-remove-server-header/
2. Suppress the HTTP header through a reverse proxy if this exists in front of Qlik Sense in the current deployment. For option details on this option, consult reverse proxy documentation. If you require assistance implementing the solution, our professional services are happy to be engaged.
Environment

Qlik Sense Enterprise on Windows, all version
QlikView, all versions
Qlik NPrinting, all versions

Internal Investigation IDs:
- QLIK-90522
Show Less
By Sonja_Bauernfeind 2018-09-05 / 10:11 PM Updated : 2023-02-06 / 02:22 AM

2 7971
Official Support Articles

Mitigating against clickjacking in Qlik Sense and QlikView, X-FRAME Options in r...

Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a b... Show More
Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.

Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker. (source)

In Qlik Sense and QlikView, using the default setup, it is possible to embed a Qlik Sense site or a QlikView App into an iframe external to the site and, potentially, capture credentials.

The main defence against this potential vulnerability is to set the X-Frame-Options Response Headers in the requests. This governs whether a browser should or should not render a page inside an iFrame.

There are a handful of values that can be configured. The support for those dependent on the web browser, so do investigate the type of X-Frame-Option that you are setting.

Qlik Sense

To mitigate against this you need to specify the X-Frame-Options. Possible values are “DENY”, “SAMEORIGIN” or “ALLOW-FROM”. See Clickjacking Defense Cheat Sheet.
1. Open the Qlik Sense Management Console
2. Navigate to the Virtual Proxy used in the implementation
3. Click Edit
4. Select Advanced in the right-hand side menu
5. Locate Additional response headers
6. Add: X-Frame-Options: SAMEORIGIN
QlikView

QlikView allows for the use of custom headers (much like Qlik Sense) natively beginning with the 12.30 release.

See QlikView WebServer: Custom HTTP Header.

You can also implement them using IIS if IIS is being used as the web server: Setting Custom HTTP Headers in IIS for QlikView.

Related Content

Qlik Sense: using " X-Frame-Options: ALLOW-FROM" limitation

How to allow Qlik Sense to be embedding in an iFrame only from specific websites

Environment

QlikView
Qlik Sense Enterprise on Windows
Show Less
By Andre_Sostizzo 2016-07-20 / 05:21 PM Updated : 2022-11-14 / 06:09 AM

5 3321
Official Support Articles

Qlik and OpenSSL vulnerability CVE-2022-3996

Are Qlik products affected by OpenSSL vulnerability CVE-2022-3996? No, Qlik Products do not use the versions impacted by this vulnerability and are th... Show More

Are Qlik products affected by OpenSSL vulnerability CVE-2022-3996?

No, Qlik Products do not use the versions impacted by this vulnerability and are therefore not affected by it.

Show Less

By Damien_Villaret 2022-12-22 / 09:46 PM Updated : 2022-12-29 / 02:02 AM

0 393
Official Support Articles

Attacker can upload a malicious file in the application with a double extension ...

How to mitigate if an attacker uploads a malicious file in the application with a double extension in Qlik Sense? The XML files can be used for data i... Show More
How to mitigate if an attacker uploads a malicious file in the application with a double extension in Qlik Sense?

The XML files can be used for data ingestion. By default XML is disabled, but we do provide the ability to allow list XML as a data type.

Uploading an XML with Javascript (XSS) will allow a malicious user to run code in the context of the targeted user's session.

Environment

Qlik Sense Enterprise on Windows February 2022 and previous versions.

Resolution

Add the following flag in the "C:\Program Files\Qlik\Sense\Repository\Repository.exe.conf" file,
```

<add key="ScanXmlFileForScripts" value="true" />
```
Upon detecting the script within the XML file, the User will be warned that the file can not be uploaded.

Or the below error based on the Qlik Sense version,

Fix Version:

Qlik Sense Enterprise on Windows May 2022.

From Qlik Sense May 2022 and onwards, The Qlik Sense Repository Service scans for script tags in XML files uploaded to AppContent or Content Library.
- Uploading objects to content libraries
- Uploading an image to the app content folder
Cause
- QB-1693
- QB-8378
- QB-11820
To allowlist XML files in Qlik Sense May 2022 and later versions, please contact the Qlik Support Team via Live chat or Submit a case!

Show Less
By Rakesh_Basappa 2022-11-30 / 10:12 AM Updated : 2022-11-30 / 10:13 AM

0 262
Official Support Articles

Qlik Sense on Windows: Setup Database Traffic Encryption

Disclaimer: Encrypted communication between PostgreSQL database and Qlik Sense services is a supported setup. This article provides general guidance o... Show More
Disclaimer: Encrypted communication between PostgreSQL database and Qlik Sense services is a supported setup. This article provides general guidance on how to enable encryption on PostgreSQL database server, but local adjustment must be applied to comply with local IT requirements. Please be aware that Qlik Support can not help setting up Database Traffic Encryption, while Qlik Consulting Services may be utilized for deployment implementation.

Qlik Sense supports database traffic encryption using SSL/TLS, but it is not enabled by default. The Qlik Sense installer cannot use SSL encryption for establishing a connection to PostgreSQL. When SSL encryption is enabled, the installer does not recognize any already installed PostgreSQL databases, and as a consequence, installation cannot be completed. Password security and local IT policy around certificate need to be considered before enabling database encryption, as the implementation includes manual configuration of the Qlik Sense deployment.

Qlik recommends that the configuration in this section is performed by someone with sufficient skills in PostgreSQL database configuration.

This article covers two scenarios for enabling Database Traffic Encryption;
1. PostgreSQL database installed locally with the Qlik Sense installer
2. Qlik Sense referred to the existing database during the installation
Upgrades: Prior to Qlik Sense Enterprise August 2022 release, the Qlik Sense installer cannot use SSL encryption for establishing a connection to PostgreSQL. So any upgrades will fail unless you are upgrading to August 2022 and later. Prior to upgrading, disable the encryption. You can enable it again after the upgrade is complete.

See Unable to upgrade Qlik Sense with missing 'SenseServices', 'QSMQ', and 'Licenses' database for respective capabilities.

Always take a complete backup of Qlik Sense deployment before altering system configuration, to allow restoring a working state in case of disaster.

These scenarios apply the default Qlik Sense signed certificate to encrypt traffic for a PostgreSQL database. Qlik Sense signed certificate is commonly only fully trusted by Qlik Sense nodes, which means other usage may not comply with local IT policies. It is recommended that a fully trusted certificate is used when applying encrypted database traffic for production environments. Consult the local IT department for details on retrieving a fully trusted certificate.

Scenario 1: PostgreSQL database installed locally with the Qlik Sense installer

This scenario assumes a standard Qlik Sense installation, where the Qlik Sense Repository Database is installed on the Qlik Sense central node as part of the Qlik Sense installation.
1. Complete installation of Qlik Sense Enterprise on Windows as described in Qlik Sense Help for Administrators: Installing Qlik Sense Enterprise on Windows.
2. Enable encryption as described in Qlik Sense Help for Administrators: Database traffic encryption
Scenario 2: Qlik Sense referred to the existing database during the installation

This scenario assumes a custom Qlik Sense installation, where Qlik Sense is configured to use a dedicated PostgreSQL database as its Repository Database.
1. Install and configure a standalone PostgreSQL database server as described in Qlik Sense Help for Administrators: Installing and configuring PostgreSQL
2. Install Qlik Sense central node connected to an existing repository database as described in Qlik Sense Help for Administrators: Installing Qlik Sense on a single node
3. Install Qlik Sense rim nodes if required as described in Qlik Sense Help for Administrators: Installing Qlik Sense in a multi-node site
4. Enable encryption PostgreSQL database and all Qlik Sense nodes as described in Qlik Sense Help for Administrators: Database traffic encryption
Show Less
By Bastien_Laugiero 2018-02-05 / 03:36 AM Updated : 2022-11-14 / 03:50 AM

7 3450
Official Support Articles

Qlik Replicate and CVE-2022-42889 Vulnerability

The vulnerability listed for CVE-2022-42889 is isolated ONLY to the Qlik Replicate Salesforce Incremental Load Endpoint. Any other supported endpoint... Show More

The vulnerability listed for CVE-2022-42889 is isolated ONLY to the Qlik Replicate Salesforce Incremental Load Endpoint.

Any other supported endpoints are not affected.

For more information on CVE-2022-42889, see: https://sysdig.com/blog/cve-2022-42889-text4shell/

Environment

Qlik Replicate

Expected behavior:

The Custom Endpoints SDK should use a released version of Apache Commons Text >= 1.10.0 that addresses the vulnerability.

Actual behavior:

The Custom Endpoints SDK uses a released version of Apache Commons Text < 1.10.0.

Defect:

RECOB- 6171

The issue will be fixed in our next Qlik Replicate future release. Please refer to the Qlik Replicate Release notes for details.

Customers who are not using the Qlik Replicate “Salesforce Incremental Load Endpoint” endpoint can delete the salesforce-source-endpoint.jar so it does not come up in scans.

Please note the Qlik Compose and Enterprise Manager are not vulnerable.

Show Less

By Nanda_Ravindra 2022-11-01 / 06:30 AM Updated : 2022-11-01 / 06:30 AM

0 224

Subscribe by Topic