Security issues in Qlik Sense Enterprise for Windows have been identified, and patches have been made available. If the vulnerabilities are successfully exploited, these issues could lead to a compromise of the server running the Qlik Sense software, including remote code execution (RCE).
This issue was discovered by Qlik during internal security testing and no reports of it being maliciously exploited have been received.
All versions of Qlik Sense Enterprise for Windows prior to and including these releases are impacted:
Using the CVSS V3.1 scoring system (https://nvd.nist.gov/vuln-metrics/cvss), these issues are rated HIGH.
(CVE-pending) QB-29918, QB-29750 Remote Code Execution (RCE) via Connectors
Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 8.8 (High)
Unprivileged users with network access may be able to create connection objects that trigger the execution of arbitrary EXE files on Qlik Sense Enterprise for Windows.
(CVE-pending) QB-29586, QB-29864, QB-29482, QB-29802 - Broken Access Control (BAC)
Severity: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H 7.5 (High)
Unprivileged users with network access to a Qlik Sense Enterprise for Windows installation may be able to execute remote commands, with a high impact on availability as well as on integrity and confidentiality.
Customers should upgrade Qlik Sense Enterprise for Windows to a version containing fixes for these issues. Fixes are available for the following versions:
All Qlik software can be downloaded from our official Qlik Download page (customer login required).
A workaround is available to address the complications affecting extension and invalid visualization errors. This workaround can be applied before or after the upgrade. It has been tested successfully on all patches released on December 4th. The November 2024 release is not affected by the issue.
Does NPrinting have the ability to send NPrinting reports to a Microsoft Sharepoint or other worldwide web url address destination?
Local and Network path examples:
*This feature is not planned nor on the NPrinting road map at this time. You can check our 'ideas' page to determine if this has been requested. You can add your request at the link below if it has not: Ideation
There are environments where the cryptographic protocols available to the Windows Operating System need to be restricted for security or compliance reasons. This article will outline where various TLS versions are supported. This article will not have full coverage of the impact of TLS changes to other software installed on the Qlik Sense server. For examples of potential impacts:
To enable strong TLS implementation make sure to have all your servers updated to a version of both the operating system and the Qlik software, which explicitly details they support the required version of TLS.
If you have a clustered environment with multiple nodes spread across different machines, please make sure to enable the same subset of protocols on all Sense machines, otherwise the services will not be able to successfully communicate.
Third-party tools such as IIS Crypto can be used to enable and disable SSL or TLS. Consult your Windows administrator or network security team for what tools are usually used in your organization.
The correct protocols and ciphers can then be applied using the PowerShell (PS) scripts and making changes to the Windows Registry. Consult Microsoft or your Windows administrator for details.
IIS Crypto is an example 3rd party tool that can be used to achieve this. IIS Crypto is not supported by Qlik, but by its respective vendor, NARTAC Software. To obtain IIS Crypto, visit https://www.nartac.com/Products/IISCrypto.
A third-party certificate was configured in the Qlik Sense Proxy, but is not being used.
"The connection is not private" NET::ERR_CERT_COMMON_NAME_INVALID may be displayed on HUB access.
Qlik Sense Enterprise on Windows uses self-signed and self-generated certificates to protect communication between services, as well as user web traffic to the hub and management console. It is possible to use a third-party-issued SSL certificate to protect client web traffic. Using the self-signed certificate will cause a certificate warning to be displayed in the web browser (such as Google Chrome or Internet Explorer).
If the third-party certificate for the Qlik Sense Proxy Service is not fully compatible with Qlik Sense, or it does not have the correct attributes and ciphers, the Qlik Sense Repository Service will revert to using the default certificates. The following error may occur in the Proxy Security logs:
Example: C:\ProgramData\Qlik\Sense\Log\Proxy\Trace\HOSTNAME_Security_Proxy.txt
No private key found for certificate 'CN=qliksense.domain.com' ([CERTIFICATE THUMBPRINT HERE])
Couldn't find a valid ssl certificate with thumbprint [CERTIFICATE THUMBPRINT HERE]
Reverting to default Qlik Sense SSLCertificate
Set certificate 'CN=qliksenseserver1.domain.com' ([CERTIFICATE THUMBPRINT HERE]) as SSL certificate presented to browser
In order for Qlik Sense Enterprise to correctly recognize the third-party certificate as valid, the certificate will have to meet the following requirements:
Note: Root and Intermediate CA certificates need to be correctly installed. Should any be missing, Qlik Sense proxy will not use the server certificate and will revert back to using the self-signed certificate instead.
Certificates that are known to work well with Qlik Sense have the following attributes:
How to: Change the certificate used by the Qlik Sense Proxy to a custom third party certificate
Disclaimer: Encrypted communication between PostgreSQL database and Qlik Sense services is a supported setup. This article provides general guidance on how to enable encryption on PostgreSQL database server, but local adjustment must be applied to comply with local IT requirements. Please be aware that Qlik Support can not help setting up Database Traffic Encryption, while Qlik Consulting Services may be utilized for deployment implementation.
Qlik Sense supports database traffic encryption using SSL/TLS, but it is not enabled by default. The Qlik Sense installer cannot use SSL encryption for establishing a connection to PostgreSQL. When SSL encryption is enabled, the installer does not recognize any already installed PostgreSQL databases, and as a consequence, installation cannot be completed. Password security and local IT policy around certificate need to be considered before enabling database encryption, as the implementation includes manual configuration of the Qlik Sense deployment.
Qlik recommends that the configuration in this section is performed by someone with sufficient skills in PostgreSQL database configuration.
This article covers two scenarios for enabling Database Traffic Encryption:
Upgrades: Prior to Qlik Sense Enterprise August 2022 release, the Qlik Sense installer cannot use SSL encryption for establishing a connection to PostgreSQL. So any upgrades will fail unless you are upgrading to August 2022 and later. Prior to upgrading, disable the encryption. You can enable it again after the upgrade is complete.
See Unable to upgrade Qlik Sense with missing 'SenseServices', 'QSMQ', and 'Licenses' database for respective capabilities.
Always take a complete backup of Qlik Sense deployment before altering system configuration, to allow restoring a working state in case of disaster.
These scenarios apply the default Qlik Sense signed certificate to encrypt traffic for a PostgreSQL database. Qlik Sense signed certificate is commonly only fully trusted by Qlik Sense nodes, which means other usage may not comply with local IT policies. It is recommended that a fully trusted certificate is used when applying encrypted database traffic for production environments. Consult the local IT department for details on retrieving a fully trusted certificate.
This scenario assumes a standard Qlik Sense installation, where the Qlik Sense Repository Database is installed on the Qlik Sense central node as part of the Qlik Sense installation.
This scenario assumes a custom Qlik Sense installation, where Qlik Sense is configured to use a dedicated PostgreSQL database as its Repository Database.
You may get the errors, "A call to SSPI failed, see inner exception" and "The certificate chain was issued by an authority that is not trusted". While they should have no impact on your end-users, you'd still like to clean them up from the logs.
Qlik Sense otherwise functions without issues.
Example error:
System.Proxy.Qlik.Sense.Communication.Communication.Tcp.StreamFactory 16 c2972806-6ae3-4559-8ebf-c7c2201335f3 xx\xxx Failed to authenticate stream as Server The client and server cannot communicate, because they do not possess a common algorithm
A call to SSPI failed, see inner exception. NO-STACKTRACE
   at System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)
These, unfortunately, are not Qlik Sense errors, but rather errors from Windows that Qlik Sense reports. You should also be able to see them in your Windows Application logs. For more information, please search out Windows Support.
See Security Support Provider Interface Architecture for additional details.
Possible root causes:
This is working as designed. Qlik Sense Enterprise on Windows uses self signed certificates for service communication (Certificates | Qlik Sense for administrators Help) and as the out-of-the-box proxy certificate.
This is not considered a security vulnerability.
If you have run a security scan and receive reports of vulnerabilities which are of concern to you, see Qlik Security Vulnerability Policy on how to report them to Qlik.
To improve the security of your system, consider the following actions:
Sometimes a specific JVM version is needed rather than the shipped JVM, for example because of a known vulnerability in the JVM that requires upgrading it to a higher version. However, the new jvm folder may not contain two required security configuration files, causing Replicate to generate the following warning message:
JVM security configuration directory is missing or not a directory; unable to set the Java security policy
This warning message is reported by Replicate because the following two security configuration files are missing:
To resolve this issue, you can simply copy these two files from your backup or another Replicate server into the <Replicate folder>\jvm\conf\security folder.
#00163870
Security of Qlik Sense Enterprise on Windows can be approached in the below discrete areas. All these areas provide different options for increasing security in a deployment, and thereby mitigating vulnerabilities and protecting against attackers.
Content:
Be aware that a high level of server hardening can lead to failure in your deployment. Be mindful of always having a backup to restore to in case your configuration leads to irreversible failure.
Qlik Sense Enterprise on Windows supports multiple different Authentication Solutions:
Qlik can not specify which authentication method is appropriate for each deployment. It is advisable to review currently supported alternatives within your organization and/or Identity Provider (IdP) to implement the most suitable solution for your use case.
Qlik Sense Enterprise on Windows provides two levels of native authorization in the product.
Attribute based access control (ABAC), which is configured through Qlik Sense security rules. This article will not go in depth on how to best implement security rules for your requirements, but it is highly recommended to think of your users based on the capabilities that you intend to provide them. For example, defining different roles and capabilities, as shown in the image below, allows a security rule framework to be designed and implemented. This can be done either by yourself, by referencing Qlik Sense Help for Administrators and available assets, or by engaging a Qlik Consultant or Qlik Partner.
Row level data reduction, which is configured through Section Access at Qlik Sense app level. This article will not go in depth on Section Access implementation, but with this reduction a single file can be used to hold the data for a number of users or user groups. Qlik Sense uses the information in the section access for authentication and authorization, and dynamically reduces the data, so that users only see their own data.
Qlik Sense Enterprise on Windows inherits the available protocols, cipher suites, key exchanges and other security hardening which are enabled on the Windows Server operating Qlik Sense.
Windows Server has a lot of protocols enabled by default; however, protocols, ciphers, hashes and key exchanges that are considered deprecated or not secure enough should be disabled. There are many ways of doing this, and the Windows administrator and security experts should be consulted so that local policies are accurately applied. For a simple, clear overview, IIS Crypto 3.0 can be a good tool for evaluating the current Windows configuration and applying changes.
Keep in mind that "Best Practice" today might not be recommended in the near future: what was considered "safe" a while ago is not necessarily considered so today. For this reason, it is also important to regularly scan servers for potential vulnerabilities and revisit configurations as required.
The Windows Server needs to be restarted for these settings changes to take effect. It is also important to ensure that all components running on the server still operate as expected after hardening is applied, for example, older non-Qlik software might not be compliant with the latest options and standards.
Firewalls typically should be closed, with required ports only opened for intended purposes.
See Qlik Sense Enterprise on Windows ports overview for details on required port based on the deployed architecture.
For most organizations, local administrator rights allow for an easier deployment, but Qlik Sense Enterprise on Windows does not require local administrator rights in order to function. This can be an attractive option inside some organizations. It requires additional configuration of bootstrap mode as described in Qlik Sense Enterprise on Windows Services.
For a brief overview of the rights needed by a Qlik Sense Enterprise service account:
Qlik Sense Enterprise for Windows does not officially support Group Managed Service Accounts (gMSA), but it can operate using one. The initial barrier is that the installer requires a service account and password to be entered during installation. A domain or local account could be substituted for the install stages only to be swapped out in the Windows Services applet (services.msc) after installation. Some functionality may require workarounds (e.g. A User Directory Connection to Active Directory).
Qlik Sense Enterprise on Windows does require exceptions from anti-virus scan to avoid potential disk I/O conflicts. Refer to Qlik Sense Folder And Files To Exclude From AntiVirus Scanning for more details.
Qlik Sense Enterprise on Windows can run with Federal Information Processing Standards (FIPS) enabled on the Windows Server. This does require a few adjustments of configuration files due to Qlik using non-FIPS compliant algorithms for minor tasks like hash checks. See Running Qlik Sense on Windows systems with FIPS compliance enabled for more details on Qlik Sense and FIPS.
Qlik Sense Enterprise on Windows uses PostgreSQL to store meta-data relating to a Qlik Sense site. In multi-node sites, or sites where PostgreSQL is isolated from Qlik Sense Enterprise for Windows, additional security can be applied:
Qlik Sense Proxy service bundled with Qlik Sense Enterprise on Windows is simply a web-service. This means applying general practice guidance but in the context of Qlik Sense as described below.
Qlik Sense Enterprise on Windows acts as a Certificate Authority (CA) during initial installation and signs a certificate that is applied on all encrypted traffic between Qlik Sense services. The same Qlik Sense signed certificate is applied as default certificate also for incoming connections from users accessing Qlik Sense Hub and QMC. This default certificate is not intended for production use, unless user access to Qlik Sense comes through a network load balancer or reverse proxy that trusts the Qlik Sense certificate. For direct user access to Qlik Sense Proxy, a fully trusted certificate can typically be acquired from your local IT and then applied on the Qlik Sense Proxy service.
As of July 2019, Qlik Sense Enterprise on Windows supports SHA1 and SHA2 certificates. If SHA384 or SHA512 certificates are needed, a network load balancer or reverse proxy can be configured in front of Qlik Sense, which terminates TLS with those certificates before forwarding traffic to Qlik Sense.
There are numerous HTTP response headers that can be used in attempting to secure a server. Below are a couple of the most common ones, but as always it is recommended to consult local IT and a web security expert on what the recommendations are.
Any additional HTTP response header values can be configured in Qlik Sense Virtual Proxy settings under Additional response headers as shown in the below image and described in Qlik Sense for Administrators: Virtual Proxies. It is recommended to trial any header changes in a new virtual proxy, as poor configuration may accidentally lock you out from Qlik Sense access.
Policy is a placeholder for your policy of choice and cannot be used as a value. See Writing a Policy (Mozilla) for examples.
A virtual proxy which was configured to use Always Anonymous is not intended to be used for administration. While Qlik Sense will prompt for login when accessing the Qlik Sense Management Console (QMC), the Management Console cannot be navigated successfully.
Beginning with November 2023, access will fail with:
An error occurred
The operation failed due to insufficient privileges
As well as:
400
Bad Request
Previous version of Qlik Sense may succeed with the login but not allow navigation.
Do not use a Virtual Proxy configured to use Always Anonymous as authentication method. Always have a Virtual Proxy ready which requires authentication. For information on how to create a new Virtual Proxy, see Qlik Sense: How to create a new Virtual Proxy.
If you have locked yourself out of the Qlik Sense Management Console by modifying the only available Virtual Proxy, change the enabled authentication method directly in the Qlik Sense QSR database.
Manual steps to change the authentication method:
A secure Qlik Sense Enterprise Management Console when anonymous access is required.
SHEND-1902
Qlik Sense November 2023 & Newer
Tabular Reporting events in the management console not showing for all the users in the tabular reporting recipient list
When section access is used in a Qlik App, make sure to add all required recipients/users to the section access load script.
For example, users in the Recipient import file should ideally match the users entered in the Section Access load script of the app.
This generally permits users to view management console details such as 'Events', assuming those users also have the necessary 'view' permissions in the tenant in which the app exists.
If some of the recipients in the tabular reporting recipient list do not have access to the Space/App, they won't be considered in the task execution because they fail the governance check.
I.e.: recipients/users that are not added to the load script will not have access to the app nor to the associated management console events.
This is expected behavior.
A security issue in Qlik Sense Enterprise for Windows has been identified, and patches have been made available. If successfully exploited, this vulnerability could lead to a compromise of the server running the Qlik Sense software, including remote code execution (RCE).
This issue was responsibly disclosed to Qlik and no reports of it being maliciously exploited have been received.
All versions of Qlik Sense Enterprise for Windows prior to and including these releases are impacted:
Using the CVSS V3.1 scoring system (https://nvd.nist.gov/vuln-metrics/cvss), Qlik rates this severity as high.
CVE-2024-36077 (QB-26216) Privilege escalation for authenticated/anonymous user
Severity: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 8.8 (High)
Due to improper input validation, a remote attacker with existing privileges is able to elevate them to the internal system role, which in turn allows them to execute commands on the server.
Customers should upgrade Qlik Sense Enterprise for Windows to a version containing fixes for these issues. Fixes are available for the following versions:
All Qlik software can be downloaded from our official Qlik Download page (customer login required).
This issue was identified and responsibly reported to Qlik by Daniel Zajork.
Edited 20th of May 2024: Added recently assigned CVE number.
When patching Studio from the Feature manager, the Clean up libraries option is greyed out:
The -Dtalend.studio.m2.clean=true property ensures Studio removes obsolete jars during patching.
For more information, please review the Studio installation guide.
Talend Studio 8.0.1
HSTS (HTTP Strict-Transport-Security response header) security check failed.
HTTP Strict Transport Security (HSTS) is a policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should automatically interact with it using only HTTPS connections, which provide Transport Layer Security (TLS/SSL), unlike the insecure HTTP used alone.
Before adding HSTS to either the QlikView AccessPoint or the QlikView Management Console (QMC), set both up to use HTTPS. See QlikView AccessPoint and QMC with HTTPS and a custom SSL certificate for instructions.
Custom response headers can be set in both the QlikView WebServer (beginning with 12.30) and Microsoft IIS (all QlikView versions).
The custom header needed for HSTS is: Strict-Transport-Security
<Config>
  ...
  <Web>
    ...
    <CustomHeaders>
      <Header>
        <Name>Strict-Transport-Security</Name>
        <Value>max-age=31536000</Value>
      </Header>
    </CustomHeaders>
  </Web>
</Config>
For information on how to configure custom headers with Microsoft IIS, see Setting Custom HTTP Headers in IIS for QlikView. The site https://https.cio.gov/hsts/ gives information on how to set up the web server to enable HSTS.
Testing can be achieved using any number of third party sites, such as:
This setting was introduced with QlikView 12.70 (May 2022) SR1.
QVManagementService.exe.Config Changes:
A security issue in QlikView has been identified and patches have been made available. In both cases, a user with existing access to the Windows environment running QlikView or the QlikView plugin may be able to escalate their privileges to that of Administrator.
The issue was identified and responsibly reported to Qlik by Pawel Karwowski and Julian Horoszkiewicz from Eviden Red Team.
Qlik has received no reports of these vulnerabilities being exploited maliciously.
All versions of QlikView prior to and including the following releases are impacted:
CVE-2024-29863 (QV-25113)
Severity: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H (7.8 High)
A race condition exists in the QlikView installer executable that may allow an existing lower privileged user to cause code to be executed in the context of a Windows Administrator.
Customers should upgrade QlikView to a version containing fixes for these issues. Fixes are available for the following versions:
Pawel Karwowski and Julian Horoszkiewicz from Eviden Red Team.
This solution (modifying ServiceConfiguration.xml) is only valid for versions 6.6 to 7.0.
SSL Certificates that are imported are being replaced by Replicate’s self-assigning certificate on reboot.
RepUiCtl.exe repository export -r "c:\program files\attunity\replicate\data\GlobalRepo.sqlite" -f c:\temp\a.json
Note: You can change the temporary storage location (c:\temp) for the file destination, and adjust the first part of the command to match your environment.
The Service Configuration parameters need to be changed to allow Qlik Replicate to stop testing the HTTP URL and overriding with a self-assigned certificate.
testHttps = "false"
<ServiceConfiguration url="https://demo.com:443/attunityreplicate;http://demo.com:80/attunityreplicate" allowUnsafeProtocols="false" testHttps = "false" />
RepUiCtl.exe -d f:\data certificate clean
Qlik Replicate 6.6 - 7.0
The PostgreSQL source endpoint is set up with a privileged account (an account with a superuser role) used in the source endpoint connection. After the task's first successful run, regular users (accounts without a superuser role) cannot perform any DDL operation in the database, regardless of whether the table is included in the replication task or not; they cannot even create a new table. The errors below will show up upon any DDL operation.
In the meanwhile, DML operations continue to work; the INSERT/UPDATE/DELETE changing records can be captured and applied to target sides successfully.
Errors:
ERROR: permission denied for table attrep_ddl_audit. The SQL statement 'insert into public.attrep_ddl_audit values ...'.
There are two alternatives. Apply one.
Pros and Cons:
Update permissions. This is a straightforward but potentially work-intensive solution. Give all regular users who need to run tasks the required permissions.
Execute the function definition with the "security definer" option as a privileged account. While this option is simpler, it must be performed carefully so as not to enable misuse.
In this scenario Qlik Replicate is in fact using the default "security invoker" option in the function definition, so the audit insert runs with the privileges of the user issuing the DDL.
Grant the following permissions to the non-privileged account, see Qlik Replicate User Guide:
GRANT INSERT ON attrep_ddl_audit TO <non-privileged-user>;
GRANT DELETE ON attrep_ddl_audit TO <non-privileged-user>;
GRANT USAGE ON attrep_ddl_audit_c_key_seq TO <non-privileged-user>;
WARNING! Writing SECURITY DEFINER Functions Safely
Because a SECURITY DEFINER function is executed with the privileges of the user that owns it, care is needed to ensure that the function cannot be misused. For security, search_path should be set to exclude any schemas writable by untrusted users.
Execute the function definition with the "security definer" option as a privileged account, for example an account with superuser privilege. The complete function definition is shown below.
The code is generated by Qlik Replicate 2023.5; only the "security definer" option is added manually.
-- DROP FUNCTION public.attrep_intercept_ddl();
CREATE OR REPLACE FUNCTION public.attrep_intercept_ddl()
RETURNS event_trigger
LANGUAGE plpgsql security definer
AS $function$
declare _qry text;
BEGIN
  -- Only table-level DDL is recorded in the audit table
  if (tg_tag='CREATE TABLE' or tg_tag='ALTER TABLE' or tg_tag='DROP TABLE' or tg_tag='TRUNCATE') then
    SELECT current_query() into _qry;
    insert into public.attrep_ddl_audit
    values
    (
      default,current_timestamp,current_user,cast(TXID_CURRENT()as varchar(16)),tg_tag,0,'',current_schema,_qry
    );
    delete from public.attrep_ddl_audit;
  end if;
END;
$function$
;
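A hardened variant of the same function, added here as an example and not generated by Qlik Replicate, that applies the search_path advice from the warning above while keeping the audit row layout of the generated function. It reads the invoker's schema before pinning the path, because a function-level SET search_path = pg_catalog, pg_temp would make current_schema() return pg_catalog and change what the schema column records; the closing query confirms the function's owner and its SECURITY DEFINER flag.

```sql
-- Hardened SECURITY DEFINER version of attrep_intercept_ddl().
-- Added example (not generated by Qlik Replicate); same audit row layout as the
-- generated function, with search_path pinned for the body as the PostgreSQL
-- documentation requires for SECURITY DEFINER functions.
CREATE OR REPLACE FUNCTION public.attrep_intercept_ddl()
RETURNS event_trigger
LANGUAGE plpgsql
SECURITY DEFINER
AS $function$
DECLARE
    _qry           text;
    _caller_schema text;
    _caller_path   text;
BEGIN
    -- Capture invoker context first, while the invoker's search_path is still
    -- active. A function-level "SET search_path = pg_catalog, pg_temp" would
    -- make current_schema() return pg_catalog, changing what the audit row
    -- records. Calls are schema-qualified because the path is not pinned yet.
    _caller_schema := pg_catalog.current_schema();
    _caller_path   := pg_catalog.current_setting('search_path');

    -- Pin the path so no object in a user-writable schema (e.g. public before
    -- PostgreSQL 15) can shadow the functions, operators or table used below.
    -- is_local = true scopes the change to the current transaction.
    PERFORM pg_catalog.set_config('search_path', 'pg_catalog, pg_temp', true);

    IF tg_tag IN ('CREATE TABLE', 'ALTER TABLE', 'DROP TABLE', 'TRUNCATE') THEN
        _qry := current_query();
        INSERT INTO public.attrep_ddl_audit
        VALUES (
            DEFAULT,
            current_timestamp,
            -- current_user is now the function owner; use session_user here
            -- instead if the invoker must be recorded.
            current_user,
            CAST(txid_current() AS varchar(16)),
            tg_tag,
            0,
            '',
            _caller_schema,
            _qry
        );
        DELETE FROM public.attrep_ddl_audit;
    END IF;

    -- Restore the invoker's path for the rest of their transaction.
    PERFORM set_config('search_path', _caller_path, true);
END;
$function$;

-- Functions returning event_trigger cannot be called directly from SQL, so no
-- EXECUTE privilege needs revoking. Verify owner and SECURITY DEFINER flag:
SELECT p.proname,
       p.prosecdef                 AS security_definer,
       pg_get_userbyid(p.proowner) AS owner
FROM pg_catalog.pg_proc p
JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'public' AND p.proname = 'attrep_intercept_ddl';
```

Run it as the account that owns the function (the privileged endpoint account); the verification query should report security_definer = true and that account as owner.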
This customization is provided as is. Qlik Support cannot provide continued support for the solution. For assistance, reach out to your DBA and/or PostgreSQL related services.
#00021532, #00123792
The Windows Security Event log reports the following event:
Event ID 4768, Task Category "Kerberos Authentication Service". The account name for these entries will be "X509N:<S>CN=QlikClient".
If you are a customer currently not using a Multi-Cloud/Hybrid setup, meaning you are not distributing Apps from Client Managed into SaaS.
Option 1:
Option 2:
It is possible that the error is still seen after option one is applied. Due to the current architecture, the following services trigger the error:
[hybriddeploymentservice]
[appdistributionservice]
[qib-webchat-service]
If the Qlik Sense environment is not using a Multi-cloud deployment, you may apply the following workaround by disabling these two services:
[hybriddeploymentservice]
[appdistributionservice]
To do this:
If you are not using Qlik Webchat, you can also disable [qib-webchat-service] by following the same steps as above.
If you are a customer currently using a Multi-Cloud/Hybrid setup, meaning you are distributing Apps from Client Managed into SaaS.
With a multi-cloud setup, there is no complete workaround available as of today. It is important to mention that this is not an issue that affects in any way the security and/or stability of your Client Managed deployment. It is a result of how the affected Qlik Sense .NET microservices handle certificates in .NET Core. Addressing this shortcoming would require a significant re-design of the current architecture, which is currently not in the pipeline; we therefore recommend submitting a product idea.
To limit the number of events in question, if you are not using Qlik Webchat, you can disable [qib-webchat-service]; see the step-by-step instructions in the previous section.
Qlik Sense Enterprise on Windows
QLIK-87774, QB-274. Working as intended, please apply the resolution given in this article.