jvandrot
Contributor

Patch NPrinting

Is there a patch planned for NPrinting to address the PostgreSQL security problem?

 

4 Replies
JonnyPoole
Employee

Which problem are you referring to? There was a PostgreSQL upgrade included in NPrinting February 2024.


 

 

jvandrot
Contributor
Author

Hello,

I'm referring to the security breach dated from February 8th, which is fixed on update 13.14.

The February version is 13.13.

https://www.postgresql.org/support/security/

 

| Reference | Affected | Fixed | Component & CVSS v3 Base Score | Description |
|---|---|---|---|---|
| CVE-2024-0985 (Announcement) | 15, 14, 13, 12 | 15.6, 14.11, 13.14, 12.18 | core server; 8.0; AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H | PostgreSQL non-owner REFRESH MATERIALIZED VIEW CONCURRENTLY executes arbitrary SQL |

Andrew_Kruger
Employee

Thanks for the post @jvandrot 

The Qlik NPrinting product team and our security team are in constant communication around various identified security topics. This item is on our radar and is being planned for resolution in a Service Release for both the Qlik NPrinting May 2023 and Qlik NPrinting February 2024 build lines.

In the meantime, it is worth noting that this vulnerability is not exploitable in Qlik NPrinting, as the product does not allow users to construct the kind of query required to exploit the vulnerability. Even though the product accepts user input (which is sanitized as part of a defense-in-depth strategy), there is no way in the product to create the kind of query required for exploitation in this scenario.
A theoretical attack would require an adversary to get direct access to the NPrinting database as well as privileged filesystem access, in addition to several other preconditions being met. If such escalated privileged access would be possible, there would be other ways to yield more gain or access.

David_Friend
Support

@jvandrot R&D will be doing a Service Release of NP with the 13.14 version, but like Andrew said, it's not a security concern for NP.