
Node.js Vulnerability - FAQ

Sonja_Bauernfeind
Digital Support

Last Update: Jun 7, 2021 2:37:45 PM

Updated By: Frank_S

Created date: Mar 5, 2020 4:13:16 PM

We recently released Qlik Sense patches for specific versions that address the Node.js security vulnerability. For more information, please see SB: Qlik and Node.js February 2020 Security Updates. Here are some of the Frequently Asked Questions regarding this update: 

FAQ 

Which initial version of Qlik Sense is the vulnerability addressed in? 

The initial fixed version is February 2020. All versions going forward will have the fix included. 


Which Qlik Sense patches address the vulnerability? 

The following patches address the vulnerability, but recreating the root certificate after the upgrade may be required. See Recreating Qlik Sense root CA certificate (script based back-up and removal of existing certificates...

  • February 2019 Patch 8 

  • April 2019 Patch 8 

  • June 2019 Patch 11 

  • September 2019 Patch 7 

  • November 2019 Patch 6 

Any additional patches in these tracks will also include the fix. 

Do I need to upgrade? 

Yes, you will need to upgrade. 


When do I need to upgrade? 

As soon as possible. Please refer to best practices when upgrading (see Patching Qlik Sense).


What happens if I don’t upgrade? 

Qlik will not take responsibility for any security breach within your environment. 


How do I upgrade?

Please see Patching Qlik Sense on the Help site for specific steps. It’s important to note the additional steps for recreating the certificates due to the Node.js vulnerability. Please use the following materials for more guidance on recreating the certificates: 


If I run the PowerShell script and it fails, how do I recover/proceed?

We are quite confident the PowerShell script for recreating the certificates (see Addressing NodeJS vulnerabilities - Recreating the Qlik Sense Root Certificate (Root CA)) will run smoothly. However, should any issues arise, please try manually recreating the certificates (Manually Recreating The Qlik Sense Root CA). If there are any other issues or questions, please contact Qlik Support.


How do I confirm the PowerShell script for recreating the certificates ran successfully?

Once the certificate has been recreated, use the C2 Validator to confirm that the certificate is good.


Do I need to recreate the Qlik Sense certificates? 

If the initial version that Qlik Sense was installed with was prior to June 2019, then yes, the certificates need to be recreated. Please see the release notes for more information: 

Release notes by Qlik Sense patch:

  • February 2019 Patch 8: Release Notes

  • April 2019 Patch 8: Release Notes

  • June 2019 Patch 11: Release Notes

  • September 2019 Patch 7: Release Notes

  • November 2019 Patch 6: Release Notes

 

Why do I need to recreate the Qlik Sense certificates? 

For the new version of Node.js to be compatible with Qlik Sense, the Qlik Sense certificates need to be recreated. 

 

What version(s) should I apply if I am looking to upgrade to a more recent version? 

We recommend upgrading to the latest version. However, we know that is not always possible. Regardless of the track you upgrade to, you will first need to apply the Initial Release (IR) then apply the latest patch for that track. Example: If you’re currently on June 2019 Patch 10 and would like to upgrade to the November 2019 track, you will need to apply November 2019 IR first then apply November 2019 Patch 6. 


I have recreated my certificates. Do I need to update the certificates anywhere else? 

You will also have to replace the Qlik Sense root certificate with the newly created one in the following cases:

  • Your Qlik Sense deployment is connected with Qlik NPrinting, Qlik multi-cloud setups, or any other external tools or configurations. 

  • You have configured QlikView Distribution Service for distribution of links to QlikView documents to the Qlik Sense hub. 


If I upgrade to February 2020, do I need to recreate the certificates? 

No, you do not have to recreate the certificates. The February 2020 installer will recreate the certificates for you. Verify the certificates were created successfully by using the C2 Validator tool. 

 

Comments
gdrabla
Contributor

@Sonja_Bauernfeind @Frank_S - We are on Qlik Sense November 2019 Release, Version qliksenseserver:13.51.4. Our Vulnerability Scanning Team is scanning our servers and reporting the vulnerability "TLS/SSL Server Supports The Use of Static Key Ciphers", but we have disabled our TLS ciphers through the IIS Crypto 3.2 tool. Is it possible for you to provide input on which release version these vulnerabilities are fixed in?

Would appreciate your feedback.

  Port Username Process Process Description Name Location
  5929 <Service Account> node.exe Node.js: Sever-side javascript C:\Program Files\Qlik\Sense\ServiceDispatcher\Node
9090 node.exe Node.js: Sever-side javascript C:\Program Files\Qlik\Sense\ServiceDispatcher\Node

 

Sonja_Bauernfeind
Digital Support

Hello @gdrabla 

You are running the initial release of Qlik Sense November 2019. The relevant fix versions are listed in this article. If you were to plan on staying on November 2019, you would need to upgrade to at least SR6.

Please note though that the 2019 release of Qlik Sense is no longer supported. Should you require assistance from us to further investigate, please look into upgrading to a supported version such as the 2022 releases.

All the best,
Sonja 

gdrabla
Contributor

@Sonja_Bauernfeind - Thank you, appreciate it. We will get in touch with our Account Rep for the next course of steps. In the meantime, I will shortly be posting a question on SSL certificates at this link: https://community.qlik.com/t5/Knowledge/How-to-change-the-certificate-used-by-the-Qlik-Sense-Proxy-t...

Would really appreciate your feedback.

afujikawa
Partner - Creator

Hi @Sonja_Bauernfeind ,

If the environment is upgraded to Qlik Sense February 2020 or later, is it not necessary to consider the content of the red box?
https://help.qlik.com/en-US/sense-admin/August2023/Subsystems/DeployAdministerQSE/Content/Sense_Depl...

Best regards,
afujikawa

Sonja_Bauernfeind
Digital Support

Hello @afujikawa 

I'm reviewing your question, will get back to you.

All the best,
Sonja 

afujikawa
Partner - Creator

Hi @Sonja_Bauernfeind,

Thank you for your reply.
Sorry, I forgot to attach the image when I contacted you last time.

pic1.png

Best regards,
afujikawa

Sonja_Bauernfeind
Digital Support

Hello @afujikawa 

I have tested this and verified that this is no longer a requirement with February 2020 and any release after. I will ensure that the help site is updated to clarify this, as it is currently unclear (as you pointed out).

All the best,
Sonja 

afujikawa
Partner - Creator

Hello @Sonja_Bauernfeind ,
Thank you very much.

Best regards,
afujikawa
