Qlik Community

Qlik Support Updates Blog

Important and useful support information about end-of-product support, new service releases, and general support topics.

Digital Support

Hello Qlik Users,

It’s a special Thursday this week, as we have a couple of patches available today that also address the Node.js vulnerability. Please apply the appropriate patch as soon as possible.

If the initial version of Qlik Sense installed was prior to version June 2019 or earlier, then the Qlik Sense Root Certificate must be recreated. For more information on recreating certificates, please review the following materials: 

 

The following patches are now available on the Qlik download site:

Qlik Sense Patch

  • April 2019 Patch 8 (Release Notes)

  • June 2019 Patch 11 (Release Notes)


As with all software, please follow best practices when upgrading by backing up your Qlik Sense environment and testing the patch in a QA environment first.

Be sure to subscribe to the Qlik Support Blog by clicking the green Subscribe button to stay up-to-date with the latest releases.

Thank you for choosing Qlik!

Kind Regards,

Global Support

5 Comments
Partner

Hi,

Recreating certificates is not as easy as deploying a patch, and could be error-prone. So, what are the consequences/risks of not recreating them? Is there a real security risk, even for small companies with a single server and a few users?

Thanks!

David

773 Views
Digital Support

@dvasseur,

We created a PowerShell script that will recreate the certificates, which will hopefully make this process easier. Please see <article link> for recreating the certificates using PowerShell. If the certificates are not recreated, Qlik will not take responsibility for any security breach within your environment. Please review the <node.js link> to review the risks.
0 Likes
706 Views
Partner

@Jamie_Gregory 

I've read it already and didn't find anything which would require regenerating Qlik's CA certificate. I have probably missed something; could you explain it to me?

Node.js vulnerabilities fixed:

  • HTTP request smuggling using malformed Transfer-Encoding header (Critical) (CVE-2019-15605)

Not related

  • HTTP header values do not have trailing OWS trimmed (High) (CVE-2019-15606)

Not related

  • Remotely trigger an assertion on a TLS server with a malformed certificate string (High) (CVE-2019-15604)

Could be related (improper client certificate check), but that would crash the TLS server (according to Qlik); quite annoying, but not a security risk

  • Strict HTTP header parsing

Not related

0 Likes
670 Views
Partner

Good morning @dvasseur,

As far as I know, Qlik's CA certificate needs to be regenerated due to an upgrade of the NodeJS version, which jumps from 8.16.2 (which is out of support) to 12.15.
See the first part of the release notes: https://da3hntz84uekx.cloudfront.net/QlikSense/13.51/6/QlikSense_November_2019_Patch6_ReleaseNotes.p...

I hope this helps,
Riccardo

0 Likes
599 Views
Digital Support

@dvasseur That article is information from Node.js. The part that requires you to regenerate the certificates on the Qlik side is in the release notes for the patches. @rzenere is correct that it's due to upgrading the version of Node.js. There is also a FAQ regarding this that has some more information. 

0 Likes
534 Views