Jamie_Gregory
Community Manager

Hello Qlik Users,

It’s a special Thursday this week as we have a couple patches available today that also address the Node.js vulnerability. Please apply the appropriate patch as soon as possible.

If the initial version of Qlik Sense installed was prior to version June 2019 or earlier, then the Qlik Sense Root Certificate must be recreated. For more information on recreating certificates, please review the following materials: 

 

The following patches are now available on the Qlik download site:

Qlik Sense Patch:

  • April 2019 Patch 8 (Release Notes)

  • June 2019 Patch 11 (Release Notes)

As with all software, please follow best practices when upgrading by backing up your Qlik Sense environment and testing the patch in a QA environment first.

Be sure to subscribe to the Qlik Support Blog by clicking the green Subscribe button to stay up-to-date with the latest releases.

Thank you for choosing Qlik!

Kind Regards,

Global Support

5 Comments
dvasseur
Partner - Creator III

Hi,

Recreating certificates is not as easy as deploying a patch, and could be error-prone. So, what are the consequences/risks of not recreating them? Is there a real security risk, even for small companies with a single server and a few users?

Thanks!

David

Jamie_Gregory
Community Manager

 @dvasseur,

We created a PowerShell script that will recreate the certificates that will hopefully make this process easier. Please see <article link> for recreating the certificates using PowerShell. If the certificates are not recreated, Qlik will not take responsibility for any security breach within your environment. Please review the <node.js link> to review the risks.
dvasseur
Partner - Creator III

@Jamie_Gregory 

I've read it already and didn't find anything which would require regenerating Qlik's CA certificate. I have probably missed something, could you explain it to me?

Node.js vulnerabilities fixed:

  • HTTP request smuggling using malformed Transfer-Encoding header (Critical) (CVE-2019-15605)

Not related

  • HTTP header values do not have trailing OWS trimmed (High) (CVE-2019-15606)

Not related

  • Remotely trigger an assertion on a TLS server with a malformed certificate string (High) (CVE-2019-15604)

Could be related (improper client certificate check), but that would crash the TLS server (according to Qlik); quite annoying, but not a security risk.

  • Strict HTTP header parsing

Not related

rzenere_avvale
Partner - Specialist II

Good morning @dvasseur ,

as far as I know, Qlik's CA certificate needs to be regenerated due to an upgrade of NodeJS version, which jumps from 8.16.2 (which is out of support) to 12.15.
See the first part of the release notes: https://da3hntz84uekx.cloudfront.net/QlikSense/13.51/6/QlikSense_November_2019_Patch6_ReleaseNotes.p...

I hope this helps,
Riccardo

Jamie_Gregory
Community Manager

@dvasseur That article is information from Node.js. The part that requires you to regenerate the certificates on the Qlik side is in the release notes for the patches. @rzenere_avvale is correct that it's due to upgrading the version of Node.js. There is also a FAQ regarding this that has some more information. 
