Qlik Support Updates Blog

Important and useful support information about end-of-product support, new service releases, and general support topics.

Support
QlikView and Qlik Sense - Important Security Fix now available in new Service Releases and Patches

Qlik releases new QlikView Service Releases and new Qlik Sense Patches to address a security vulnerability.

Dear Qlik users,

Today we have released four new service releases across all currently supported major versions of QlikView* and six new patches across the latest versions of Qlik Sense. If you are using the following versions, this information is for you:

  • QlikView 11.20
  • QlikView 12.00*
  • QlikView 12.10
  • QlikView 12.20
  • QlikView 12.30
  • Qlik Sense Enterprise any 2017 version or prior
  • Qlik Sense Enterprise February 2018
  • Qlik Sense Enterprise April 2018
  • Qlik Sense Enterprise June 2018
  • Qlik Sense Enterprise September 2018
  • Qlik Sense Enterprise November 2018
  • Qlik Sense Enterprise February 2019

These new service releases and patches include a fix for a security vulnerability, details of which can be found in Security Bulletin SB 000069985.

Known internally as QLIK-94388, each new service release and patch includes, at a minimum, the fix for this vulnerability. The patches for the following Qlik Sense releases also include other, non-security-related bug fixes.

  • June 2018 Patch 3
  • September 2018 Patch 4
  • November 2018 Patch 4

For details, please see the attached release notes. For all other release notes, please refer to our download site.

Please note that each patch is branched directly from the latest patch, so patches are cumulative. For example, by applying Qlik Sense February 2019 Patch 2, you will also receive every fix released in Qlik Sense February 2019 Patch 1. For more details about the fixes applied in the previous patch(es), please have a look at the release notes.

The information in this post and in Security Bulletin 000069985 is disclosed in accordance with our published Security and Vulnerability Policy.

Updated 5/1/2019: For further reference, we have created a list of frequently asked questions and answers, which can be found here: SB 000069985 FAQ.

* QlikView 12.00 is no longer officially supported. QlikView 11.20 is under Extended Support.

21 Comments
Or
Valued Contributor II

Installing the latest patch of Sense February 2019 changed all of the default app images without any sort of warning. Not nice! Just spent an hour scrambling to change them back, one at a time, to the previous default of Qlik circles to avoid confusing the user base...

Digvijay_Singh
Honored Contributor III

Is it changing all the app icons including customized one or just the one which had default circle icons?

Or
Valued Contributor II

@Digvijay_Singh I can't say, we were happy with the original default of circles so we never set up customized ones.

Partner

Hey @Or ,

Are those the same previews available on new apps in Qlik Cloud?
@Digvijay_Singh from what I've seen on the September 2018 release, after installing the latest Patch the default thumbnails and also the customized ones are still the same. It could be an issue depending on specific releases.

Riccardo

Partner

I'm trying to get more information concerning this issue, so I can figure out the impact.

But the information about this issue is minimal.

I'd like to know what kind of files users might be able to access; they are talking about files being hosted by the server. Is this only the files hosted on the Qlik web server site, or also files mounted in certain areas?

Or
Valued Contributor II

I don't have a lot of information to help with, just my own upgrade (on premise, February 2019 just upgrading to the patch). We've noticed two things:

  • Default images have changed for all apps (we don't know if non-default images changed). It is possible to manually re-set each app to the original default (Qlik circles).
  • It seems it is no longer possible to see content in other people's Work stream from Hub - we have a user with permissions for everything in hub (* on all) and that user now only sees their own work stream.

Insofar as the bug in question, given that it's URL manipulation, I wouldn't expect Qlik to share the specific details as this would allow anyone with the details to easily abuse unpatched versions...

Partner

I confirm the same behaviour with the Security Rule also on September 2018.
I believed it was related to the previous Patch, that was skipped for this last one.

analienx
New Contributor III

Hi @rzenere, indeed this is a serious issue, as you can read in my post:

https://community.qlik.com/t5/Qlik-Support-Updates-Blog/Qlik-Sense-November-2018-Patch-3-is-now-avai...

Since fixing the security vulnerability is basically a must for most companies, one has to think about a new development approach and changes to security rules/custom properties to adjust to this.

Support

Or,

Thank you for bringing this to the attention of Qlik support. I work on the escalations team. Did you upgrade from an older version like November 2018 or September 2018 to February 2019?

Or
Valued Contributor II

@Ronnie_Taborn Upgraded from February 2019 to the current patch. I believe we had the initial release of February 2019 but I'm not entirely sure - this was a little bit of a rush job to squeeze the upgrade into a previously-scheduled maintenance window under the assumption that no significant testing would be required.

Support

Or,

I installed February 2019 IR and created some test apps with the default image thumbnail. I installed February Patch 1 and the default thumbnails changed from the Qlik circles to a blue background. I created some more apps, changed the thumbnail to something custom, and installed February Patch 1. The thumbnails didn't change for the custom apps. The thumbnail change is the default for February Patch 1 and Patch 2. The change isn't a bug but the default. We are updating the documentation. Please let me know if you have any questions.

Support

It does look like the change was with Patch 1

Support

If you want the old one back you can try this.

Go to C:\Program Files\Qlik\Sense\Client\hub\img\core\static and rename Default_thumbnail_app.svg as a backup. Then take app.png and convert it to an SVG file (https://onlineconvertfree.com/), then rename the converted file and put it in the above location.

Employee

Default icons have changed as part of Qlik's re-branding. I would recommend that you do not alter the default icon directly in the file system, as it will be reset on your next update/upgrade. Instead, look at applying the old icon as a custom logo on each app, if it is important to keep the old icon.

@Or it has not been the intention that users can share work area items as part of collaboration. Your observation is an effect of the hub navigation improvements included in Feb 2019 Patch 1 and later, which enforces a stricter work area control from the product. If this change causes major problems for you, please contact Qlik Support (https://support.qlik.com) for further help.

The documented collaboration process in Qlik Sense is based on streams; https://help.qlik.com/en-US/sense/February2019/Subsystems/Hub/Content/Sense_Hub/Publishing/publishin...

Employee

@nvankorlaar industry best practice around security vulnerabilities is to not disclose the exact details, as this can be used against customers by malicious attackers. This vulnerability's score is ranked as High, which means you are highly recommended to apply the patch on your environment to keep it secure.

The exposed vulnerability gives access to files that are available on the local server. I think that is clear enough detail to motivate applying a patch on your server, so that your files cannot be exposed.

Or
Valued Contributor II

@ToniKautto I have no major problems with the new methodology, it was just surprising to see the undocumented change. There were certain advantages to being able to see other people's Work area, particularly when trying to assist a developer with their code, but it's nothing that can't be worked around using screen sharing instead. Ideally, a global "Everyone's Work" stream would be available (assuming one had proper permissions), separate from the regular "Work" stream, but I guess that's not likely to happen. Having to publish files just so someone else can look at your code or designs is simply not very efficient, but it's how most of our developers work anyway.

Insofar as the icons, again, this was not documented anywhere that I found. I wish they'd let us know when they change things, particularly things immediately visible to users. On a personal level I quite dislike the new image used for apps, as I feel it clashes with the rest of the default Qlik Sense design - everything is white and clean and all of the sudden there's this group of large blue blocks. Again, this is nothing that we can't work around - we just went into each app and manually set the image to the original Qlik circles - but being aware of this in advance would have been nice.

Hello @Or

Thank you for your feedback.

The fact that you cannot see applications from others' work stream is a behavior change that happened in Qlik Sense February 2019 Patch 1 and Qlik Sense November 2018 Patch 3, after improving performance in the hub as described here: https://community.qlik.com/t5/Qlik-Support-Updates-Blog/Qlik-Sense-February-2019-Patch-1-now-availab...

Since the Qlik Sense Patches are cumulative, by applying Patch 2 you also received the fixes implemented in Patch 1.

There is a setting to revert to the old behavior, described here: https://support.qlik.com/articles/000068297

Regarding the application thumbnail, it's also a change implemented in Qlik Sense February 2019 Patch 1. It does not seem that it has been documented, indeed. This has been brought up internally and should be resolved shortly.

Thank you and hope this helps.

Or
Valued Contributor II

@Bastien_Laugiero Thanks for that link on the new Work behavior - quite helpful. I went over the patch notes before I installed the upgrade and I went over them again just now. I don't see any mention of this new behavior anywhere in the document (unless it's buried in the "Bugs fixed" section). Either it's there and I'm just missing it, or this one also escaped the documentation team.

Partner

Hi. Will this security bug be fixed in Qlik Sense April 2019 release?

Support

Hi @ronnystillman,

Yes, this issue has been addressed in our Qlik Sense April 2019 release.

Support

Please note, we have updated this post to include a link to a list of frequently asked questions, which can be found here: SB 000069985 FAQ.

Regards,

Qlik Support
