Hi,
What version of Node.js/VM2 is currently being used with Qlik Sense products, and when will there be an update? Since we are in the hospital sector, this is important for our customers. I had already opened a ticket with support, but they think it is not an incident and I should contact the community?!?
Here is the information about the critical vulnerability in the JavaScript library:
CVE: CVE-2023-29017 / CVE-2023-29199 / CVE-2023-30547 / CVE-2023-32314
Scope: Remote Code Execution
Affected versions: Javascript library vm2 < 3.9.18
Suggested Action: Update to current version 3.9.18, No known workarounds
For example:
For the listed system, we were able to identify that the server was running a NodeJS server.
Node.js version: 14.17.6
File path: C:\Program Files\Qlik\Sense\ServiceDispatcher\Node\node.exe
Thank you in advance!
br
Christian
Hello @C-Hopf,
Thanks for posting.
I scanned the installed files of Qlik Sense client-managed and did not find the node module named vm2 in any folder.
As we can see, other modules are being used, like the ones listed inside this path:
...\NotifierService\node_modules
If you have a report indicating that such a library is being used, please open a case with us immediately, following this article:
You have further information on our product security at: https://www.qlik.com/us/trust
Thanks for your collaboration.
Cheers,
Albert