Solved: Critical vulnerability in Javascript library! - Qlik Community

C-Hopf · ‎2023-05-24

Hi,

what version of node.js/VM2 is currently being used with qlik sense products and when will there be an update. Since we are in the hospital sector, this is important for our customers. I had already opened a ticket with support, but they think it is not an incident and I should contact the community?!?

Here are the information about the Critical vulnerability in Javascript library:

CVE: CVE-2023-29017 / CVE-2023-29199 / CVE-2023-30547 / CVE-2023-32314
Scope: Remote Code Execution
Affected versions: Javascript library vm2 < 3.9.18
Suggested Action: Update to current version 3.9.18, No known workarounds

F.e.:
For the listed system, we were able to identify that the server was running a NodeJS server.
Node.js version: 14.17.6

File path: C:\Program Files\Qlik\Sense\ServiceDispatcher\Node\node.exe

Thank you in advance!

br

Christian

Albert_Candelario · ‎2023-05-26

Hello @C-Hopf,

Thanks for posting.

I did scanned the installed files of Qlik Sense client managed and not found the node module named vm2 in any folder.

As we can see other modules been used like the ones listed inside this path:

...\NotifierService\node_modules

If you have a report indicating that such library been used, please do open a case with us immediately following this article:

https://community.qlik.com/t5/Official-Support-Articles/Qlik-Security-Vulnerability-Policy/ta-p/1713...

You have further information on our product security at: https://www.qlik.com/us/trust

Thanks for your collaboration.

Cheers,

Albert

Please, remember to mark the thread as solved once getting the correct answer

View solution in original post

Albert_Candelario · ‎2023-05-26