C-Hopf
Partner - Contributor II

Critical vulnerability in Javascript library!

Hi,

What version of Node.js/vm2 is currently being used with Qlik Sense products, and when will there be an update? Since we are in the hospital sector, this is important for our customers. I had already opened a ticket with support, but they think it is not an incident and I should contact the community?!?

Here is the information about the critical vulnerability in the JavaScript library:

CVE: CVE-2023-29017 / CVE-2023-29199 / CVE-2023-30547 / CVE-2023-32314
Scope: Remote Code Execution
Affected versions: Javascript library vm2 < 3.9.18
Suggested Action: Update to current version 3.9.18, No known workarounds

For example:
For the listed system, we were able to identify that the server was running a NodeJS server.
Node.js version: 14.17.6

File path: C:\Program Files\Qlik\Sense\ServiceDispatcher\Node\node.exe

Thank you in advance!

br

Christian

Accepted Solutions
Albert_Candelario

Hello @C-Hopf,

Thanks for posting.

I scanned the installed files of Qlik Sense Client-Managed and did not find the node module named vm2 in any folder.

As we can see, other modules are being used, like the ones listed inside this path:

...\NotifierService\node_modules

If you have a report indicating that such a library is being used, please do open a case with us immediately following this article:

https://community.qlik.com/t5/Official-Support-Articles/Qlik-Security-Vulnerability-Policy/ta-p/1713...

You have further information on our product security at: https://www.qlik.com/us/trust

Thanks for your collaboration.

Cheers,

Albert

Please, remember to mark the thread as solved once getting the correct answer
