Sangeeta
Contributor II

Vulnerabilities on libcurl.dll

During our regular scans we found some vulnerabilities in libcurl.dll (CVEs mentioned below). We are using Qlik Sense version 14.78.23 (August 2022 patch 16).

The recommendation is to upgrade to libcurl 8.4.0. Please suggest if there are any patches available for upgrading libcurl.

CVE-2023-38545 (Heap Buffer Overflow)

CVE-2023-38546 (Cookie Injection)

Anil_Babu_Samineni

@Sangeeta This is not officially found by Qlik from what I see: https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enter...

If you feel anything, please reach out to your success engineer from Qlik.

Best, Anil. When applicable, please mark the correct/appropriate replies as "solution" (you can mark up to 3 "solutions"). Please LIKE threads if the provided solution is helpful.
dmitri_volkov
Contributor III

Same here: CVE-2023-38545, Qlik Sense Enterprise on Windows February 2024 14.173.3

Scan found affected libcurl.dll versions in

C:\Program Files\Common Files\Qlik\Custom Data\QvOdbcConnectorPackage\...

Search of Qlik Community did not produce any references to CVE-2023-38545.

What would be a solution here?

Thomas_Rieck_MW
Partner - Contributor

Hi Sangeeta,

I don’t think Qlik will provide a patch, since the August 2022 release is no longer supported as of August 2024.

I think you need to update your Qlik environment. The libcurl.dll is stored in several places on Windows, in Qlik and Postgres related paths (search your filesystem and check the file properties “Details” tab for the Version).

On my VM for testing I have May 2024 and PostgreSQL 14, and none of the different libcurl.dlls are lower than 8.4.0 …

Best regards

Thomas
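
The filesystem search and version check Thomas describes can be scripted so the result is an inventory rather than a manual walk through file properties. The script below is an added example, not code from the thread or from Qlik; the search roots are assumptions based on the paths mentioned above, and the 8.4.0 floor is the version recommended in the original question. It uses the `VersionInfo` property that PowerShell exposes on every file object, flags any copy below the floor, records a SHA-256 hash so the inventory can be compared after patching, and writes the non-OK entries to a CSV.

```powershell
# Added example (not from the thread): inventory every libcurl*.dll under the
# Qlik / Common Files / PostgreSQL roots named in the replies and flag copies
# whose file version is below the recommended floor. Run from an elevated
# PowerShell 5.1+ session on the Qlik Sense server.

$MinimumVersion = [version]'8.4.0'          # floor recommended in the question

# Assumed search roots; extend this list for non-default install locations.
$SearchRoots = @(
    'C:\Program Files\Qlik',
    'C:\Program Files\Common Files\Qlik',
    'C:\Program Files\PostgreSQL'
) | Where-Object { Test-Path -Path $_ }

$results = foreach ($root in $SearchRoots) {
    Get-ChildItem -Path $root -Filter 'libcurl*.dll' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $info = $_.VersionInfo
        $parsed = $null
        # FileVersionRaw is the numeric version from the PE resource; fall back
        # to parsing the FileVersion string when it is not populated.
        if ($info.FileVersionRaw) {
            $parsed = $info.FileVersionRaw
        } elseif ($info.FileVersion -match '^\d+(\.\d+){1,3}') {
            $parsed = [version]$Matches[0]
        }

        $status = if ($null -eq $parsed)             { 'UNKNOWN' }
                  elseif ($parsed -lt $MinimumVersion) { 'BELOW-MINIMUM' }
                  else                                 { 'OK' }

        [pscustomobject]@{
            Status      = $status
            Parsed      = $parsed
            FileVersion = $info.FileVersion
            Path        = $_.FullName
            # Hash lets you diff the inventory before and after a Qlik patch.
            SHA256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

$results | Sort-Object Status, Path | Format-Table Status, Parsed, Path -AutoSize

# Persist anything that still needs attention for the patch ticket.
$results | Where-Object { $_.Status -ne 'OK' } |
    Export-Csv -Path (Join-Path $env:TEMP 'libcurl-inventory.csv') -NoTypeInformation
```

Because the Qlik patch itself is what replaces the bundled DLLs, the practical use of this inventory is to confirm after upgrading that no stale copy was left behind in a connector package or Postgres directory, and to give the scanner something concrete to compare against. Raise `$MinimumVersion` as the scan findings move (the last reply in this thread already cites a higher fixed version).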

Sangeeta
Contributor II
Author

This is an old post; we moved to May 2024 patch 11 already, and now there are new vulnerabilities in 8.4.0 which are fixed in version 8.9.1, so we are waiting for a new patch.