Vulnerabilities on libcurl.dll
During our regular scans we found some vulnerabilities on libcurl.dll (CVEs mentioned below); we are using Qlik Sense version 14.78.23 (August 2022 patch 16).
The recommendation is to upgrade to libcurl 8.4.0. Please suggest if there are any patches available for upgrading libcurl.
CVE-2023-38545 (Heap Buffer Overflow)
CVE-2023-38546 (Cookie Injection)
@Sangeeta From what I see, this is not officially found by Qlik: https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enter...
If you feel anything is off, please reach out to your success engineer from Qlik.
Same here: CVE-2023-38545, Qlik Sense Enterprise on Windows February 2024 14.173.3
The scan found affected libcurl.dll versions in
C:\Program Files\Common Files\Qlik\Custom Data\QvOdbcConnectorPackage\...
Search of Qlik Community did not produce any references to CVE-2023-38545.
What would be a solution here?
Hi Sangeeta,
I don’t think Qlik will provide a patch, since the August 2022 release is no longer supported as of August 2024.
I think you need to update your Qlik environment. libcurl.dll is stored in several places on Windows, in Qlik- and Postgres-related paths (search your filesystem and check the file properties, “Details” > Version).
On my VM for testing I have May 2024 and PostgreSQL 14, and none of the different libcurl.dlls are lower than 8.4.0 …
Best regards
Thomas
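The filesystem check Thomas describes, as an added PowerShell example that is not part of the thread or of any Qlik tooling: it walks the install roots, reads the "Details > File version" field of every libcurl DLL and flags copies below the 8.4.0 baseline named above. The root paths are assumptions; adjust them to your environment.

```powershell
# Added example (not from the thread): inventory libcurl.dll copies and
# compare their FileVersion against the patched baseline named in the thread.
function Find-LibcurlDll {
    param(
        # Assumed install roots; extend for your own environment.
        [string[]]$Roots = @(
            'C:\Program Files\Qlik',
            'C:\Program Files\Common Files\Qlik',
            'C:\Program Files\PostgreSQL'
        ),
        [version]$MinVersion = [version]'8.4.0'
    )

    $existing = $Roots | Where-Object { Test-Path -Path $_ }

    foreach ($root in $existing) {
        Get-ChildItem -Path $root -Filter 'libcurl*.dll' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Same field as Explorer's "Details" tab, File version.
            $raw = $_.VersionInfo.FileVersion
            $parsed = $null
            # Keep only the leading numeric part, e.g. "8.4.0.0" or "8.4.0".
            if ($raw -and $raw -match '^\s*(\d+(\.\d+){1,3})') {
                $parsed = [version]$Matches[1]
            }
            $status = if (-not $parsed) { 'unknown' }
                      elseif ($parsed -lt $MinVersion) { 'below-baseline' }
                      else { 'ok' }
            [pscustomobject]@{
                Status      = $status
                FileVersion = $raw
                Path        = $_.FullName
            }
        }
    }
}

# Run the inventory; 'below-baseline' rows are the ones to remediate,
# 'unknown' rows have no parsable version resource and need a manual look.
Find-LibcurlDll | Sort-Object Status, Path | Format-Table -AutoSize
```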
This is an old post; we moved to May 2024 patch 11 already, and now there are new vulnerabilities on 8.4.0 which are fixed in version 8.9.1, so we are waiting for a new patch.