Qlik Community

Support Updates Blog

Important and useful support information about end-of-product support, new service releases, and general support topics.

Qlik releases new QlikView Service Releases and new Qlik Sense Patches to address a security vulnerability.

Dear Qlik users,

Today we have released four new service releases across all currently supported major versions of QlikView* and six new patches across the latest versions of Qlik Sense. If you are using the following versions, this information is for you:

  • QlikView 11.20
  • QlikView 12.00*
  • QlikView 12.10
  • QlikView 12.20
  • QlikView 12.30
  • Qlik Sense Enterprise any 2017 version or prior
  • Qlik Sense Enterprise February 2018
  • Qlik Sense Enterprise April 2018
  • Qlik Sense Enterprise June 2018
  • Qlik Sense Enterprise September 2018
  • Qlik Sense Enterprise November 2018
  • Qlik Sense Enterprise February 2019 

These new service releases and patches include a fix for a security vulnerability, details of which can be found in Security Bulletin SB 000069985.

Known internally as QLIK-94388, each new service release and patch includes, at a minimum, the fix for this vulnerability. The patches for the following Qlik Sense releases also include other, non-security-related product defect fixes.

  • June 2018 Patch 3
  • September 2018 Patch 4
  • November 2018 Patch 4

For details, please see the attached release notes. For all other release notes, please refer to our download site.

Please note that this patch is branched directly from the latest patch. For example, by applying Qlik Sense February 2019 Patch 2, you will also receive every fix released in Qlik Sense February Patch 1. For more details about the fixes applied in the previous patch(es), please see the release notes.

The information in this post and in Security Bulletin 000069985 is disclosed in accordance with our published Security and Vulnerability Policy.

Updated 5/1/2019: For further reference, we have created a list of frequently asked questions and answers, which can be found here: SB 000069985 FAQ.

 

* QlikView 12.00 is no longer officially supported. QlikView 11.20 is under Extended Support.

24 Comments
Specialist III

Installing the latest patch of Sense February 2019 changed all of the default app images without any sort of warning. Not nice! Just spent an hour scrambling to change them back, one at a time, to the previous default of Qlik circles to avoid confusing the user base...

 

6,599 Views
Master III

Is it changing all the app icons, including customized ones, or just the ones which had default circle icons?

6,488 Views
Specialist III

@Digvijay_Singh I can't say, we were happy with the original default of circles so we never set up customized ones.

6,476 Views
Partner

Hey @Or,

Are those the same previews available on new apps Qlik Cloud?
@Digvijay_Singh from what I've seen on release September 2018, after installing the latest patch the default thumbnails and also the customized ones are still the same. It could be an issue depending on specific releases.

Riccardo

6,371 Views
Partner

I'm trying to get more information concerning this issue, so I can figure out the impact.

But the information about this issue is minimal.

I'd like to know what kind of files users might be able to access; they are talking about files being hosted by the server. Is this only the files hosted on the Qlik webserver site, or also files mounted in certain areas?

0 Likes
6,329 Views
Specialist III

I don't have a lot of information to help with, just my own upgrade (on premise, February 2019 just upgrading to the patch). We've noticed two things:

  • Default images have changed for all apps (we don't know if non-default images changed). It is possible to manually re-set each app to the original default (Qlik circles).
  • It seems it is no longer possible to see content in other people's Work stream from Hub - we have a user with permissions for everything in hub (* on all) and that user now only sees their own work stream.

 

Insofar as the bug in question, given that it's URL manipulation, I wouldn't expect Qlik to share the specific details as this would allow anyone with the details to easily abuse unpatched versions...

6,305 Views