Pamela_Whitney
Former Employee

Qlik releases new QlikView Service Releases and new Qlik Sense Patches to address a security vulnerability.

Dear Qlik users,

Today we have released four new service releases across all currently supported major versions of QlikView* and six new patches across the latest versions of Qlik Sense. If you are using the following versions, this information is for you:

  • QlikView 11.20
  • QlikView 12.00*
  • QlikView 12.10
  • QlikView 12.20
  • QlikView 12.30
  • Qlik Sense Enterprise any 2017 version or prior
  • Qlik Sense Enterprise February 2018
  • Qlik Sense Enterprise April 2018
  • Qlik Sense Enterprise June 2018
  • Qlik Sense Enterprise September 2018
  • Qlik Sense Enterprise November 2018
  • Qlik Sense Enterprise February 2019 

These new service releases and patches include a fix for a security vulnerability, details of which can be found in Security Bulletin SB 000069985.

Known internally as QLIK-94388, each new service release and patch includes, at the minimum, the fix for this vulnerability. The patches for the following Qlik Sense releases also include other, non-security related product defect fixes.

  • June 2018 Patch 3
  • September 2018 Patch 4
  • November 2018 Patch 4

For details, please see the attached release notes. For all other release notes, please refer to our download site.

Please note this patch is branched directly for the latest patch. For example, by applying Qlik Sense February 2019 Patch 2, you will also receive every fix released in Qlik Sense February Patch 1. For more details about the fixes applied in the previous patch(es), please have a look at the release note. 

The information in this post and Security Bulletin 000069985 are disclosed in accordance with our published Security and Vulnerability Policy.

 

Updated 5/1/2019: For further reference, we have created a list of frequently asked questions and answers, which can be found here: SB 000069985 FAQ.

 

* QlikView 12.00 is no longer officially supported. QlikView 11.20 is under Extended Support.

24 Comments
Or
MVP

Installing the latest patch of Sense February 2019 changed all of the default app images without any sort of warning. Not nice! Just spent an hour scrambling to change them back, one at a time, to the previous default of Qlik circles to avoid confusing the user base...

 

7,796 Views
Digvijay_Singh

Is it changing all the app icons, including customized ones, or just the ones which had default circle icons?

7,685 Views
Or
MVP

@Digvijay_Singh I can't say, we were happy with the original default of circles so we never set up customized ones.

7,673 Views
rzenere_avvale
Partner - Specialist II

Hey @Or,

Are those the same previews available on new apps in Qlik Cloud?
@Digvijay_Singh from what I've seen on release September 2018, after installing the latest Patch the default thumbnails and also the customized ones are still the same. It could be an issue depending on specific releases.

Riccardo

7,568 Views
nvankorlaar
Partner - Contributor III

I'm trying to get more information concerning this issue, so I can figure out the impact.

But the information about this issue is minimal.

I’d like to know what kind of files users might be able to access; they are talking about files being hosted by the server. Are these only the files hosted on the Qlik webserver site, or also files mounted in certain areas?

0 Likes
7,526 Views
Or
MVP

I don't have a lot of information to help with, just my own upgrade (on premise, February 2019 just upgrading to the patch). We've noticed two things:

  • Default images have changed for all apps (we don't know if non-default images changed). It is possible to manually re-set each app to the original default (Qlik circles).
  • It seems it is no longer possible to see content in other people's Work stream from Hub - we have a user with permissions for everything in hub (* on all) and that user now only sees their own work stream.

 

Insofar as the bug in question, given that it's URL manipulation, I wouldn't expect Qlik to share the specific details as this would allow anyone with the details to easily abuse unpatched versions...

7,502 Views
rzenere_avvale
Partner - Specialist II

I confirm the same behaviour with the Security Rule also on September 2018.
I believed it was related to the previous Patch, that was skipped for this last one.

0 Likes
6,705 Views
analienx
Contributor III

Hi @rzenere_avvale, indeed this is a serious issue, as you can read in my post:

https://community.qlik.com/t5/Qlik-Support-Updates-Blog/Qlik-Sense-November-2018-Patch-3-is-now-avai...

Since fixing a security vulnerability is basically a must for most companies, one has to think about a new development approach and security rules/custom properties changes to adjust to this.

 

0 Likes
6,661 Views
Ronnie_Taborn
Support

Or,

Thank you for bringing this to the attention of Qlik support. I work on the escalations team. Did you upgrade from an older version like November 2018 or September 2018 to February 2019?

6,580 Views
Or
MVP

@Ronnie_Taborn Upgraded from February 2019 to the current patch. I believe we had the initial release of February 2019 but I'm not entirely sure - this was a little bit of a rush job to squeeze the upgrade into a previously-scheduled maintenance window under the assumption that no significant testing would be required.

0 Likes
6,545 Views