Sonja_Bauernfeind
Digital Support

Edited August 30th, 15:55 CET: Added clarification on older Qlik Sense Enterprise on Windows versions
Edited August 31st, 13:10 CET: Added clarification on possible workarounds (none exist) as well as information regarding what authentication methods (all) are affected and that HTTP and HTTPS are impacted
Edited November 21st, 8:40 CET: Added clarification to apply the latest patches

Hello Qlik Users,

Two security issues in Qlik Sense Enterprise for Windows have been identified and patches made available. Details can be found in Security Bulletin Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-41266, CVE-2023-41265).

This announcement from August 2023 and the mentioned releases only cover CVE-2023-41266 and CVE-2023-41265. Apply the most recent patches as documented in Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-48365) (September 2023), which resolve CVE-2023-48365 as well.

Today, we have released five service releases across the latest versions of Qlik Sense to patch the reported issues. All versions of Qlik Sense Enterprise for Windows prior to and including these releases are impacted:

  • May 2023 Patch 3
  • February 2023 Patch 7
  • November 2022 Patch 10
  • August 2022 Patch 12

All prior versions of Qlik Sense Enterprise on Windows are affected, including releases such as May 2022, February 2022, and earlier. While no patches are currently listed for these versions, Qlik is actively investigating the possibility of patching older releases. 

No workarounds can be provided. Customers should upgrade Qlik Sense Enterprise for Windows to a version containing fixes for these issues. The August 2023 Initial Release, published today, already contains the fix, as do the following patch releases:

  • August 2023 Initial Release
  • May 2023 Patch 4
  • February 2023 Patch 8
  • November 2022 Patch 11
  • August 2022 Patch 13

This issue only impacts Qlik Sense Enterprise for Windows. Other Qlik products including Qlik Cloud and QlikView are NOT impacted.
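The fixed patch levels listed above are easy to misread when checking an estate by hand, so here is an added example (not Qlik's own code or tooling) that encodes them and classifies installed versions against them. It assumes version strings in the "Month Year Patch N" form used in this post, treats a bare "Month Year" or "IR" as the Initial Release, and covers only the fixes for CVE-2023-41266 and CVE-2023-41265 as listed here; the later patch levels required for CVE-2023-48365 are in the newer bulletin and are not encoded below. The inventory at the bottom is a constructed sample, not real hosts.

```python
import re

# Minimum patch level per release line that contains the fixes for
# CVE-2023-41266 / CVE-2023-41265, taken from the list in this post.
# Patch 0 stands for the Initial Release (IR). Release lines older than
# August 2022 are affected and, per the post, have no patch available.
FIXED_PATCH_LEVEL = {
    (2022, 8): 13,   # August 2022 Patch 13
    (2022, 11): 11,  # November 2022 Patch 11
    (2023, 2): 8,    # February 2023 Patch 8
    (2023, 5): 4,    # May 2023 Patch 4
    (2023, 8): 0,    # August 2023 Initial Release
}

MONTHS = {name: i for i, name in enumerate(
    ["january", "february", "march", "april", "may", "june", "july",
     "august", "september", "october", "november", "december"], start=1)}

_VERSION_RE = re.compile(
    r"^\s*(?P<month>[A-Za-z]+)\s+(?P<year>\d{4})"
    r"(?:\s+(?:patch\s*(?P<patch>\d+)|initial\s+release|ir))?\s*$",
    re.IGNORECASE,
)


def parse_version(text: str) -> tuple[int, int, int]:
    """Return (year, month, patch) for strings such as 'May 2023 Patch 3',
    'August 2023 Initial Release' or 'August 2023 IR'."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Qlik Sense version string: {text!r}")
    month = MONTHS.get(m.group("month").lower())
    if month is None:
        raise ValueError(f"unknown month in version string: {text!r}")
    patch = int(m.group("patch")) if m.group("patch") else 0
    return int(m.group("year")), month, patch


def assess(text: str) -> str:
    """Classify one installed version against the fixed levels above.

    'patched'             -> at or above the fixed patch for its release line
    'vulnerable'          -> a patch exists for this line but is not installed
    'vulnerable-no-patch' -> older than August 2022; no patch listed in this post
    'not-covered'         -> release line not listed here (newer, or not a Qlik
                             release name); check the current bulletin instead
    """
    year, month, patch = parse_version(text)
    line = (year, month)
    if line in FIXED_PATCH_LEVEL:
        return "patched" if patch >= FIXED_PATCH_LEVEL[line] else "vulnerable"
    if line < min(FIXED_PATCH_LEVEL):
        return "vulnerable-no-patch"
    return "not-covered"


def needs_action(inventory: dict[str, str]) -> dict[str, str]:
    """Return host -> status for every host that is not at a fixed level."""
    return {host: status for host, version in inventory.items()
            if (status := assess(version)) != "patched"}


# Constructed sample inventory for demonstration only; not real hosts.
SAMPLE_INVENTORY = {
    "qs-prod-01": "May 2023 Patch 3",
    "qs-prod-02": "May 2023 Patch 4",
    "qs-dev-01": "November 2021",
    "qs-test-01": "August 2023 IR",
}

if __name__ == "__main__":
    for host, status in needs_action(SAMPLE_INVENTORY).items():
        print(f"{host}: {status} ({SAMPLE_INVENTORY[host]})")
```

Feed it the version strings from your own inventory; anything reported as `not-covered` is outside the list in this post and should be checked against the most recent bulletin rather than assumed safe.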

All Qlik software can be downloaded from our official Qlik Download page (customer login required). Follow best practices when upgrading Qlik Sense.

The information in this post and Security Bulletin Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-41266, CVE-2023-41265) are disclosed in accordance with our published Security and Vulnerability Policy.


Clarifications and Frequently Asked Questions:

What can be done to mitigate the issue?

No mitigation can be provided. An upgrade should be performed as soon as possible. As per Qlik's best practices, the proxy should not be exposed to the public internet, which reduces the attack surface significantly.

What authentication methods are affected?

All authentication methods are affected.

Are environments with HTTP disabled impacted?

Environments are affected regardless of whether HTTP or HTTPS is in use. These vulnerabilities affect the HTTP protocol overall, meaning that even if HTTP is disabled, the environment remains vulnerable.

These attacks do not rely on intercepting any communication and are therefore unaffected by whether the HTTP traffic is encrypted or not.

Kind regards, and thank you for choosing Qlik,

Qlik Global Support

61 Comments
starke_be-terna
Partner - Contributor III

Hi @Sonja_Bauernfeind !

Thank you for notifying us on this issue!
Will you release a patch for the other versions under support?

Best regards,
Benjamin 

Example May 2022:

starke_beterna_0-1693316511151.png


14,939 Views
Sonja_Bauernfeind
Digital Support

Hello @starke_be-terna 

We'll get back to you.

All the best,
Sonja 

14,742 Views
jeremyseipel
Partner - Contributor III

Thanks for looking into this @Sonja_Bauernfeind. I expect there are many Qlik environments out there requiring major version upgrades if Aug 2022 is the oldest supported for the patch.

Is there anything outside of the patch that can be done as a temporary holdover until the patching/upgrades can be completed?

14,660 Views
Lokeshb31
Contributor III

Hi,

It is mentioned in VRR details about HTTP requests exploitation. We are using SAML for external user authentication. Will there be any issue? 

14,494 Views
sri_c003
Partner - Creator II

Can you please provide a patch for Feb 2022 (still under support period). Is there any ETA?

14,439 Views
RaviGinqo
Partner - Contributor II

Hi @Sonja_Bauernfeind ,

Do you think that this impacts all the Qlik environments irrespective of their authentication method (Windows/Forms/SAML/OIDC etc.)? Or does it impact Windows and Forms authentication the most?

Does it still impact if Allow HTTP is explicitly disabled on all the environments? The majority of the environments use HTTPS only.

Thanks

Ravi

14,347 Views
Yossi
Contributor II

Are earlier Qlik Sense Enterprise versions affected? For example May 2022.

13,762 Views
Sonja_Bauernfeind
Digital Support

Hello @Yossi @RaviGinqo @sri_c003 @Lokeshb31 @jeremyseipel I am working on getting you the answers.

13,699 Views
paulselousyoriz
Partner - Contributor III

We have a similar question to other people - we are running the QS November 2021 version. We plan to migrate to a latest version before November 2023, but that is not scheduled until October. We would much prefer to install a patch for the November 2021 version rather than having to bring forward the migration to a latest version of QS.

13,555 Views
markus3
Contributor

Hi @Sonja_Bauernfeind,

Will you also publish the answer here? I have the same question as @RaviGinqo.

Best regards
Markus

13,381 Views