Sonja_Bauernfeind
Digital Support

Edited August 30th, 15:55 CET: Added clarification on older Qlik Sense Enterprise on Windows versions
Edited August 31st, 13:10 CET: Added clarification on possible workarounds (none exist) as well as information regarding what authentication methods (all) are affected and that HTTP and HTTPS are impacted
Edited November 21st, 8:40 CET: Added clarification to apply the latest patches

Hello Qlik Users,

Two security issues in Qlik Sense Enterprise for Windows have been identified and patches have been made available. Details can be found in the Security Bulletin Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-41266, CVE-2023-41265).

This announcement from August 2023 and the mentioned releases only cover CVE-2023-41266 and CVE-2023-41265. Apply the most recent patches as documented in Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-48365) (September 2023), which resolve CVE-2023-48365 as well.

Today, we have released five service releases across the latest versions of Qlik Sense to patch the reported issues. All versions of Qlik Sense Enterprise for Windows prior to and including these releases are impacted:

  • May 2023 Patch 3
  • February 2023 Patch 7
  • November 2022 Patch 10
  • August 2022 Patch 12

All prior versions of Qlik Sense Enterprise on Windows are affected, including releases such as May 2022, February 2022, and earlier. While no patches are currently listed for these versions, Qlik is actively investigating the possibility of patching older releases. 

No workarounds can be provided. Customers should upgrade Qlik Sense Enterprise for Windows to a version containing fixes for these issues. The August 2023 Initial Release (IR), released today, already contains the fix:

  • August 2023 Initial Release
  • May 2023 Patch 4
  • February 2023 Patch 8
  • November 2022 Patch 11
  • August 2022 Patch 13

These issues only impact Qlik Sense Enterprise for Windows. Other Qlik products, including Qlik Cloud and QlikView, are NOT impacted.
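As an added example (not Qlik's own code or tooling), a small Python checker that parses Qlik Sense Enterprise on Windows version strings and compares them with the patched levels listed above, so an inventory can be triaged before upgrading. The host inventory is constructed, and the version-string format "Month YYYY Patch N" / "Month YYYY IR" is an assumption.

```python
import re

MONTHS = {"February": 2, "May": 5, "August": 8, "November": 11}  # Qlik release months

# Lowest patch level per release that contains the fix, taken from the lists above.
FIXED_PATCH = {
    (2023, 8): 0,   # August 2023 Initial Release already contains the fix
    (2023, 5): 4,
    (2023, 2): 8,
    (2022, 11): 11,
    (2022, 8): 13,
}
NEWEST_COVERED = max(FIXED_PATCH)

# Assumed version-string format: "May 2023 Patch 3", "August 2023 IR", "August 2023".
VERSION_RE = re.compile(r"^(?P<month>[A-Z][a-z]+)\s+(?P<year>\d{4})"
                        r"(?:\s+(?:Patch\s+(?P<patch>\d+)|Initial Release|IR))?$")


def parse_version(text):
    """Turn 'May 2023 Patch 3' into ((2023, 5), 3); IR or no suffix is patch 0."""
    m = VERSION_RE.match(text.strip())
    if not m or m["month"] not in MONTHS:
        raise ValueError(f"unrecognised Qlik Sense version: {text!r}")
    return (int(m["year"]), MONTHS[m["month"]]), int(m["patch"] or 0)


def assess(text):
    """Return (status, advice) for one installed version string."""
    train, patch = parse_version(text)
    if train > NEWEST_COVERED:
        return "unknown", "newer than the releases this bulletin lists; check the current bulletin"
    need = FIXED_PATCH.get(train)
    if need is None:   # May 2022, February 2022 and earlier: affected, no patch listed
        return "vulnerable", "no patch listed for this release; upgrade to a listed release first"
    if patch >= need:
        return "patched", "no action needed for CVE-2023-41266 / CVE-2023-41265"
    return "vulnerable", f"apply Patch {need} of this release (or later)"


# Constructed inventory for the demo, not real hosts.
INVENTORY = {
    "qs-prod-01": "May 2023 Patch 3",
    "qs-prod-02": "February 2023 Patch 8",
    "qs-test-01": "February 2022 Patch 9",
    "qs-new-01": "August 2023 IR",
}


def report(inventory=INVENTORY):
    """Map each host to its (status, advice) tuple."""
    return {host: assess(version) for host, version in inventory.items()}
```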

All Qlik software can be downloaded from our official Qlik Download page (customer login required). Follow best practices when upgrading Qlik Sense.

The information in this post and in the Security Bulletin Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-41266, CVE-2023-41265) is disclosed in accordance with our published Security and Vulnerability Policy.


Clarifications and Frequently Asked Questions:

What can be done to mitigate the issue?

No mitigation can be provided. An upgrade should be performed at the earliest opportunity. As per Qlik's best practices, the proxy should not be exposed to the public internet, which reduces the attack surface significantly.

What authentication methods are affected?

All authentication methods are affected.

Are environments with HTTP disabled impacted?

Environments are affected regardless of whether HTTP or HTTPS is in use. These vulnerabilities affect the HTTP protocol overall, meaning that even if HTTP is disabled, the environment remains vulnerable.

These attacks do not rely on intercepting any communication and are therefore indifferent to whether the HTTP communication is encrypted or not.

Kind regards, and thank you for choosing Qlik,

Qlik Global Support

56 Comments
Thomas_Hopp
Employee

Hello everyone,

all prior versions of Qlik Sense Enterprise on Windows are affected, including releases such as May 2022, February 2022, and earlier. While no patches are currently listed for these versions, Qlik is actively investigating the possibility of patching older releases. 

To be able to patch your environment right away, you have to make sure that you first update the major version to either:

  • August 2023
  • May 2023
  • February 2023
  • November 2022

We will update the blog post as new information is made available.

Best regards,

Thomas Hopp

Sonja_Bauernfeind
Digital Support

Hello @starke_be-terna @jeremyseipel @sri_c003 @Yossi @markus3 and @paulselousyoriz 

See the reply from Thomas Hopp in this comment. We have also updated the blog post to provide additional clarity.

All the best,
Sonja 

markus3
Contributor

Hi @Sonja_Bauernfeind,

Thanks for the reply! I was wondering specifically, since both vulnerabilities seem to affect HTTP, if I need to upgrade given that all my proxies are configured to not allow HTTP (i.e. HTTPS only).

Best regards
Markus

sri_c003
Partner - Creator II

Does this issue impact only forms based authentication, or does it impact header based too? We have HTTP disabled at virtual proxy level.

acardella
Partner - Creator

Hi @Sonja_Bauernfeind,

let us know if the issue also impacts environments with an HTTPS config (with HTTP disabled).

thanks

Agostino

Sonja_Bauernfeind
Digital Support

Hello @sri_c003 and @acardella I'm getting the answer together for you. Will tag you once I have it and update the blog post accordingly. 

All the best,
Sonja 

Or
MVP

@Sonja_Bauernfeind Could you please try and find out if there's a firm release date scheduled for May 2023 SR5 and/or August 2023 SR2? Due to QB-20719 supposedly being fixed for those, I would prefer to patch directly to those versions.

Thanks!

Sonja_Bauernfeind
Digital Support

@jeremyseipel  On the question of possible workarounds as you wait for an upgrade:

An upgrade or patch is required to mitigate the vulnerability and no direct workaround is available. As per Qlik's best practices, the proxy should not be exposed to the public internet, which reduces the attack surface significantly.

@Lokeshb31 @RaviGinqo @markus3 @sri_c003 @acardella  On the question of whether or not all authentication methods are affected and if environments with HTTP disabled are also impacted:

All authentication methods are affected, regardless of whether HTTP or HTTPS is in use. These vulnerabilities affect the HTTP protocol overall, meaning that even if HTTP is disabled, the environment remains vulnerable.

These attacks do not rely on intercepting any communication and are therefore indifferent to whether the HTTP communication is encrypted or not.

All the best,
Sonja 

Sonja_Bauernfeind
Digital Support

@Or  We do not yet have a firm release date for May 2023 SR5 and August 2023 SR2, but we will be updating the blog post as soon as we know more.

sri_c003
Partner - Creator II

@Sonja_Bauernfeind 
Thank you for checking the item for us.
Could you please let us know the patch release date for February 2022?
