Sonja_Bauernfeind
Digital Support

Edited August 30th, 15:55 CET: Added clarification on older Qlik Sense Enterprise on Windows versions
Edited August 31st, 13:10 CET: Added clarification on possible workarounds (none exist) as well as information regarding what authentication methods (all) are affected and that HTTP and HTTPS are impacted
Edited November 21st, 8:40 CET: Added clarification to apply the latest patches

Hello Qlik Users,

Two security issues in Qlik Sense Enterprise for Windows have been identified and patches have been made available. Details can be found in the Security Bulletin Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-41266, CVE-2023-41265).

This announcement from August 2023 and the mentioned releases only cover CVE-2023-41266 and CVE-2023-41265. Apply the most recent patches as documented in Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-48365) (September 2023), which resolve CVE-2023-48365 as well.

Today, we have released five service releases across the latest versions of Qlik Sense to patch the reported issues. All versions of Qlik Sense Enterprise for Windows prior to and including these releases are impacted:

  • May 2023 Patch 3
  • February 2023 Patch 7
  • November 2022 Patch 10
  • August 2022 Patch 12

All prior versions of Qlik Sense Enterprise on Windows are affected, including releases such as May 2022, February 2022, and earlier. While no patches are currently listed for these versions, Qlik is actively investigating the possibility of patching older releases.

No workarounds can be provided. Customers should upgrade Qlik Sense Enterprise for Windows to a version containing fixes for these issues. The fixed versions are listed below; the August 2023 Initial Release (IR), released today, already contains the fix:

  • August 2023 Initial Release
  • May 2023 Patch 4
  • February 2023 Patch 8
  • November 2022 Patch 11
  • August 2022 Patch 13

This issue only impacts Qlik Sense Enterprise for Windows. Other Qlik products, including Qlik Cloud and QlikView, are NOT impacted.

All Qlik software can be downloaded from our official Qlik Download page (customer login required). Follow best practices when upgrading Qlik Sense.

The information in this post and in the Security Bulletin Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-41266, CVE-2023-41265) is disclosed in accordance with our published Security and Vulnerability Policy.


Clarifications and Frequently Asked Questions:

What can be done to mitigate the issue?

No mitigation can be provided. An upgrade should be performed as early as possible. As per Qlik's best practices, the proxy should not be exposed to the public internet, which reduces the attack surface significantly.

What authentication methods are affected?

All authentication methods are affected.

Are environments with HTTP disabled impacted?

Environments are affected regardless of whether HTTP or HTTPS is in use. These vulnerabilities affect the HTTP protocol overall, meaning that even if plain HTTP is disabled, the environment remains vulnerable.

These attacks do not rely on intercepting any communication and are therefore indifferent to whether the HTTP communication is encrypted or not.

Kind regards, and thank you for choosing Qlik,

Qlik Global Support

61 Comments
Tamal_B
Contributor

Hi @Sonja_Bauernfeind,

We are using the May 2022 version of Qlik Sense Enterprise on Windows, and a version upgrade will take a huge amount of time, including customer agreement/confidence on the version upgrade, testing, customer sign-off and all.

When we discussed this with customers earlier, they liked the May 2022 Patch 8 stable version and don't want to break any existing functionality by simply going to a higher version.

As May 2022 is under support, we would really want to have the patch for the May 2022 version to fix these vulnerabilities more quickly.

Sonja_Bauernfeind
Digital Support

@sri_c003 and @Tamal_B

While no patches are currently listed for older releases, Qlik is actively investigating the possibility of patching older releases. We do not yet have fixed dates. This blog post will be updated once we have more information.

All the best,
Sonja

sri_c003
Partner - Creator II

@Sonja_Bauernfeind Any update on a Feb 2022 patch would be greatly appreciated.

EliGohar
Partner - Creator III

@Sonja_Bauernfeind Any update on a patch for the May 2022 version? We are working in OEM mode (with on-prem versions), and it isn't very easy for us to move our customers instantly to higher versions...

Sonja_Bauernfeind
Digital Support

Hello @EliGohar and @sri_c003. We will be updating the blog post and tag you as soon as we know more.

AmanMashi37
Contributor

Hi @Sonja_Bauernfeind

  1. Is the vulnerability mitigated after applying the above-mentioned patches?
  2. Please help us check the server logs in case the vulnerability has been exploited by an intruder.
  3. Critical vulnerability alerts by Qlik: we do not receive any alerts; please help enable alerting so that we receive proactive alerts.

Also, to further strengthen the controls, please confirm the below:

    1. Does Qlik Sense support authentication using Azure Active Directory and MFA?
    2. Please share the steps to configure AAD and MFA authentication.

Sonja_Bauernfeind
Digital Support

Hello @AmanMashi37 

On 1.: Correct, the vulnerability is mitigated after you have applied the patches mentioned above.
On 2. and 3.: I will come back with answers on these.

On your additional questions: here is documentation regarding Qlik Sense Enterprise on Windows with Azure AD: Tutorial: Azure AD SSO integration with Qlik Sense Enterprise Client-Managed (learn.microsoft.com). Regarding MFA: Is it possible to set up multi-factor authentication and max login attempts in Qlik Sense?

Note that neither Azure AD nor MFA have an impact on this vulnerability. All authentication methods are affected.

jesperclausen
Partner - Contributor II
August 2023 Initial Release seems to be missing from Download

I have logged in and tried to select Qlik Sense Enterprise for Windows August 2023 Initial Release.

It doesn't seem to be available. See the attached .png below.

Can we have the Initial release made available again or is there another way to upgrade?

Br Jesper Clausen, S-cubed

(attached screenshot: jesperclausen_0-1694768188960.png)

Sonja_Bauernfeind
Digital Support

Hello @jesperclausen 

I have reported this to our download site team. It seems the IR is not listed when you have the default "latest releases and latest patch" selection active. If you change this selection to "All releases with latest patch" and select August 2023, you will have easy access to both the IR download and the patch download.

(attached screenshot: Sonja_Bauernfeind_0-1694768737527.png)

jesperclausen
Partner - Contributor II

Thanks for your quick and well illustrated answer. 😀

It solved my problem, and hopefully the Release Team will quickly fix the situation, so others don't waste time searching for a solution. 🏇
