Skip to main content
Announcements
Live today at 11 AM ET. Get your questions about Qlik Connect answered, or just listen in. SIGN UP NOW
Sonja_Bauernfeind
Digital Support
Digital Support

Edited 20th November 2023: CVE number updated.
Edited December 1st 2023: Added November 2023 IR release

Hello Qlik Users,

A security issue in Qlik Sense Enterprise for Windows has been identified, and patches have been made available. Details can be found in the Security Bulletin Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-48365).

Today, we have released eight service releases across the latest versions of Qlik Sense to patch the reported issues. All versions of Qlik Sense Enterprise for Windows prior to and including these releases are impacted:

  • August 2023 Patch 1
  • May 2023 Patch 5
  • February 2023 Patch 9
  • November 2022 Patch 11
  • August 2022 Patch 13
  • May 2022 Patch 15
  • February 2022 Patch 14
  • November 2021 Patch 16


No workarounds can be provided. Customers should upgrade Qlik Sense Enterprise for Windows to a version containing fixes for these issues. The listed fixes also address CV-2023-41266 and CVE-2023-41265 (link).

  • November 2023 IR
  • August 2023 Patch 2
  • May 2023 Patch 6
  • February 2023 Patch 10
  • November 2022 Patch 12
  • August 2022 Patch 14
  • May 2022 Patch 16
  • February 2022 Patch 15
  • November 2021 Patch 17
This issue only impacts Qlik Sense Enterprise for Windows. Other Qlik products including Qlik Cloud and QlikView are NOT impacted.

All Qlik software can be downloaded from our official Qlik Download page (customer login required). Follow best practices when upgrading Qlik Sense.

Qlik provides patches for major releases until the next Initial or Service Release is generally available. See Release Management Policy for Qlik Software. Notwithstanding, additional patches for earlier releases may be made available at Qlik’s discretion.

The information in this post and Security Bulletin Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-48365) is disclosed in accordance with our published Security and Vulnerability Policy.

 

Clarifications and Frequently Asked Questions:

What can be done to mitigate the issue?

No mitigation can be provided. An upgrade should be performed at the earliest. As per Qlik's best practices, the proxy should not be exposed to the public internet, which reduces the attack surface significantly.

What authentication methods are affected?

All authentication methods are affected.

Are environments with HTTP disabled impacted?

Environments will be affected regardless if HTTP or HTTPS are in use. These vulnerabilities affect the HTTP protocol overall, meaning even if HTTP is disabled, the environment remains vulnerable.

These attacks don’t rely on intercepting any communication, and therefore, are indifferent whether the HTTP communication is encrypted or not.

Kind regards, and thank you for choosing Qlik,

Qlik Global Support

49 Comments
Lokeshb31
Contributor III
Contributor III

We just updated Qliksense to Aug 2022 patch13 as per recommended fix and now there is another one. It takes time to plan downtime and upgrade in production cluster. Did we not test end to end before prior patch? Will it be now permanent fix? 

5,367 Views
parkera
Partner Ambassador
Partner Ambassador

Hello,

At Differentia Consulting we service hundreds of customers from a Qlik Support perspective, and clearly Qlik thousands.  The issue is not so much Qlik, but the bad actors and risks that need to be addressed, coupled with individual organisation security compliance for things such as ISO, and in the UK Cyber Essentials Plus accreditation compliance.

What Qlik does state is that the risk is one that is made real when the Qlik server is exposed to the public domain and thus providing an attack surface, or vector, for bad actors to do their worse. What you can do to help mitigate the risk is to not expose your IP address of your Qlik servers. Using reverse proxy and zero trust solutions such as OpenZiti (which we use, and sell).  These do not make the problem go away-entirely, they simply reduce the risk.  OpenZiti Zero Trust totally obfuscates the IP address of the server and access to it unless you have end to end approval to do so, which OpenZiti grants (without performance degradation).  

 

Given that Qlik (and others) can only patch known risks, we are all exposed, all of the time, to unknown risks. An obvious statement, but one where you have to ask yourself do you actually need your Qlik server IP to be in the public domain? 

Patching should be done weekly across all systems, including Qlik, for compliance. Testing is always an issue, but I would rather risk a functionality issue (very rare) over a security issue (common). That said, being pragmatic we would not recommend upgrading to any Qlik .0 releases, instead wait for SP2+ before doing so, unless tested.

Your security posture ie striking the right balance and staying compliant is hard, and compliance can be costly. This is just one of the many benefits of porting to Qlik Cloud, no server maintenance. Just a thought.

Best always is to imagine how you would feel if Qlik was the source of a network cyber attack and work from there.  FYI Many of our clients have had enterprise wide attacks, always from hacked software vendor software updates.  Given that we aim to deploy Qlik with security air gaps , then Qlik has been the saviour to help those organisations return to the last known state. As well as effect client communication. Qlik can actually help with reputational damage-limitation during and the days (and months) after a cyber attack. Something that I have written about many times. Qlik Cloud? :

Hope my ramblings help with perspective.

4,658 Views
AlexOmetis
Partner Ambassador
Partner Ambassador

@Lokeshb31 This addresses a different issue from the last patch. I assume Qlik didn't know about this additional issue at the time of working on the previous patches or was unable to develop a fix in time. Whilst it would be nice not to have to patch twice in a month, I don't think this is a failure in testing, just a sign that someone (Praetorian) is taking a close look at the security of Qlik Sense which is leading to improvements for all of us - it's actually good news! 

That's my take on it anyway!

5,214 Views
Lokeshb31
Contributor III
Contributor III

Never Mind! In fact its good that Praetorian identified this additional issue however I just hope there will not be any more in line. My request to Qlik is to confirm thoroughly and provide additional guidelines to customers accordingly since any upgrade involves effort estimation, approvals, dependencies, backups, change management, testing, sing off etc.  

5,174 Views
Sonja_Bauernfeind
Digital Support
Digital Support

Hello @Lokeshb31 Alex has summarised the situation well. Can you let me know what exact guidelines you are looking for? 

All the best,
Sonja 

5,129 Views
SimonMinifie
Partner - Contributor III
Partner - Contributor III

@Lokeshb31 Sing off? Your change management process sounds way more fun than mine!

5,086 Views
parkera
Partner Ambassador
Partner Ambassador

I replied to another thread on this subject about the real threat/risk, the exposing of of Qlik servers with public facing IP addresses. Which basically exposes the front door (attack surface) to would-be hackers (do a search on your favourite search engine and you can find them).  IMO Clients need to use a reverse proxy service as a minimum (such as Cloudflare's), or better still adopt full IP obfuscation using a ZeroTrust solution like OpenZiti (which we use for all client engagements, and sell-as well as it being open source, as it protects all connected services). 

The US Government is mandating the use of zero trust solutions to all its IT service suppliers by March 2024.

Note: Many clients use legacy hardware based VPNs which have many associated issues relating to performance and if hardware based create yet another attack vector, and costly - so not ideal.

The above does not avoid the need to patch, simply reduces the risk. I also mentioned that IMO again it is better to patch then test, than test and patch, illogical I know, provided that Qlik software is at least at SP2 there should be no issue and if there is you have P1 support from Qlik.  Patches however should have no impact on functionality.

Look at it this way: I would rather explain broken functionality than have to explain why the business had an attack.

Many IT professionals need to work more pragmatically with their security teams, again IMO to get used to the new patching cadence that should be expected from all on-premise vendor software. And do please get those domains obfuscated with the right Zero Trust solution.

If it is not for you, then there is Qlik Cloud 🙂 

5,019 Views
Lokeshb31
Contributor III
Contributor III

@Sonja_Bauernfeind : Guidelines about vulnerability testing if any or I would sync up with our security team and get it done. I just hope there will not be any additional round of patching or VRR after this one.

@SimonMinifie : We need to install any patch in non-prod first and take business sign off post testing. 

@parkeg : Thanks for details.

4,975 Views
jeremyseipel
Partner - Contributor III
Partner - Contributor III

I can submit this to support, but Is anyone else seeing version number differences in the QMC and the Hub after applying May 2023 Patch 6 (14.129.12)?  The qmc shows patch 6 and the hub shows patch 5 for version.

4,846 Views
Sonja_Bauernfeind
Digital Support
Digital Support

Hello @jeremyseipel 

Let me test this for you. 

All the best,
Sonja 

4,825 Views