Skip to main content
Announcements
See why Qlik was named a Leader in the 2024 Gartner® Magic Quadrant™ for Data Integration Tools for the ninth year in a row: Get the report
Sonja_Bauernfeind
Digital Support
Digital Support

Edited 20th November 2023: CVE number updated.
Edited December 1st 2023: Added November 2023 IR release

Hello Qlik Users,

A security issue in Qlik Sense Enterprise for Windows has been identified, and patches have been made available. Details can be found in the Security Bulletin Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-48365).

Today, we have released eight service releases across the latest versions of Qlik Sense to patch the reported issues. All versions of Qlik Sense Enterprise for Windows prior to and including these releases are impacted:

  • August 2023 Patch 1
  • May 2023 Patch 5
  • February 2023 Patch 9
  • November 2022 Patch 11
  • August 2022 Patch 13
  • May 2022 Patch 15
  • February 2022 Patch 14
  • November 2021 Patch 16


No workarounds can be provided. Customers should upgrade Qlik Sense Enterprise for Windows to a version containing fixes for these issues. The listed fixes also address CV-2023-41266 and CVE-2023-41265 (link).

  • November 2023 IR
  • August 2023 Patch 2
  • May 2023 Patch 6
  • February 2023 Patch 10
  • November 2022 Patch 12
  • August 2022 Patch 14
  • May 2022 Patch 16
  • February 2022 Patch 15
  • November 2021 Patch 17
This issue only impacts Qlik Sense Enterprise for Windows. Other Qlik products including Qlik Cloud and QlikView are NOT impacted.

All Qlik software can be downloaded from our official Qlik Download page (customer login required). Follow best practices when upgrading Qlik Sense.

Qlik provides patches for major releases until the next Initial or Service Release is generally available. See Release Management Policy for Qlik Software. Notwithstanding, additional patches for earlier releases may be made available at Qlik’s discretion.

The information in this post and Security Bulletin Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-48365) is disclosed in accordance with our published Security and Vulnerability Policy.

 

Clarifications and Frequently Asked Questions:

What can be done to mitigate the issue?

No mitigation can be provided. An upgrade should be performed at the earliest. As per Qlik's best practices, the proxy should not be exposed to the public internet, which reduces the attack surface significantly.

What authentication methods are affected?

All authentication methods are affected.

Are environments with HTTP disabled impacted?

Environments will be affected regardless if HTTP or HTTPS are in use. These vulnerabilities affect the HTTP protocol overall, meaning even if HTTP is disabled, the environment remains vulnerable.

These attacks don’t rely on intercepting any communication, and therefore, are indifferent whether the HTTP communication is encrypted or not.

Kind regards, and thank you for choosing Qlik,

Qlik Global Support

49 Comments
GeorgeSavu
Contributor II
Contributor II

Looks like we have the first cases of the exploits being used in the wild 

CACTUS Ransomware Exploits Qlik Sense Vulnerabilities in Targeted Attacks (thehackernews.com)

so do not postpone and apply the patch .

1,975 Views
Proginov
Partner - Contributor II
Partner - Contributor II

Why is the February 2023 patch (Patch 11) dated from November the 1st, and for May2023/August2023/... the last fix is dated 29th of November ?

Do the Patch 11 of Feb2023 protect from the last CVE discovered ?

Thanks.

1,912 Views
steeefan
Luminary
Luminary

According to this post, it does. Refer also to the release notes of February 2023 and look for QB-21220, QB-21222 and QB-21683.

1,860 Views
Sonja_Bauernfeind
Digital Support
Digital Support

Hello @Proginov 

As @steeefan has already pointed out, yes, the February 2023 patch 11 includes all three fixes as per the security bulletin Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-48365)

All three Qlik internal IDs (QB-21683, QB-21220, and QB-21222) are listed accordingly in the February 2023 Release Notes. Patches are accumulative, so every fix listed in the previous patches is automatically included in the later patch as well. You can find QB-21683 listed in the Patch 10 section and QB-21220 and QB-21222 in the Patch 8 section.

All the best,
Sonja 

 

1,794 Views
sri_c003
Partner - Creator II
Partner - Creator II

sri_c003_0-1701358338446.png

I see the patches for Feb 2022 and Feb 2023 dated Nov 1st. This issue was published on Nov 30th. Can anyone from Qlik confirm these patches fix the issue, or if a new patch would be released for the same.

 

 

1,781 Views
Miguel_Angel_Baeyens

For clarity, the website article has been released today, but the CVEs were notified in Qlik Community articles a couple of months ago and then updated (articles such as this one show 2 dates, original publication -Sep. 20-  and upated on -Nov. 20-).

EDIT: Another article was published on Aug. 29: https://community.qlik.com/t5/Support-Updates/Qlik-Sense-Enterprise-for-Windows-New-Security-Patches.... All the articles are linked in the OP.

1,725 Views
Sonja_Bauernfeind
Digital Support
Digital Support

Hello @sri_c003 

@Miguel_Angel_Baeyens got it right. The article (edit: not Qlik's article, the external article) was released today (Nov 30), but the fixes for the CVEs which are listed were all done previously.

CVE-2023-41266 (QB-21220) and CVE-2023-41265 (QB-21222) were released on August 31st.
CVE-2023-48365 (QB-21683) was released on September 20th.

All the best,
Sonja 

1,686 Views
sri_c003
Partner - Creator II
Partner - Creator II

@Sonja_Bauernfeind 

The last CVE published was Sep 20th, and I see patch 15 for Feb 2022 and Patch 10 for Feb 2023 released on the same date (Sep 20th).

Would these p15 and p10 for Feb 23 and Feb 22 Qlik versions remediate these items mentioned?

1,576 Views
Sonja_Bauernfeind
Digital Support
Digital Support

Hello @sri_c003 

Yes, they do. You can verify the same by reviewing the release notes for these products.

All three Qlik internal IDs (QB-21683, QB-21220, and QB-21222) are listed accordingly in the February 2023 and February 2022 Release Notes. Patches are accumulative, so every fix listed in the previous patches is automatically included in the later patch as well.

For February 2023, you can find QB-21683 listed in the Patch 10 section and QB-21220 and QB-21222 in the Patch 8 section. For February 2022, you can find QB-21683, QB-21220, and QB-21222 listed in the Patch 15 section. 

All the best,
Sonja 

1,533 Views
PeterOG
Contributor
Contributor

Hi @Sonja_Bauernfeind If we install a specific update, such as Patch 10, and subsequently a new update, like Patch 11, is released for a different issue, will the security features from Patch 10 be retained in Patch 11?

 

Edit: 

I might have an answer. According to @Sonja_Bauernfeind  in one of her responses in this thread, patches are cumulative. Therefore, any security fixes from previous patches will be preserved in subsequent patches.

peter_galimutti_1-1701440919256.png

 

1,297 Views