Sonja_Bauernfeind (Digital Support)

Edited August 30th, 15:55 CET: Added clarification on older Qlik Sense Enterprise on Windows versions
Edited August 31st, 13:10 CET: Added clarification on possible workarounds (none exist) as well as information regarding what authentication methods (all) are affected and that HTTP and HTTPS are impacted
Edited November 21st, 8:40 CET: Added clarification to apply the latest patches

Hello Qlik Users,

Two security issues in Qlik Sense Enterprise for Windows have been identified and patches made available. Details can be found in Security Bulletin Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-41266, CVE-2023-41265).

This announcement from August 2023 and the mentioned releases only cover CVE-2023-41266 and CVE-2023-41265. Apply the most recent patches as documented in Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-48365) (September 2023), which resolve CVE-2023-48365 as well.

Today, we have released five service releases across the latest versions of Qlik Sense to patch the reported issues. All versions of Qlik Sense Enterprise for Windows prior to and including these releases are impacted:

  • May 2023 Patch 3
  • February 2023 Patch 7
  • November 2022 Patch 10
  • August 2022 Patch 12

All prior versions of Qlik Sense Enterprise on Windows are affected, including releases such as May 2022, February 2022, and earlier. While no patches are currently listed for these versions, Qlik is actively investigating the possibility of patching older releases. 

No workarounds can be provided. Customers should upgrade Qlik Sense Enterprise for Windows to a version containing fixes for these issues. The August 2023 Initial Release, published today, already contains the fix, as do the following patches:

  • August 2023 Initial Release
  • May 2023 Patch 4
  • February 2023 Patch 8
  • November 2022 Patch 11
  • August 2022 Patch 13

This issue only impacts Qlik Sense Enterprise for Windows. Other Qlik products including Qlik Cloud and QlikView are NOT impacted.
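As an added example (not Qlik's code and not part of this announcement), the following Python script encodes the impacted and fixed release list above and reports which servers in a site inventory still run an affected build of Qlik Sense Enterprise for Windows, which is the triage step a defender performs before scheduling the upgrade. The fixed-patch table is taken from this post as originally published and covers CVE-2023-41266 and CVE-2023-41265 only, not the later patches for CVE-2023-48365; the function names, the abbreviated month handling and the sample inventory are assumptions made here. It also flags nodes that disagree on version, since a multi-node site must run the same release and patch level on every node.

```python
import re
from typing import Dict, List, Tuple

# Release months used in Qlik Sense Enterprise for Windows labels, in calendar order.
MONTH_ORDER = {"february": 2, "may": 5, "august": 8, "november": 11}

# First patch level of each release family that contains the fixes for
# CVE-2023-41266 / CVE-2023-41265, copied from the announcement above.
# 0 means the Initial Release (IR) already carries the fix.
FIXED_PATCH_LEVEL: Dict[Tuple[int, int], int] = {
    (2023, 8): 0,    # August 2023 Initial Release
    (2023, 5): 4,    # May 2023 Patch 4
    (2023, 2): 8,    # February 2023 Patch 8
    (2022, 11): 11,  # November 2022 Patch 11
    (2022, 8): 13,   # August 2022 Patch 13
}
OLDEST_FIXED_FAMILY = (2022, 8)

# Assumed label grammar: "<Month> <Year>" optionally followed by "Patch N",
# "IR" or "Initial Release".
_LABEL_RE = re.compile(
    r"^\s*(?P<month>[A-Za-z]+)\s+(?P<year>\d{4})"
    r"(?:\s+(?:Patch\s+(?P<patch>\d+)|IR|Initial\s+Release))?\s*$",
    re.IGNORECASE,
)


def parse_version(label: str) -> Tuple[int, int, int]:
    """Turn 'May 2023 Patch 3' into (2023, 5, 3).

    'IR', 'Initial Release' or no suffix all mean patch level 0; month names
    may be abbreviated ('Feb 2023 Patch 8').
    """
    m = _LABEL_RE.match(label)
    if not m:
        raise ValueError(f"unrecognised version label: {label!r}")
    name = m.group("month").lower()
    month = next((num for full, num in MONTH_ORDER.items() if full.startswith(name)), None)
    if month is None:
        raise ValueError(f"unknown release month in {label!r}")
    patch = int(m.group("patch")) if m.group("patch") else 0
    return int(m.group("year")), month, patch


def is_affected(label: str) -> bool:
    """True if this build still lacks the fixes for the two CVEs in the post."""
    year, month, patch = parse_version(label)
    fixed_at = FIXED_PATCH_LEVEL.get((year, month))
    if fixed_at is None:
        # Families older than August 2022 had no fix listed when the post was
        # written and are affected; families newer than August 2023 postdate
        # the fix and are treated as not affected by these two CVEs.
        return (year, month) < OLDEST_FIXED_FAMILY
    return patch < fixed_at


def check_inventory(nodes: Dict[str, str]) -> Dict[str, object]:
    """nodes maps node name -> version label.

    Returns the nodes still on an affected build and whether the nodes disagree
    on version: every node of a multi-node site must run the same release and
    patch level, so a partially upgraded site is itself a finding.
    """
    affected: List[str] = sorted(name for name, label in nodes.items() if is_affected(label))
    distinct = {parse_version(label) for label in nodes.values()}
    return {"affected": affected, "version_mismatch": len(distinct) > 1}


# Constructed sample inventory for illustration only (not real hosts).
SAMPLE_INVENTORY = {
    "central-node": "May 2023 Patch 4",
    "rim-node-1": "May 2023 Patch 3",
    "rim-node-2": "February 2022 Patch 15",
}

if __name__ == "__main__":
    result = check_inventory(SAMPLE_INVENTORY)
    for node in result["affected"]:
        print(f"{node}: {SAMPLE_INVENTORY[node]} is affected, upgrade required")
    if result["version_mismatch"]:
        print("nodes are not all on the same version; bring every node to the same patch level")
```

Feed it the version labels from each node's About page or installed-programs list; any node reported as affected, and any version mismatch across nodes, means the upgrade is still outstanding for that site.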

All Qlik software can be downloaded from our official Qlik Download page (customer login required). Follow best practices when upgrading Qlik Sense.

The information in this post and in the Security Bulletin Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-41266, CVE-2023-41265) is disclosed in accordance with our published Security and Vulnerability Policy.

Clarifications and Frequently Asked Questions:

What can be done to mitigate the issue?

No mitigation can be provided. An upgrade should be performed at the earliest. As per Qlik's best practices, the proxy should not be exposed to the public internet, which reduces the attack surface significantly.

What authentication methods are affected?

All authentication methods are affected.

Are environments with HTTP disabled impacted?

Environments are affected regardless of whether HTTP or HTTPS is in use. These vulnerabilities affect the HTTP protocol overall, meaning that even if HTTP is disabled, the environment remains vulnerable.

These attacks don't rely on intercepting any communication and are therefore indifferent to whether the HTTP communication is encrypted or not.

Kind regards, and thank you for choosing Qlik,

Qlik Global Support

53 Comments
Sonja_Bauernfeind (Digital Support)

Hello @AmanMashi37 

Help check the server logs in case the vulnerability is exploited by any intruder.

As for verifying pre- and post-patch, Qlik is aligned with Praetorian. You can make use of their research; see Verifying Remediation Using Nuclei | praetorian.com.

Critical vulnerability alert by Qlik : We do not receive any alert, please help enable the alert so that we receive proactive alerts.

For security-related incidents, Qlik follows a Responsible Disclosure approach for any vulnerability that rates as High or Critical by our Software Security Office. This approach includes publishing a Security Bulletin to alert our customers and partners through a blog post, collaborating with the reporter of the vulnerability if applicable, creating software fixes as soon as possible, and/or providing mitigation until fixed.

All the best,
Sonja 

Sonja_Bauernfeind (Digital Support)

 @starke_be-terna @sri_c003 @Yossi @paulselousyoriz @Tamal_B @EliGohar 

A new set of patches was released that addresses an additional vulnerability, and the previous ones are addressed here. The patches date back further to additional versions. See Qlik Sense Enterprise for Windows - New Security Patches Available Now.

(I am sorry I couldn't tag you, Or, but the tagging feature needs three letters and your name is not coming up in the recent selections.)

All the best,
Sonja 

sri_c003 (Partner - Creator II)

@Sonja_Bauernfeind 

Thank you for the Feb 2022 patch - February 2022 Patch 15

john_oll (Partner - Creator)

Please add the information, for multinode environments, in the original article,
if it is sufficient to install the SR on the central node,
OR
if it is necessary to install the SR also on the rim nodes!

(And please answer also the related question in
https://community.qlik.com/t5/Deployment-Management/Do-you-need-to-install-ServiceRelease-SR-Patches...
so people can find that information via google)

Sonja_Bauernfeind (Digital Support)

Hello @john_oll, as mentioned in the post by Miguel, all nodes must be on the same version. This is a general requirement, regardless of the type of patch. See Considerations about multi-node deployments.

I will run the suggestion to amend the article by our team.

tchovanec (Creator II)

Do these versions also fix CVE-2023-48365?

Sonja_Bauernfeind (Digital Support)

hillarynyawate (Contributor III)

Thank you @Sonja_Bauernfeind for this information.

Would someone with an older version, say Aug 2021, be able to upgrade to Aug 2023 directly?

Or which intermediate versions should be upgraded to first before the latest is reached, and could you share a tutorial on how to go about that? Thanks in advance for your continued support.

Sonja_Bauernfeind (Digital Support)

Hello @hillarynyawate 

You can find information on how to best plan your upgrade path in Planning your upgrade. Which, in your case, would translate to:

  1. Upgrade from August 2021 to August 2022 IR
  2. Test
  3. Upgrade PostgreSQL to 14 (See Upgrading and unbundling the Qlik Sense Repository Database using the Qlik PostgreSQL Installer)
  4. Test
  5. Upgrade to either August 2023 IR or November 2023 IR
  6. Test
  7. Patch to the latest available patch

If you need direct assistance with an upgrade, contact Professional Services.

All the best,
Sonja

hillarynyawate (Contributor III)

Hi @Sonja_Bauernfeind,

Thank you for your prompt response; let me try to implement that.
