Today, we have released eight service releases across the latest versions of Qlik Sense to patch the reported issues. All versions of Qlik Sense Enterprise for Windows prior to and including these releases are impacted:
August 2023 Patch 1
May 2023 Patch 5
February 2023 Patch 9
November 2022 Patch 11
August 2022 Patch 13
May 2022 Patch 15
February 2022 Patch 14
November 2021 Patch 16
No workarounds can be provided. Customers should upgrade Qlik Sense Enterprise for Windows to a version containing fixes for these issues. The listed fixes also address CVE-2023-41266 and CVE-2023-41265.
November 2023 IR
August 2023 Patch 2
May 2023 Patch 6
February 2023 Patch 10
November 2022 Patch 12
August 2022 Patch 14
May 2022 Patch 16
February 2022 Patch 15
November 2021 Patch 17
This issue only impacts Qlik Sense Enterprise for Windows. Other Qlik products including Qlik Cloud and QlikView are NOT impacted.
Qlik provides patches for major releases until the next Initial or Service Release is generally available. See Release Management Policy for Qlik Software. Notwithstanding, additional patches for earlier releases may be made available at Qlik’s discretion.
No mitigation can be provided. An upgrade should be performed at the earliest opportunity. As per Qlik's best practices, the proxy should not be exposed to the public internet, which reduces the attack surface significantly.
What authentication methods are affected?
All authentication methods are affected.
Are environments with HTTP disabled impacted?
Environments are affected regardless of whether HTTP or HTTPS is in use. These vulnerabilities affect the HTTP protocol overall, meaning that even if HTTP is disabled and only HTTPS is enabled, the environment remains vulnerable.
These attacks do not rely on intercepting any communication and are therefore indifferent to whether the HTTP communication is encrypted or not.
All three Qlik internal IDs (QB-21683, QB-21220, and QB-21222) are listed accordingly in the February 2023 Release Notes. Patches are cumulative, so every fix listed in the previous patches is automatically included in the later patch as well. You can find QB-21683 listed in the Patch 10 section and QB-21220 and QB-21222 in the Patch 8 section.
I see the patches for Feb 2022 and Feb 2023 dated Nov 1st. This issue was published on Nov 30th. Can anyone from Qlik confirm whether these patches fix the issue, or if a new patch will be released for the same?
For clarity, the website article has been released today, but the CVEs were notified in Qlik Community articles a couple of months ago and then updated (articles such as this one show 2 dates: original publication, Sep. 20, and updated on Nov. 20).
@Miguel_Angel_Baeyens got it right. The article (edit: not Qlik's article, the external article) was released today (Nov 30), but the fixes for the CVEs which are listed were all done previously.
CVE-2023-41266 (QB-21220) and CVE-2023-41265 (QB-21222) were released on August 31st. CVE-2023-48365 (QB-21683) was released on September 20th.
Yes, they do. You can verify the same by reviewing the release notes for these products.
All three Qlik internal IDs (QB-21683, QB-21220, and QB-21222) are listed accordingly in the February 2023 and February 2022 Release Notes. Patches are cumulative, so every fix listed in the previous patches is automatically included in the later patch as well.
For February 2023, you can find QB-21683 listed in the Patch 10 section and QB-21220 and QB-21222 in the Patch 8 section. For February 2022, you can find QB-21683, QB-21220, and QB-21222 listed in the Patch 15 section.
Hi @Sonja_Bauernfeind, if we install a specific update, such as Patch 10, and subsequently a new update, like Patch 11, is released for a different issue, will the security fixes from Patch 10 be retained in Patch 11?
Edit:
I might have an answer. According to @Sonja_Bauernfeind in one of her responses in this thread, patches are cumulative. Therefore, any security fixes from previous patches will be preserved in subsequent patches.