Skip to main content
Announcements
Live today at 11 AM ET. Get your questions about Qlik Connect answered, or just listen in. SIGN UP NOW
Sonja_Bauernfeind
Digital Support
Digital Support

Edited 20th November 2023: CVE number updated.
Edited December 1st 2023: Added November 2023 IR release

Hello Qlik Users,

A security issue in Qlik Sense Enterprise for Windows has been identified, and patches have been made available. Details can be found in the Security Bulletin Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-48365).

Today, we have released eight service releases across the latest versions of Qlik Sense to patch the reported issues. All versions of Qlik Sense Enterprise for Windows prior to and including these releases are impacted:

  • August 2023 Patch 1
  • May 2023 Patch 5
  • February 2023 Patch 9
  • November 2022 Patch 11
  • August 2022 Patch 13
  • May 2022 Patch 15
  • February 2022 Patch 14
  • November 2021 Patch 16


No workarounds can be provided. Customers should upgrade Qlik Sense Enterprise for Windows to a version containing fixes for these issues. The listed fixes also address CV-2023-41266 and CVE-2023-41265 (link).

  • November 2023 IR
  • August 2023 Patch 2
  • May 2023 Patch 6
  • February 2023 Patch 10
  • November 2022 Patch 12
  • August 2022 Patch 14
  • May 2022 Patch 16
  • February 2022 Patch 15
  • November 2021 Patch 17
This issue only impacts Qlik Sense Enterprise for Windows. Other Qlik products including Qlik Cloud and QlikView are NOT impacted.

All Qlik software can be downloaded from our official Qlik Download page (customer login required). Follow best practices when upgrading Qlik Sense.

Qlik provides patches for major releases until the next Initial or Service Release is generally available. See Release Management Policy for Qlik Software. Notwithstanding, additional patches for earlier releases may be made available at Qlik’s discretion.

The information in this post and Security Bulletin Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-48365) is disclosed in accordance with our published Security and Vulnerability Policy.

 

Clarifications and Frequently Asked Questions:

What can be done to mitigate the issue?

No mitigation can be provided. An upgrade should be performed at the earliest. As per Qlik's best practices, the proxy should not be exposed to the public internet, which reduces the attack surface significantly.

What authentication methods are affected?

All authentication methods are affected.

Are environments with HTTP disabled impacted?

Environments will be affected regardless if HTTP or HTTPS are in use. These vulnerabilities affect the HTTP protocol overall, meaning even if HTTP is disabled, the environment remains vulnerable.

These attacks don’t rely on intercepting any communication, and therefore, are indifferent whether the HTTP communication is encrypted or not.

Kind regards, and thank you for choosing Qlik,

Qlik Global Support

49 Comments
GeorgeSavu
Contributor II
Contributor II

Hi @Sonja_Bauernfeind ,

Do you have any updates about the question that @C-Hopf had about the PostgreSQL security vulnerability ?

Best Regards,

George  

1,132 Views
Sonja_Bauernfeind
Digital Support
Digital Support

Hello @GeorgeSavu 

I have checked in with our subject matter experts, and my original message is still accurate. Unbundling PostgreSQL using QPI allows for direct control of your PostgreSQL instance and facilitates maintenance without a dependency on Qlik Sense. Further Database upgrades can then be performed independently and in accordance with your corporate security policy when needed, as long as you remain within the supported PostgreSQL versions. See How To Upgrade Standalone PostgreSQL. If you are looking for information on how to achieve the same without QPI, see How to configure Qlik Sense to use a dedicated PostgreSQL database .

This PostgreSQL CVE is not related to the CVEs discussed in this blog post. For further questions regarding it please either post a new thread in our Deployment and Management forum or contact Qlik Support.

All the best,
Sonja

 

1,097 Views
Filip_Albulescu
Contributor
Contributor

Hello,

Short questions, is this strictly for Qlik Sense or should Qlik NPrinting also be updated?

Regards,

Filip

1,034 Views
Sonja_Bauernfeind
Digital Support
Digital Support

@Filip_Albulescu 

This issue only impacts Qlik Sense Enterprise for Windows. Other Qlik products, including Qlik Cloud and QlikView (or NPrinting in your specific question), are NOT impacted.

All the best,
Sonja

1,004 Views
Mahamed_Qlik
Specialist
Specialist

Hi Sonja,

 

Its helpful. We have upgraded our version according to fix you have mentioned above.

One thing want to ask after upgrade how can we validate if the fix is applied or how can we test the environment to make sure the applied fix is the permanent solution for such issue.

 

887 Views
Sonja_Bauernfeind
Digital Support
Digital Support

Hello @Mahamed_Qlik 

Qlik recommends reviewing Praetorian's information regarding the vulnerability, which includes details on how to identify it.

All the best,
Sonja 

696 Views
Mahamed_Qlik
Specialist
Specialist

Thanks Sonja for this reference URL and also it is informative for such critical issue.

However, I found the information is little complex to understand on first time or may be it is more understandable to relative engineers.

I can wait till the time Qlik presents this solution in simple form which will be easy to understand in quick manner.

Thanks again for the information and I am sure many people will take benefit of your reference post.

Happy new year ..!!!

 

533 Views
David14
Contributor
Contributor

Hi @Sonja_Bauernfeind,

Please help me understand the timeline correctly. This page was posted 20th September, right? Was the issue, that was later assigned CVE-2023-48365, already known at that time? Or put another way... Was the patch August 2023 Patch 2 described as a security patch from the beginning?

370 Views
Sonja_Bauernfeind
Digital Support
Digital Support

Hello @David14 

This alert (from the 20th of September) is about CVE-2023-48365 specifically. The blog post was, however, originally posted without a CVE number, as Qlik did not receive a CVE number until later. You can, however, find Qlik's internal issue ID in the Security Bulletin as well as in the release notes: QB-21683.

The August 2023 Patch 2 was not merely a security patch. It included a wider range of fixes.

I hope this answers the question. Should I have misunderstood something, please let me know. 

All the best,
Sonja 

 

 

332 Views