Sonja_Bauernfeind
Digital Support

Edited August 30th, 15:55 CET: Added clarification on older Qlik Sense Enterprise on Windows versions
Edited August 31st, 13:10 CET: Added clarification on possible workarounds (none exist) as well as information regarding what authentication methods (all) are affected and that HTTP and HTTPS are impacted
Edited November 21st, 8:40 CET: Added clarification to apply the latest patches

Hello Qlik Users,

Two security issues in Qlik Sense Enterprise for Windows have been identified and patches made available. Details can be found in Security Bulletin Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-41266, CVE-2023-41265).

This announcement from August 2023 and the mentioned releases only cover CVE-2023-41266 and CVE-2023-41265. Apply the most recent patches as documented in Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-48365) (September 2023), which resolve CVE-2023-48365 as well.

Today, we have released five service releases across the latest versions of Qlik Sense to patch the reported issues. All versions of Qlik Sense Enterprise for Windows prior to and including these releases are impacted:

  • May 2023 Patch 3
  • February 2023 Patch 7
  • November 2022 Patch 10
  • August 2022 Patch 12

All prior versions of Qlik Sense Enterprise on Windows are affected, including releases such as May 2022, February 2022, and earlier. While no patches are currently listed for these versions, Qlik is actively investigating the possibility of patching older releases. 

No workarounds can be provided. Customers should upgrade Qlik Sense Enterprise for Windows to a version containing fixes for these issues. The August 2023 Initial Release, released today, already contains the fix:

  • August 2023 Initial Release
  • May 2023 Patch 4
  • February 2023 Patch 8
  • November 2022 Patch 11
  • August 2022 Patch 13

This issue only impacts Qlik Sense Enterprise for Windows. Other Qlik products including Qlik Cloud and QlikView are NOT impacted.
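As an added example (not Qlik's own code or tooling), the following Python checker maps an installed Qlik Sense Enterprise for Windows version string to the fixed patch levels listed above, treating patches as cumulative and older release trains as affected with no patch listed. The version-string format, the `parse_version` and `patch_status` helpers and the sample inventory lines are assumptions; it covers only CVE-2023-41266 and CVE-2023-41265.

```python
import re

# Minimum patch level per release train that contains the fixes for
# CVE-2023-41266 and CVE-2023-41265, taken from the announcement.
# Patch 0 stands for the Initial Release (IR).
FIXED_PATCH = {
    "August 2023": 0,
    "May 2023": 4,
    "February 2023": 8,
    "November 2022": 11,
    "August 2022": 13,
}

# Assumed version-string format: "<Month> <Year>[ IR|Initial Release|Patch N]"
_VERSION_RE = re.compile(
    r"^\s*(?P<month>[A-Za-z]+)\s+(?P<year>\d{4})"
    r"(?:\s+(?:IR|Initial Release)|\s+Patch\s+(?P<patch>\d+))?\s*$",
    re.IGNORECASE,
)


def parse_version(text: str) -> tuple[str, int]:
    """Turn 'February 2023 Patch 7' or 'August 2023 IR' into ('February 2023', 7)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Qlik Sense version string: {text!r}")
    train = f"{m.group('month').capitalize()} {m.group('year')}"
    patch = int(m.group("patch")) if m.group("patch") else 0
    return train, patch


def patch_status(text: str) -> str:
    """Classify an installed version against the fixed releases.

    Returns 'fixed', 'upgrade to <train> <level>', or
    'affected, no patch listed' for trains older than August 2022.
    Patches are cumulative, so any patch at or above the fixed level counts.
    """
    train, patch = parse_version(text)
    if train not in FIXED_PATCH:
        return "affected, no patch listed"
    needed = FIXED_PATCH[train]
    if patch >= needed:
        return "fixed"
    target = "Initial Release" if needed == 0 else f"Patch {needed}"
    return f"upgrade to {train} {target}"


if __name__ == "__main__":
    # Constructed inventory lines, not real hosts.
    for v in ["May 2023 Patch 3", "November 2022 Patch 11", "May 2022 Patch 5"]:
        print(f"{v}: {patch_status(v)}")
```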

All Qlik software can be downloaded from our official Qlik Download page (customer login required). Follow best practices when upgrading Qlik Sense.

The information in this post and in the Security Bulletin Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-41266, CVE-2023-41265) is disclosed in accordance with our published Security and Vulnerability Policy.


Clarifications and Frequently Asked Questions:

What can be done to mitigate the issue?

No mitigation can be provided. An upgrade should be performed at the earliest. As per Qlik's best practices, the proxy should not be exposed to the public internet, which reduces the attack surface significantly.

What authentication methods are affected?

All authentication methods are affected.

Are environments with HTTP disabled impacted?

Environments are affected regardless of whether HTTP or HTTPS is in use. These vulnerabilities affect the HTTP protocol overall, meaning that even if HTTP is disabled, the environment remains vulnerable.

These attacks do not rely on intercepting any communication, and are therefore indifferent to whether the HTTP communication is encrypted or not.

Kind regards, and thank you for choosing Qlik,

Qlik Global Support

53 Comments
Sonja_Bauernfeind
Digital Support

You're welcome, @hillarynyawate !

hillarynyawate
Contributor III

Hi @Sonja_Bauernfeind ,

I managed to upgrade Qlik Sense Enterprise from 2021 to 2022, but now I am getting a "backup failed" error while running the PostgreSQL installer to upgrade the Repository database from version 12.5 to 14.

The logs say that the user was denied access from stopping the Qlik Sense Repository Database service, although the user has full admin rights.

Kindly assist on how to solve this.

Sonja_Bauernfeind
Digital Support

Hello @hillarynyawate 

Are you running it As Administrator (so, right-click, run as admin) rather than simply with a user logged in who is admin or has the permissions? It's crucial to specifically "run as admin".

If you are and you continue to get the error, please contact support (use the Chat Now button) to begin an investigation.

All the best,
Sonja 

bearschoice
Partner - Contributor II

Was there any official word from Qlik other than through these community pages to warn users, customers and, last of all, resellers that there was a potentially considerable security flaw in their product?

Are we seriously expected to trawl through these pages to find out if the software is safe to deploy? Or am I missing something? - I seriously hope I am.

al
Employee

Hi @Sonja_Bauernfeind

According to what I read on the following community posts

QSEoW November 2022 SR 11 should not be impacted by the following vulnerabilities:

CVE-2023-41266
CVE-2023-41265

While vulnerability:

CVE-2023-48365

was only mitigated starting from patch 12. Can you please confirm that this is the case?

Thanks !
Al

Sonja_Bauernfeind
Digital Support

Hello @al 

November 2022 Patch 11 fixed CVE-2023-41266 (QB-21220) and CVE-2023-41265 (QB-21222). See the Release Notes.
November 2022 Patch 12 fixed CVE-2023-48365 (QB-21683). See the Release Notes.

Patches are accumulative, so anything from patch 11 is included in patch 12.

All the best,
Sonja 

Filip_Albulescu
Contributor

Hello,

Does NPrinting also need to be updated?

Regards,

Filip

Sonja_Bauernfeind
Digital Support

@Filip_Albulescu 

This issue only impacts Qlik Sense Enterprise for Windows. Other Qlik products, including Qlik Cloud and QlikView (or NPrinting in your specific question), are NOT impacted.

All the best,
Sonja

RajaDumpa
Contributor III

Hi @Sonja_Bauernfeind : We are already on February 2023 Patch 10. I am not sure if the article is suggesting that we install Patch 8, or do we need to upgrade to the Aug 2023 IR?

Sonja_Bauernfeind
Digital Support

Hello @RajaDumpa 

If you are on February 2023 Patch 10, then you already have the security patch included. More importantly, it also includes the fix for CVE-2023-48365. There is no crucial need to upgrade to another major release.

All the best,
Sonja 
