Edited August 30th, 15:55 CET: Added clarification on older Qlik Sense Enterprise on Windows versions Edited August 31st, 13:10 CET: Added clarification on possible workarounds (none exist) as well as information regarding what authentication methods (all) are affected and that HTTP and HTTPS are impacted Edited November 21st, 8:40 CET: Added clarification to apply the latest patches
Today, we have released five service releases across the latest versions of Qlik Sense to patch the reported issues. All versions of Qlik Sense Enterprise for Windows prior to and including these releases are impacted:
May 2023 Patch 3
February 2023 Patch 7
November 2022 Patch 10
August 2022 Patch 12
All prior versions of Qlik Sense Enterprise on Windows are affected, including releases such as May 2022, February 2022, and earlier. While no patches are currently listed for these versions, Qlik is actively investigating the possibility of patching older releases.
No workarounds can be provided. Customers should upgrade Qlik Sense Enterprise for Windows to a version containing fixes for these issues. August 2023 IR released today already contains the fix.
August 2023 Initial Release
May 2023 Patch 4
February 2023 Patch 8
November 2022 Patch 11
August 2022 Patch 13
This issue only impacts Qlik Sense Enterprise for Windows. Other Qlik products including Qlik Cloud and QlikView are NOT impacted.
No mitigation can be provided. An upgrade should be performed at the earliest. As per Qlik's best practices, the proxy should not be exposed to the public internet, which reduces the attack surface significantly.
What authentication methods are affected?
All authentication methods are affected.
Are environments with HTTP disabled impacted?
Environments will be affected regardless if HTTP or HTTPS are in use. These vulnerabilities affect the HTTP protocol overall, meaning even if HTTP is disabled, the environment remains vulnerable.
These attacks don’t rely on intercepting any communication, and therefore, are indifferent whether the HTTP communication is encrypted or not.
@Sonja_Bauernfeind : Thank you for the insight. Our security server scan tools are still listing the Qlik servers as vulnerable. Are there any other technical details from the installed version that we can present to Security teams to show that HTTP Tunneling vulnerability in Qlik Sense Enterprise for Windows has been addressed.
Automated translation: Les correctifs répertoriés dans Correctifs de sécurité critiques pour Qlik Sense Enterprise pour Windows (CVE-2023-48365) corrigent CVE-2023-41266, CVE-2023-41265 et CVE-2023-48365. Le patch 6 de mai 2023 est le patch que vous utilisez déjà, vous êtes donc couvert pour les trois vulnérabilités.
Security Vulnerability Assessment for PostgreSQL (CVE-2024-7348).
Could you please check if we are vulnerable to the PostgreSQL issue detailed in the links below? If we are, kindly provide the necessary actions we need to take and specify which servers are affected. Qlik Sense in using 14.8 by installation, and the fix is in version 14.13.
PostgreSQL Security Advisory
EnterpriseDB Security Assessment
Thank you for your prompt attention to this matter.
@JacovCohenQ - I think the advice would generally be to decouple your Postgres install from your Qlik Sense one - especially if you are needing to keep up with the latest Postgres security patches. Qlik do bundle the installer and also provide a separate Qlik Postgres installer, but for full control & the latest updates you're going to get a better result from managing it separately (just make sure it's a supported version).
Obviously Qlik should upgrade the version of Postgres in use - although they're most likely to do that in a major release rather than security patch due to the potential complexities involved.
As you mention above "Qlik do bundle the installer and also provide a separate Qlik Postgres installer".
we expect to get QPI for this update (14.13), rather than to update all our customer's Postgres manually (1000+), furthermore, upgrade those Postgres may lead to unsupported environment, regarding to Qlik documents.
Please advise how we can proceed ?
Note that we've some concerned customers who expecting to get quick resolution for - Security Vulnerability Assessment for PostgreSQL (CVE-2024-7348).
Managing it fully outside Qlik's installers will always give more control but also always include more work. Even QPI can require some manual steps as it has some unsupported setups (non-default install locations) - but at least it supports silent install now.
As for compatibility with Qlik Sense, as long as you stay on 14.x not going to later versions, this is listed as supported.
