Skip to main content
Announcements
Save $600 on Qlik Connect registration! Sign up by Dec. 6 to get an extra $100 off with code CYBERSAVE: REGISTER
Sonja_Bauernfeind
Digital Support
Digital Support

Edited 20th of May 2024: Added recently assigned CVE number.
Edited 22nd of May 2024: Added to the Frequently Asked Questions.

 

Hello Qlik Users,

A security issue in Qlik Sense Enterprise for Windows has been identified, and patches have been made available. Details can be found in Security Bulletin High Severity Security fixes for Qlik Sense Enterprise for Windows (CVE-2024-36077).

Today, we have released eight service releases across the latest versions of Qlik Sense to patch the reported issue. All versions of Qlik Sense Enterprise for Windows prior to and including these releases are impacted:

  • February 2024 Patch 3 
  • November 2023 Patch 8 
  • August 2023 Patch 13 
  • May 2023 Patch 15 
  • February 2023 Patch 13 
  • November 2022 Patch 13 
  • August 2022 Patch 16 
  • May 2022 Patch 17

 

No workarounds can be provided. Customers should upgrade Qlik Sense Enterprise for Windows to a version containing fixes for these issues. May 2024 IR, released on the 14th of May, contains the fix as well

  • May 2024 Initial Release 
  • February 2024 Patch 4 
  • November 2023 Patch 9 
  • August 2023 Patch 14 
  • May 2023 Patch 16 
  • February 2023 Patch 14 
  • November 2022 Patch 14 
  • August 2022 Patch 17 
  • May 2022 Patch 18 
This issue only impacts Qlik Sense Enterprise for Windows. Other Qlik products including Qlik Cloud and QlikView are NOT impacted.

All Qlik software can be downloaded from our official Qlik Download page (customer login required). Follow best practices when upgrading Qlik Sense.

The information in this post and Security Bulletin High Severity Security fixes for Qlik Sense Enterprise for Windows (CVE-2024-36077) are disclosed in accordance with our published Security and Vulnerability Policy.

 

Frequently Asked Questions

Q: What steps can be used to reproduce the vulnerability?
A: Qlik will not be providing steps on how to reproduce this test case.

Q: What authentication method is affected?
A: Qlik strongly recommends moving to a patched version as per the bulletin, regardless of the authentication method used.

Q: Will Qlik Sense February 2022 or earlier be patched?
A: See the Qlik Sense Enterprise on Windows Product Lifecycle (link) for information on what versions of Qlik Sense have reached End of Service (EOS). Versions which have reached EOS will not receive patches and Qlik strongly recommends moving to an up to date release.

 

The Security Notice label is used to notify customers about security patches and upgrades that require a customer’s action. Please subscribe to the ‘Security Notice’ label to be notified of future updates. 

 

Thank you for choosing Qlik,

Qlik Global Support

36 Comments
CJ_Bauder
Partner - Contributor III
Partner - Contributor III

Thank you Sonja!

7,994 Views
jseipel
Contributor
Contributor

@Sonja_Bauernfeind can you provide any additional detail around "Privilege escalation for authenticated/anonymous user". 

Is this a blanket issue for all authentication methods?

Is there any known way to detect the event occurring, other than unexpected mayhem in the environment?

7,870 Views
Sonja_Bauernfeind
Digital Support
Digital Support

@CJ_Bauder Anytime!

@jseipel Allow me to forward this question to our experts.

All the best,
Sonja 

7,808 Views
hzangarini
Contributor
Contributor

Hi 

Just noticed that this issue is not described at May 2023 Patch 16 release notes.

Regards

7,679 Views
sri_c003
Partner - Creator II
Partner - Creator II

Is there any possibility to release a patch to address this for Qlik Feb 2022.

7,639 Views
sri_c003
Partner - Creator II
Partner - Creator II

@Sonja_Bauernfeind Could you please help us with the steps to reproduce the issue so we can validate both the issue and the the patch.

7,618 Views
RaviGinqo
Partner - Contributor II
Partner - Contributor II

HI @Sonja_Bauernfeind 

Thank you for Sharing this, Would you be able to share steps which can be used to identify if the system is already compromised or not? This is very important to define whether the system was already infected before patching and other steps are needed or not. Can that be shared with partners confidentially at least ?  Appreciate your help on this.

Ravi

7,560 Views
PWJ67
Contributor II
Contributor II

Hello. 

 I tried the update but it crashed. Herewith the latest line from the log file :

5/05/2024 17:03:26 - Assessing service restore states
15/05/2024 17:03:26 - Assessing service restore state for QlikSenseServiceDispatcher
15/05/2024 17:03:26 - Restore state for Service is started: True
15/05/2024 17:03:26 - Assessing service restore state for QlikSenseRepositoryService
15/05/2024 17:03:26 - Restore state for Service is started: False
15/05/2024 17:03:26 - Assessing service restore state for QlikSenseEngineService
15/05/2024 17:03:26 - Restore state for Service is started: False
15/05/2024 17:03:26 - Assessing service restore state for QlikSenseProxyService
15/05/2024 17:03:26 - Restore state for Service is started: False
15/05/2024 17:03:26 - Assessing service restore state for QlikSensePrintingService
15/05/2024 17:03:26 - Restore state for Service is started: False
15/05/2024 17:03:26 - Assessing service restore state for QlikSenseSchedulerService
15/05/2024 17:03:26 - Restore state for Service is started: False
15/05/2024 17:03:26 - Assessing service restore state for QlikSenseRepositoryDatabase
15/05/2024 17:03:26 - Restore state for Service is started: False
15/05/2024 17:03:26 - Process id: 5896, Process name: QlikSenseServiceDispatcher
15/05/2024 17:03:26 - Process id: 0, Process name: QlikSenseRepositoryService
15/05/2024 17:03:26 - Process id: 0, Process name: QlikSenseEngineService
15/05/2024 17:03:26 - Process id: 0, Process name: QlikSenseProxyService
15/05/2024 17:03:26 - Process id: 0, Process name: QlikSensePrintingService
15/05/2024 17:03:26 - Process id: 0, Process name: QlikSenseSchedulerService
15/05/2024 17:03:26 - Stopping Service: QlikSenseServiceDispatcher.
15/05/2024 17:03:27 - QlikSenseServiceDispatcher was stopped
15/05/2024 17:03:27 - Dry run uninstall
15/05/2024 17:03:33 - Error! Validation of: C:\Program Files\Qlik\Sense\\Engine\Engine.exe failed: Le processus ne peut pas accéder au fichier 'C:\Program Files\Qlik\Sense\Engine\Engine.exe', car il est en cours d'utilisation par un autre processus.
15/05/2024 17:03:33 - Checking if file C:\Program Files\Qlik\Sense\\Engine\Engine.exe is locked...
15/05/2024 17:03:33 - Dry run uninstall done
15/05/2024 17:03:33 - Update failed
15/05/2024 17:03:33 - One or more of the files affected by the patch could not be changed. The following application(s) may be locking the files: Engine.
15/05/2024 17:03:33 - Exit code: -1

============================

When I try the update again I have the popup 

"It is not possible to upgrade a rim node using Synchronized persistence. Please uninstall the existing version before installing this package."

 

Seems that I will have to uninstall/reinstall ... is there an other choice ?

 

 

7,447 Views
jeremyseipel
Partner - Contributor III
Partner - Contributor III

@PWJ67 What version were you upgrading from and what version where you going to?  Were you installing just a patch, or a full version upgrade?

7,337 Views
PWJ67
Contributor II
Contributor II

Hi @jeremyseipel 

The version given by Windows was 14.139.4. It was August 2023 + August Patch 14

I've just successed to resolde my problem. 

If someone has the same problem, here you have what I've did :

  1. The patch could not be removed with windows control panel (old version of "Programs and Features"), so I've removed the folder after saving it as explain here : https://community.qlik.com/t5/Official-Support-Articles/Unable-to-uninstall-Qlik-Sense-Patches/ta-p/... 
  2. Reboot computer
  3. After reboot, the Qlik Repair option could be launched and succeeded (using Windows "new" version of "Programs and Features")
  4. Reboot again after Repair
  5. Uninstall Qlik Sense (without activating the check boxes. If you do so, you will erase your work)
  6. Reboot
  7. Install the Mai 2024 complete installation ==> option "connect to a cluster"
  8. Qlik is then Ok and I've lost nothing (apps, config, connexion)

 

6,940 Views