Do not input private or sensitive data. View Qlik Privacy & Cookie Policy.
Skip to main content

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements
Maximize ROI with Qlik Professional Services – Expert Guidance, Faster Results: Explore Qlik Services
Sonja_Bauernfeind
Digital Support
Digital Support
‎2024-05-15 05:14 AM

Qlik Sense Enterprise for Windows - New Security Patches Available Now

Edited 20th of May 2024: Added recently assigned CVE number.
Edited 22nd of May 2024: Added to the Frequently Asked Questions.

 

Hello Qlik Users,

A security issue in Qlik Sense Enterprise for Windows has been identified, and patches have been made available. Details can be found in Security Bulletin High Severity Security fixes for Qlik Sense Enterprise for Windows (CVE-2024-36077).

Today, we have released eight service releases across the latest versions of Qlik Sense to patch the reported issue. All versions of Qlik Sense Enterprise for Windows prior to and including these releases are impacted:

  • February 2024 Patch 3 
  • November 2023 Patch 8 
  • August 2023 Patch 13 
  • May 2023 Patch 15 
  • February 2023 Patch 13 
  • November 2022 Patch 13 
  • August 2022 Patch 16 
  • May 2022 Patch 17

 

No workarounds can be provided. Customers should upgrade Qlik Sense Enterprise for Windows to a version containing fixes for these issues. May 2024 IR, released on the 14th of May, contains the fix as well

  • May 2024 Initial Release 
  • February 2024 Patch 4 
  • November 2023 Patch 9 
  • August 2023 Patch 14 
  • May 2023 Patch 16 
  • February 2023 Patch 14 
  • November 2022 Patch 14 
  • August 2022 Patch 17 
  • May 2022 Patch 18 
This issue only impacts Qlik Sense Enterprise for Windows. Other Qlik products including Qlik Cloud and QlikView are NOT impacted.

All Qlik software can be downloaded from our official Qlik Download page (customer login required). Follow best practices when upgrading Qlik Sense.

The information in this post and Security Bulletin High Severity Security fixes for Qlik Sense Enterprise for Windows (CVE-2024-36077) are disclosed in accordance with our published Security and Vulnerability Policy.

 

Frequently Asked Questions

Q: What steps can be used to reproduce the vulnerability?
A: Qlik will not be providing steps on how to reproduce this test case.

Q: What authentication method is affected?
A: Qlik strongly recommends moving to a patched version as per the bulletin, regardless of the authentication method used.

Q: Will Qlik Sense February 2022 or earlier be patched?
A: See the Qlik Sense Enterprise on Windows Product Lifecycle (link) for information on what versions of Qlik Sense have reached End of Service (EOS). Versions which have reached EOS will not receive patches and Qlik strongly recommends moving to an up to date release.

 

The Security Notice label is used to notify customers about security patches and upgrades that require a customer’s action. Please subscribe to the ‘Security Notice’ label to be notified of future updates. 

 

Thank you for choosing Qlik,

Qlik Global Support

22,646 Views
38 Comments
Olivier_Pierret
Contributor II
Contributor II
‎2024-05-16 03:50 AM

Bonjour @Sonja_Bauernfeind 

nous travaillons sur la version mai 2023 patch 6.
Devons-nous installer cette mise à jour ?

D'avance, je vous remercie.

Olivier

2,604 Views
karthiksrqv
Partner - Creator II
Partner - Creator II
‎2024-05-16 11:24 AM

Hi @Sonja_Bauernfeind ,

Please let us know when we can expect steps to reproduce and check if our instances are compromised.

 

2,501 Views
aadil_madarveet
Partner - Creator II
Partner - Creator II
‎2024-05-16 11:35 AM

Can you please outline the below.

1. Which authentication methods are impacted?

2. How can we reproduce this issue?

2,472 Views
Senor_Dai
Partner - Creator II
Partner - Creator II
‎2024-05-16 11:40 AM

Hi @Sonja_Bauernfeind ,

 

We are running QlikSense November 2023 (14.159.4) Patch 9 - are we ok with this version?

 

Many thanks

2,457 Views
David_Friend
Support
Support
‎2024-05-16 11:43 AM

@Senor_Dai yes that patch is listed as being OK

2,438 Views
Senor_Dai
Partner - Creator II
Partner - Creator II
‎2024-05-16 11:46 AM

Thanks so much @David_Friend !

2,419 Views
Senor_Dai
Partner - Creator II
Partner - Creator II
‎2024-05-16 11:56 AM

HI again @David_Friend one of our installations is running Aug 22 Initial Release... We are going to bring it upto May 24 after some incremental testing as there are some complexities in the applictation.  Whats the earliest version/patch we can upgrade to to alleviate any risks?

Thanks again

 

Dai

 

 

Edit - have just read that Aug 22 patch 17 is listed as a fix 

2,374 Views
cobble2
Contributor
Contributor
‎2024-05-16 12:17 PM

Is November 2023 patch 2 considered safe?

2,283 Views
Jack_Guo
Support
Support
‎2024-05-16 07:40 PM

Hi @cobble2  as mentioned in this post, please update to November 2023 Patch 9

2,194 Views
Valstar
Contributor II
Contributor II
‎2024-05-17 06:51 AM

I'm having a big issue, please help. I'm doing the update from AUG 2023 patch 4 to AUG 2023 patch 14 (which contains the security fix).

Result: HUB/QMC still working, but embedded iframes through JWT doesnt work anymore.

After uninstalling the new patch (14), and re-installing my old patch (4), it is working again.

Please advise how can I do the security update without breaking the above

2,085 Views
Subscribe by Topic