Sonja_Bauernfeind
Digital Support
Edited 20th of May 2024: Added recently assigned CVE number.
Edited 22nd of May 2024: Added to the Frequently Asked Questions.

Hello Qlik Users,

A security issue in Qlik Sense Enterprise for Windows has been identified, and patches have been made available. Details can be found in the Security Bulletin "High Severity Security fixes for Qlik Sense Enterprise for Windows (CVE-2024-36077)".

Today, we have released eight service releases across the latest versions of Qlik Sense to patch the reported issue. All versions of Qlik Sense Enterprise for Windows prior to and including these releases are impacted:

  • February 2024 Patch 3 
  • November 2023 Patch 8 
  • August 2023 Patch 13 
  • May 2023 Patch 15 
  • February 2023 Patch 13 
  • November 2022 Patch 13 
  • August 2022 Patch 16 
  • May 2022 Patch 17

No workarounds can be provided. Customers should upgrade Qlik Sense Enterprise for Windows to a version containing the fix. May 2024 IR, released on the 14th of May, contains the fix as well:

  • May 2024 Initial Release 
  • February 2024 Patch 4 
  • November 2023 Patch 9 
  • August 2023 Patch 14 
  • May 2023 Patch 16 
  • February 2023 Patch 14 
  • November 2022 Patch 14 
  • August 2022 Patch 17 
  • May 2022 Patch 18

This issue only impacts Qlik Sense Enterprise for Windows. Other Qlik products including Qlik Cloud and QlikView are NOT impacted.
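As an added example (not Qlik's code), the following Python script encodes the fixed-release list above so that an inventory of Qlik Sense Enterprise for Windows servers can be triaged before an upgrade round; release names are parsed from the "<Month> <Year> Patch <N>" / "Initial Release" naming used in this notice, the hostnames are placeholders, and treating any release newer than May 2024 IR as fixed is an assumption.

```python
import re

MONTHS = {"February": 2, "May": 5, "August": 8, "November": 11}  # Qlik Sense release months
# First release per branch that contains the fix, copied from the notice.
# Key: (year, month); value: patch level, with Initial Release counted as 0.
FIXED = {
    (2024, 5): 0, (2024, 2): 4, (2023, 11): 9, (2023, 8): 14, (2023, 5): 16,
    (2023, 2): 14, (2022, 11): 14, (2022, 8): 17, (2022, 5): 18,
}

_RELEASE_RE = re.compile(
    r"^\s*(?P<month>[A-Za-z]+)\s+(?P<year>\d{4})"
    r"(?:\s+(?:Patch\s+(?P<patch>\d+)|Initial\s+Release|IR))?\s*$", re.IGNORECASE)


def parse_release(name):
    """Parse 'August 2023 Patch 13' or 'May 2024 Initial Release' into
    (year, month, patch). A bare 'May 2024' is treated as the Initial Release."""
    m = _RELEASE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised release name: {name!r}")
    month = MONTHS.get(m.group("month").capitalize())
    if month is None:
        raise ValueError(f"not a Qlik Sense release month: {name!r}")
    patch = int(m.group("patch")) if m.group("patch") else 0
    return int(m.group("year")), month, patch


def assess(name):
    """Return 'fixed', 'vulnerable' or 'eos' for one installed release."""
    year, month, patch = parse_release(name)
    branch = (year, month)
    if branch > max(FIXED):
        return "fixed"   # assumption: releases after May 2024 IR carry the fix
    if branch not in FIXED:
        return "eos"     # February 2022 or earlier: End of Service, no patch coming
    return "fixed" if patch >= FIXED[branch] else "vulnerable"


def triage(inventory):
    """Group (hostname, release) pairs by status to drive an upgrade plan."""
    groups = {"fixed": [], "vulnerable": [], "eos": []}
    for host, release in inventory:
        groups[assess(release)].append(host)
    return groups


# Constructed sample inventory; hostnames are placeholders, not real systems.
SAMPLE_INVENTORY = [
    ("qs-prod-01", "August 2023 Patch 14"), ("qs-prod-02", "August 2023 Patch 5"),
    ("qs-dev-01", "February 2024 Patch 3"), ("qs-legacy-01", "February 2022 Patch 12"),
]
```

Feed `triage()` the real server list exported from your deployment inventory; anything in the "eos" group needs a branch upgrade rather than a patch.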

All Qlik software can be downloaded from our official Qlik Download page (customer login required). Follow best practices when upgrading Qlik Sense.

The information in this post and in the Security Bulletin "High Severity Security fixes for Qlik Sense Enterprise for Windows (CVE-2024-36077)" is disclosed in accordance with our published Security and Vulnerability Policy.

Frequently Asked Questions

Q: What steps can be used to reproduce the vulnerability?
A: Qlik will not be providing steps on how to reproduce this test case.

Q: What authentication method is affected?
A: Qlik strongly recommends moving to a patched version as per the bulletin, regardless of the authentication method used.

Q: Will Qlik Sense February 2022 or earlier be patched?
A: See the Qlik Sense Enterprise on Windows Product Lifecycle (link) for information on which versions of Qlik Sense have reached End of Service (EOS). Versions which have reached EOS will not receive patches, and Qlik strongly recommends moving to an up-to-date release.

The Security Notice label is used to notify customers about security patches and upgrades that require a customer’s action. Please subscribe to the ‘Security Notice’ label to be notified of future updates. 

Thank you for choosing Qlik,

Qlik Global Support

36 Comments
David_Friend
Support

@Valstar instead of commenting on a post in the support blog, it would be best to start a new post over in the QlikSense forums: https://community.qlik.com/t5/Deployment-Management/bd-p/qlik-sense-deployment

Sonja_Bauernfeind
Digital Support

@jseipel @sri_c003 @RaviGinqo @aadil_madarveet Regarding the authentication methods used and information on how to verify/reproduce this case: 

Qlik will not be providing steps on how to reproduce this test case. Qlik strongly recommends moving to a patched version as per the bulletin, regardless of the authentication method used.

@sri_c003 Qlik February 2022 has reached the end of support. I have reached out for details though.

All the best,
Sonja

karthikbhi
Partner - Contributor II

Is the CVE number assigned for this yet?

Sonja_Bauernfeind
Digital Support

@karthikbhi Not yet! I will update the bulletin and blog as soon as we have one.

All the best,
Sonja 

sri_c003
Partner - Creator II

@Sonja_Bauernfeind I understand Feb 2022 is out of support, and that is okay.

The effort to patch all our deployments (in the 100s) is a huge, time-consuming effort. Hence the request on authentication methods that are impacted and any guideline on testing to see if this impacts us.

Sonja_Bauernfeind
Digital Support

Hello, @karthikbhi A CVE was assigned and I have updated the bulletin and blog post.

Hello, @sri_c003 Qlik highly recommends upgrading regardless of the authentication method used. If you need a more direct dialogue with someone at Qlik regarding this, please reach out to your Partner Manager.

All the best,
Sonja 

dusingh-c
Contributor II

Hi @Sonja_Bauernfeind,
Thank you for sharing the update. We have upgraded our Qlik Sense Enterprise on Windows to August 2023 Patch 14 from Patch 5 in accordance with the recommendation, but post patching business users have reported that one of the descriptive field values is getting truncated to 255 characters only. This is observed in a Databricks data source connection created using the Qlik Databricks QvODBCConnectorPackage. The same is not observed when we create the data connection using an ODBC DSN (creating a DSN on the server using the Simba Spark ODBC driver and creating an ODBC connection in Qlik using that System DSN). Please advise.

Thanks & Regards,
Durgesh Singh

Sonja_Bauernfeind
Digital Support

@dusingh-c Rather than commenting with an upgrade challenge in the support blog, please post about the issue you are facing in the correct forum. In this case, you'd want the Data Connectivity and Prep forum. 

All the best,
Sonja

jeremyseipel
Partner - Contributor III

@Sonja_Bauernfeind it does help me and others to hear about the problems people are facing with specific versions of Qlik, especially when it's a required/forced upgrade.

I think the actual troubleshooting effort should occur outside of this thread to keep it on track and focused on vulnerability-related questions, but I find comments like theirs valuable.  Now I just need to know if they experience the same when they upgrade their other environment since that would give me a better idea if it's a one-off issue or something we can expect from other clients since it can be replicated.
