Today, we have released eight service releases across the latest versions of Qlik Sense to patch the reported issue. All versions of Qlik Sense Enterprise for Windows prior to and including these releases are impacted:
February 2024 Patch 3
November 2023 Patch 8
August 2023 Patch 13
May 2023 Patch 15
February 2023 Patch 13
November 2022 Patch 13
August 2022 Patch 16
May 2022 Patch 17
No workarounds can be provided. Customers should upgrade Qlik Sense Enterprise for Windows to a version containing fixes for these issues. May 2024 IR, released on the 14th of May, contains the fix as well.
May 2024 Initial Release
February 2024 Patch 4
November 2023 Patch 9
August 2023 Patch 14
May 2023 Patch 16
February 2023 Patch 14
November 2022 Patch 14
August 2022 Patch 17
May 2022 Patch 18
This issue only impacts Qlik Sense Enterprise for Windows. Other Qlik products including Qlik Cloud and QlikView are NOT impacted.
Q: What steps can be used to reproduce the vulnerability? A: Qlik will not be providing steps on how to reproduce this test case.
Q: What authentication method is affected? A:Qlik strongly recommends moving to a patched version as per the bulletin, regardless of the authentication method used.
Q: Will Qlik Sense February 2022 or earlier be patched? A: See the Qlik Sense Enterprise on Windows Product Lifecycle (link) for information on what versions of Qlik Sense have reached End of Service (EOS). Versions which have reached EOS will not receive patches and Qlik strongly recommends moving to an up to date release.
The Security Notice label is used to notify customers about security patches and upgrades that require a customer’s action. Please subscribe to the ‘Security Notice’ label to be notified of future updates.
Qlik will not be providing steps on how to reproduce this test case. Qlik strongly recommends moving to a patched version as per the bulletin, regardless of the authentication method used.
@sri_c003 Qlik February 2022 has reached the end of support. I have reached out for details though.
@Sonja_Bauernfeind I understand Feb 2022 is out of support, and that is okay.
The effort to patch all our deployments (in 100s) is a huge time consuming effort. Hence the request on authentication methods that are impacted and any guideline on testing to see if this impacts us.
Hello, @karthikbhi A CVE was assigned and I have updated the bulletin and blog post.
Hello, @sri_c003 Qlik highly recommends upgrading regardless of the authentication method used. If you need a more direct dialogue with someone at Qlik regarding this, please reach out to your Partner Manager.
Hi @Sonja_Bauernfeind, Thank you for sharing the update, we have upgraded our Qlik Sense Enterprise on Windows to August 2023 Patch 14 from Patch 5 in accordance with the recommendation but post patching business users have reported that one of the descriptive field value is getting truncated to 255 character only. This is observed in a Databricks Data source connection created using Qlik Databricks QvODBCConnectorPackage. Same is not observed we create the Data connection using ODBC DSN (creating a DSN on server using Simba Spark ODBC driver and create a ODBC connection in Qlik using that System DSN). Please advise
@dusingh-cRather than commenting with an upgrade challenge in the support blog, please post about the issue you are facing in the correct forum. In this case, you'd want the Data Connectivity and Prep forum.
@Sonja_Bauernfeind it does help myself and others hearing about the problems people are facing with specific versions of qlik, especially when it's a required/forced upgrade.
I think the actual troubleshooting effort should occur outside of this thread to keep it on track and focused on vulnerability-related questions, but I find comments like theirs valuable. Now I just need to know if they experience the same when they upgrade their other environment since that would give me a better idea if it's a one-off issue or something we can expect from other clients since it can be replicated.
