Skip to main content
Announcements
Save $600 on Qlik Connect registration! Sign up by Dec. 6 to get an extra $100 off with code CYBERSAVE: REGISTER
Sonja_Bauernfeind
Digital Support
Digital Support

Edited 20th of May 2024: Added recently assigned CVE number.
Edited 22nd of May 2024: Added to the Frequently Asked Questions.

 

Hello Qlik Users,

A security issue in Qlik Sense Enterprise for Windows has been identified, and patches have been made available. Details can be found in Security Bulletin High Severity Security fixes for Qlik Sense Enterprise for Windows (CVE-2024-36077).

Today, we have released eight service releases across the latest versions of Qlik Sense to patch the reported issue. All versions of Qlik Sense Enterprise for Windows prior to and including these releases are impacted:

  • February 2024 Patch 3 
  • November 2023 Patch 8 
  • August 2023 Patch 13 
  • May 2023 Patch 15 
  • February 2023 Patch 13 
  • November 2022 Patch 13 
  • August 2022 Patch 16 
  • May 2022 Patch 17

 

No workarounds can be provided. Customers should upgrade Qlik Sense Enterprise for Windows to a version containing fixes for these issues. May 2024 IR, released on the 14th of May, contains the fix as well

  • May 2024 Initial Release 
  • February 2024 Patch 4 
  • November 2023 Patch 9 
  • August 2023 Patch 14 
  • May 2023 Patch 16 
  • February 2023 Patch 14 
  • November 2022 Patch 14 
  • August 2022 Patch 17 
  • May 2022 Patch 18 
This issue only impacts Qlik Sense Enterprise for Windows. Other Qlik products including Qlik Cloud and QlikView are NOT impacted.

All Qlik software can be downloaded from our official Qlik Download page (customer login required). Follow best practices when upgrading Qlik Sense.

The information in this post and Security Bulletin High Severity Security fixes for Qlik Sense Enterprise for Windows (CVE-2024-36077) are disclosed in accordance with our published Security and Vulnerability Policy.

 

Frequently Asked Questions

Q: What steps can be used to reproduce the vulnerability?
A: Qlik will not be providing steps on how to reproduce this test case.

Q: What authentication method is affected?
A: Qlik strongly recommends moving to a patched version as per the bulletin, regardless of the authentication method used.

Q: Will Qlik Sense February 2022 or earlier be patched?
A: See the Qlik Sense Enterprise on Windows Product Lifecycle (link) for information on what versions of Qlik Sense have reached End of Service (EOS). Versions which have reached EOS will not receive patches and Qlik strongly recommends moving to an up to date release.

 

The Security Notice label is used to notify customers about security patches and upgrades that require a customer’s action. Please subscribe to the ‘Security Notice’ label to be notified of future updates. 

 

Thank you for choosing Qlik,

Qlik Global Support

36 Comments
David_Friend
Support
Support

@Valstar instead of commenting on a post in the support blog, it would be best to start a new post over in the QlikSense forums: https://community.qlik.com/t5/Deployment-Management/bd-p/qlik-sense-deployment

1,526 Views
Sonja_Bauernfeind
Digital Support
Digital Support

@jseipel @sri_c003 @RaviGinqo @aadil_madarveet Regarding the authentication methods used and information on how to verify/reproduce this case: 

Qlik will not be providing steps on how to reproduce this test case. Qlik strongly recommends moving to a patched version as per the bulletin, regardless of the authentication method used.

@sri_c003 Qlik February 2022 has reached the end of support. I have reached out for details though.

All the best,
Sonja

1,466 Views
karthikbhi
Partner - Contributor II
Partner - Contributor II

Is the CVE number assigned for this yet ?

1,424 Views
Sonja_Bauernfeind
Digital Support
Digital Support

@karthikbhi Not yet! I will update the bulletin and blog as soon as we have one.

All the best,
Sonja 

1,391 Views
sri_c003
Partner - Creator II
Partner - Creator II

@Sonja_Bauernfeind I understand Feb 2022 is out of support, and that is okay.

The effort to patch all our deployments (in 100s) is a huge time consuming effort. Hence the request on authentication methods that are impacted and any guideline on testing to see if this impacts us.

1,361 Views
Sonja_Bauernfeind
Digital Support
Digital Support

Hello, @karthikbhi A CVE was assigned and I have updated the bulletin and blog post.

Hello, @sri_c003 Qlik highly recommends upgrading regardless of the authentication method used. If you need a more direct dialogue with someone at Qlik regarding this, please reach out to your Partner Manager.

All the best,
Sonja 

1,257 Views
Thushar_Balusu
Contributor
Contributor

        

1,156 Views
dusingh-c
Contributor II
Contributor II

Hi @Sonja_Bauernfeind,
Thank you for sharing the update, we have upgraded our Qlik Sense Enterprise on Windows to August 2023 Patch 14 from Patch 5 in accordance with the recommendation but post patching business users have reported that one of the descriptive field value is getting truncated to 255 character only. This is observed in a Databricks Data source connection created using Qlik Databricks QvODBCConnectorPackage. Same is not observed we create the Data connection using ODBC DSN (creating a DSN on server using Simba Spark ODBC driver and create a ODBC connection in Qlik using that System DSN). Please advise

Thanks & Regards,
Durgesh Singh

0 Likes
904 Views
Sonja_Bauernfeind
Digital Support
Digital Support

@dusingh-c Rather than commenting with an upgrade challenge in the support blog, please post about the issue you are facing in the correct forum. In this case, you'd want the Data Connectivity and Prep forum. 

All the best,
Sonja

0 Likes
870 Views
jeremyseipel
Partner - Contributor III
Partner - Contributor III

@Sonja_Bauernfeind  it does help myself and others hearing about the problems people are facing with specific versions of qlik, especially when it's a required/forced upgrade. 

 

I think the actual troubleshooting effort should occur outside of this thread to keep it on track and focused on vulnerability-related questions, but I find comments like theirs valuable.  Now I just need to know if they experience the same when they upgrade their other environment since that would give me a better idea if it's a one-off issue or something we can expect from other clients since it can be replicated.

833 Views