Skip to main content
Woohoo! Qlik Community has won “Best in Class Community” in the 2024 Khoros Kudos awards!
Announcements
Nov. 20th, Qlik Insider - Lakehouses: Driving the Future of Data & AI - PICK A SESSION
Sonja_Bauernfeind
Digital Support
Digital Support

Edited August 30th, 15:55 CET: Added clarification on older Qlik Sense Enterprise on Windows versions
Edited August 31st, 13:10 CET: Added clarification on possible workarounds (none exist) as well as information regarding what authentication methods (all) are affected and that HTTP and HTTPS are impacted
Edited November 21st, 8:40 CET: Added clarification to apply the latest patches

Hello Qlik Users,

Two security issues in Qlik Sense Enterprise for Windows have been identified and patches made available. Details can be found in Security Bulletin Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-41266, CVE-2023-41265).

This announcement from August 2023 and the mentioned releases only cover CVE-2023-41266 and CVE-2023-41265. Apply the most recent patches as documented in Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-48365) (September 2023), which resolve CVE-2023-48365 as well.

Today, we have released five service releases across the latest versions of Qlik Sense to patch the reported issues. All versions of Qlik Sense Enterprise for Windows prior to and including these releases are impacted:

  • May 2023 Patch 3
  • February 2023 Patch 7
  • November 2022 Patch 10
  • August 2022 Patch 12

All prior versions of Qlik Sense Enterprise on Windows are affected, including releases such as May 2022, February 2022, and earlier. While no patches are currently listed for these versions, Qlik is actively investigating the possibility of patching older releases. 

No workarounds can be provided. Customers should upgrade Qlik Sense Enterprise for Windows to a version containing fixes for these issues. August 2023 IR released today already contains the fix

  • August 2023 Initial Release
  • May 2023 Patch 4
  • February 2023 Patch 8
  • November 2022 Patch 11
  • August 2022 Patch 13
This issue only impacts Qlik Sense Enterprise for Windows. Other Qlik products including Qlik Cloud and QlikView are NOT impacted.

All Qlik software can be downloaded from our official Qlik Download page (customer login required). Follow best practices when upgrading Qlik Sense.

The information in this post and Security Bulletin Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-41266, CVE-2023-41265) are disclosed in accordance with our published Security and Vulnerability Policy.

 

Clarifications and Frequently Asked Questions:

What can be done to mitigate the issue?

No mitigation can be provided. An upgrade should be performed at the earliest. As per Qlik's best practices, the proxy should not be exposed to the public internet, which reduces the attack surface significantly.

What authentication methods are affected?

All authentication methods are affected.

Are environments with HTTP disabled impacted?

Environments will be affected regardless if HTTP or HTTPS are in use. These vulnerabilities affect the HTTP protocol overall, meaning even if HTTP is disabled, the environment remains vulnerable.

These attacks don’t rely on intercepting any communication, and therefore, are indifferent whether the HTTP communication is encrypted or not.

Kind regards, and thank you for choosing Qlik,

Qlik Global Support

61 Comments
RajaDumpa
Contributor III
Contributor III

@Sonja_Bauernfeind : Thank you for the insight. Our security server scan tools are still listing the Qlik servers as vulnerable. Are there any other technical details from the installed version that we can present to Security teams to show that HTTP Tunneling vulnerability in Qlik Sense Enterprise for Windows has been addressed. 

1,346 Views
Olivier_Pierret
Contributor
Contributor

Bonjour, 

nous travaillons sur la version mai 2023 patch 6.
Devons-nous installer cette mise à jour ?

D'avance, je vous remercie.

Olivier

1,302 Views
Sonja_Bauernfeind
Digital Support
Digital Support

Hello @RajaDumpa 

This vulnerability is addressed by the respective patches. The vulnerability will no longer affect your server. Provide your customer with the security bulletin Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-48365), as it lists everything they need to know.

If your security scan shows vulnerabilities regardless, please follow Qlik Security Vulnerability Policy to report it.

@Olivier_Pierret The patches listed in Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-48365) fix CVE-2023-41266, CVE-2023-41265, and CVE-2023-48365. May 2023 Patch 6 is the patch you are already on, so you are covered for all three vulnerabilities. 

Automated translation: Les correctifs répertoriés dans Correctifs de sécurité critiques pour Qlik Sense Enterprise pour Windows (CVE-2023-48365) corrigent CVE-2023-41266, CVE-2023-41265 et CVE-2023-48365. Le patch 6 de mai 2023 est le patch que vous utilisez déjà, vous êtes donc couvert pour les trois vulnérabilités.

All the best,
Sonja 

 

 

1,263 Views
andresalcocer
Contributor
Contributor

Hi,

Please!. Do u know if this vulnerabilities (CVE-2023-41266, CVE-2023-41265, CVE-2023-48365) affect to 

Qlik Sense Desktop V.13.21.1

Qlik View x64 V11.20.13607.0

Qlik View x86 V11.20.11643.0

and

Qlik View Server V 12.20.20700.0?

 

i can't get more information about it.

1,094 Views
Sonja_Bauernfeind
Digital Support
Digital Support

Hello @andresalcocer 

As mentioned in the blog post:

This issue only impacts Qlik Sense Enterprise for Windows. Other Qlik products including Qlik Cloud and QlikView are NOT impacted.

As for Qlik Sense Desktop, please allow me some time to look into that for you.

All the best,
Sonja 

1,064 Views
andresalcocer
Contributor
Contributor

hello @Sonja_Bauernfeind 

 

Do u have already the information about my question ?

 

Do u know if this vulnerabilities (CVE-2023-41266, CVE-2023-41265, CVE-2023-48365) affect to Qlik Sense Desktop V.13.21.1 ?

0 Likes
988 Views
JacovCohenQ
Partner - Contributor II
Partner - Contributor II

Urgent: 

Hi,

Security Vulnerability Assessment for PostgreSQL (CVE-2024-7348).

Could you please check if we are vulnerable to the PostgreSQL issue detailed in the links below? If we are, kindly provide the necessary actions we need to take and specify which servers are affected. Qlik Sense in using 14.8 by installation, and the fix is in version 14.13.

  • PostgreSQL Security Advisory
  • EnterpriseDB Security Assessment

Thank you for your prompt attention to this matter.

Best regards,

Jacov @eyalnir_qlik 

721 Views
AlexOmetis
Partner Ambassador
Partner Ambassador

@JacovCohenQ - I think the advice would generally be to decouple your Postgres install from your Qlik Sense one - especially if you are needing to keep up with the latest Postgres security patches. Qlik do bundle the installer and also provide a separate Qlik Postgres installer, but for full control & the latest updates you're going to get a better result from managing it separately (just make sure it's a supported version). 

Obviously Qlik should upgrade the version of Postgres in use - although they're most likely to do that in a major release rather than security patch due to the potential complexities involved.

Installing or upgrading PostgreSQL using the Qlik PostgreSQL Installer | Qlik Sense for administrato...

System requirements for Qlik Sense Enterprise | Qlik Sense for administrators Help

582 Views
eyalnir_qlik
Partner - Creator
Partner - Creator

Hi @AlexOmetis 

Thanks for your feedback, 

As you mention above "Qlik do bundle the installer and also provide a separate Qlik Postgres installer".

we expect to get QPI for this update (14.13), rather than to update all our customer's Postgres manually (1000+), furthermore, upgrade those Postgres may lead to unsupported environment, regarding to Qlik documents.

Please advise how we can proceed ?

Note that we've some concerned customers who expecting to get quick resolution for - Security Vulnerability Assessment for PostgreSQL (CVE-2024-7348).

Best regards,

Eyal 

@Sonja_Bauernfeind @JacovCohenQ @Albert_Candelario @rotmangadi 

 

387 Views
AlexOmetis
Partner Ambassador
Partner Ambassador

Yes, hopefully Qlik will update QPI - keep an eye on Release Notes Qlik Sense PostgreSQL installer vers... - Qlik Community - 2078236 for that I imagine. 

Managing it fully outside Qlik's installers will always give more control but also always include more work. Even QPI can require some manual steps as it has some unsupported setups (non-default install locations) - but at least it supports silent install now.

As for compatibility with Qlik Sense, as long as you stay on 14.x not going to later versions, this is listed as supported. 

333 Views