Sonja_Bauernfeind
Digital Support

Edited December 5th: identified upgrades leading to complications with extensions
Edited December 6th: added workaround for extension complication
Edited December 10th: added CVEs (CVE-2024-55579 and CVE-2024-55580)
Edited December 12th, noon CET: added new patch versions and visualization and extension fix details; previous patches were removed from the download site

Hello Qlik Users,

New patches have been made available and have replaced the original six releases. They include the original security fixes (CVE-2024-55579 and CVE-2024-55580) as well as QB-30633 to resolve the extension and visualization defect.

If you continue to experience issues with extensions or visualizations, see QB-30633: Visualizations and Extensions not loading after applying patch.

Security issues in Qlik Sense Enterprise for Windows have been identified, and patches have been made available. Details can be found in Security Bulletin High Severity Security fixes for Qlik Sense Enterprise for Windows (CVE-2024-55579 and CVE-2024-5558....

Today, we have released six service releases across the latest versions of Qlik Sense to patch the reported issue. All versions of Qlik Sense Enterprise for Windows prior to and including these releases are impacted:

  • May 2024 Patch 9
  • February 2024 Patch 13
  • November 2023 Patch 15
  • August 2023 Patch 15
  • May 2023 Patch 17
  • February 2023 Patch 14

 

No workarounds can be provided. Customers should upgrade Qlik Sense Enterprise for Windows to a version containing fixes for these issues. November 2024 IR, released on the 26th of November, contains the fix as well.

  • November 2024 Initial Release
  • May 2024 Patch 10 or 11 (both valid)
  • February 2024 Patch 14 or 15 (both valid)
  • November 2023 Patch 16 or 17 (both valid)
  • August 2023 Patch 16 or 17 (both valid)
  • May 2023 Patch 18 or 19 (both valid)
  • February 2023 Patch 15 or 16 (both valid)

This issue only impacts Qlik Sense Enterprise for Windows. Other Qlik products including Qlik Cloud and QlikView are NOT impacted.

All Qlik software can be downloaded from our official Qlik Download page (customer login required). Follow best practices when upgrading Qlik Sense.

The information in this post and Security Bulletin High Severity Security fixes for Qlik Sense Enterprise for Windows (CVE-2024-55579 and CVE-2024-5558... are disclosed in accordance with our published Security and Vulnerability Policy.

 

The Security Notice label is used to notify customers about security patches and upgrades that require a customer’s action. Please subscribe to the ‘Security Notice’ label to be notified of future updates. 

Thank you for choosing Qlik,
Qlik Global Support
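
The version lists in the post above can be turned into a fleet check. The following is an added example, not Qlik code: it parses release labels in the form the post uses and classifies each node against the listed fixed patches. The host names and status strings are hypothetical, and it assumes that the lower of the two patches listed per track is the original build later replaced for QB-30633 and that later patches on a track keep the fix.

```python
import re

# Lowest patch per release track that carries the security fixes (from the post).
FIRST_FIXED_PATCH = {
    (2024, 5): 10, (2024, 2): 14, (2023, 11): 16,
    (2023, 8): 16, (2023, 5): 18, (2023, 2): 15,
}
FIRST_FIXED_RELEASE = (2024, 11)  # November 2024 Initial Release
MONTHS = {"february": 2, "may": 5, "august": 8, "november": 11}
LABEL = re.compile(
    r"^\s*([a-z]+)\s+(\d{4})(?:\s+(?:patch\s+(\d+)|initial\s+release|ir))?\s*$",
    re.IGNORECASE,
)

def parse_release(label):
    """'May 2024 Patch 9' -> ((2024, 5), 9); no patch suffix means patch 0."""
    m = LABEL.match(label)
    if not m or m.group(1).lower() not in MONTHS:
        raise ValueError(f"unrecognised release label: {label!r}")
    return (int(m.group(2)), MONTHS[m.group(1).lower()]), int(m.group(3) or 0)

def classify(label):
    """Map a release label to a (hypothetical) remediation status string."""
    track, patch = parse_release(label)
    if track > FIRST_FIXED_RELEASE:
        return "not-listed"           # newer than anything the post covers
    if track == FIRST_FIXED_RELEASE:
        return "fixed"                # fix is in the Initial Release
    first = FIRST_FIXED_PATCH.get(track)
    if first is None:
        return "vulnerable-no-patch"  # impacted, no patch listed for this track
    if patch < first:
        return "vulnerable"
    # ASSUMPTION: the first fixed patch is the original build (security fix
    # present, QB-30633 extension defect possible); later patches carry both.
    return "fixed-check-extensions" if patch == first else "fixed"

# Constructed inventory: host names are placeholders, not from the post.
INVENTORY = {
    "qs-central": "May 2024 Patch 9",
    "qs-rim-01": "May 2024 Patch 10",
    "qs-rim-02": "February 2024 Patch 15",
    "qs-legacy": "November 2022 Patch 12",
}

def triage(inventory):
    return {host: classify(label) for host, label in inventory.items()}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:12} {INVENTORY[host]:24} {status}")
```
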

129 Comments
patrickbe
Partner - Contributor II

Hi,

Are environments that face the Internet (with SAML) also affected? Does that also count as network access?

Regards,
Patrick

0 Likes
9,532 Views
fmarvnnt
Partner - Creator III

Is anyone experiencing this severe issue after applying Patch 10 to a May 2024 Patch 7 site?

Error opening any sheet on any app.  Rollback of the installed patch had been forcibly done.

0 Likes
9,149 Views
Sonja_Bauernfeind
Digital Support

Hello @fmarvnnt I suggest posting about this in the appropriate forum (Management and Deployment) to expand your reach of this question as this blog post is primarily here to facilitate discussion around the security vulnerability. I have not yet heard any other reports of this issue.

@patrickbe I've forwarded your question, thank you!

All the best,
Sonja 

8,930 Views
Sonja_Bauernfeind
Digital Support

@patrickbe This counts as network access. 

All the best,
Sonja

0 Likes
8,913 Views
ajourdan1684153368
Contributor II

Hello, after upgrading to May24 P10, our extensions have disappeared and are impossible to import.


8,895 Views
Sonja_Bauernfeind
Digital Support

Hello, @ajourdan1684153368 and @fmarvnnt Please report issues you experience with the installations as support cases, providing as many details as possible such as what versions you are upgrading from (and to), detailed descriptions, and any supporting material such as screen captures and log files.

All the best,
Sonja

8,867 Views
fosuzuki3
Luminary

I have a similar issue to @ajourdan1684153368: I'm getting an error when trying to import newer versions of Vizlib and GeoAnalytics extensions.
"Failed to import extensions. Please check the log file." message in QMC, and "ZIP file error" message in System_Repository log.

(edit: after upgrading from May.23 to May.24.patch10)

0 Likes
8,627 Views
ajourdan1684153368
Contributor II

I opened a ticket. FYI, if blocking, we deleted the patches to return to the initial version and that's good. On the Community it is recommended to delete the patches before installing new ones. I haven't tested it yet.

0 Likes
8,538 Views
fosuzuki3
Luminary

Uninstalling Patch10 and installing Patch9 seems to resolve the issue with importing the extensions...

8,513 Views
Eduardo_Monteiro
Partner - Contributor III

FYI

We have the extension issue here too. We were running Feb 2024 P4 and then yesterday Patch14 was applied.

Today we noticed invalid visualizations while opening some apps. We tried reinstalling extensions with no success. We can see the extensions in the folder, but they are not showing in QMC.

We're reverting until we hear it's fixed.

8,499 Views