Sonja_Bauernfeind
Digital Support

Edited December 5th: identified upgrades leading to complications with extensions
Edited December 6th: added workaround for extension complication
Edited December 10th: added CVEs (CVE-2024-55579 and CVE-2024-55580)
Edited December 12th, noon CET: added new patch versions and visualization and extension fix details; previous patches were removed from the download site

Hello Qlik Users,

New patches have been made available and have replaced the original six releases. They include the original security fixes (CVE-2024-55579 and CVE-2024-55580) as well as QB-30633 to resolve the extension and visualization defect.

If you continue to experience issues with extensions or visualizations, see QB-30633: Visualizations and Extensions not loading after applying patch.

Security issues in Qlik Sense Enterprise for Windows have been identified, and patches have been made available. Details can be found in Security Bulletin High Severity Security fixes for Qlik Sense Enterprise for Windows (CVE-2024-55579 and CVE-2024-5558....

Today, we have released six service releases across the latest versions of Qlik Sense to patch the reported issue. All versions of Qlik Sense Enterprise for Windows prior to and including these releases are impacted:

  • May 2024 Patch 9
  • February 2024 Patch 13
  • November 2023 Patch 15
  • August 2023 Patch 15
  • May 2023 Patch 17
  • February 2023 Patch 14

 

No workarounds can be provided. Customers should upgrade Qlik Sense Enterprise for Windows to a version containing fixes for these issues. November 2024 IR, released on the 26th of November, contains the fix as well.

  • November 2024 Initial Release
  • May 2024 Patch 10 or 11 (both valid)
  • February 2024 Patch 14 or 15 (both valid)
  • November 2023 Patch 16 or 17 (both valid)
  • August 2023 Patch 16 or 17 (both valid)
  • May 2023 Patch 18 or 19 (both valid)
  • February 2023 Patch 15 or 16 (both valid)

This issue only impacts Qlik Sense Enterprise for Windows. Other Qlik products including Qlik Cloud and QlikView are NOT impacted.

All Qlik software can be downloaded from our official Qlik Download page (customer login required). Follow best practices when upgrading Qlik Sense.

The information in this post and Security Bulletin High Severity Security fixes for Qlik Sense Enterprise for Windows (CVE-2024-55579 and CVE-2024-5558... are disclosed in accordance with our published Security and Vulnerability Policy.

 

The Security Notice label is used to notify customers about security patches and upgrades that require a customer’s action. Please subscribe to the ‘Security Notice’ label to be notified of future updates. 

Thank you for choosing Qlik,
Qlik Global Support
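
A triage check for the version lists in the notice above, added here as an example and not Qlik's own code: it classifies release labels from an inventory as fixed or still impacted. The label format, the host names, and the treatment of release trains after November 2024 as fixed are assumptions.

```python
import re

MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]

# First patch level on each release train that the notice lists as fixed.
FIRST_FIXED_PATCH = {
    (2024, 5): 10, (2024, 2): 14, (2023, 11): 16,
    (2023, 8): 16, (2023, 5): 18, (2023, 2): 15,
}
# November 2024 Initial Release contains the fix (assumption: later trains too).
FIXED_FROM_TRAIN = (2024, 11)

LABEL = re.compile(
    r"^\s*([A-Za-z]+)\s+(\d{4})(?:\s+(?:patch\s+(\d+)|ir|initial\s+release))?\s*$",
    re.IGNORECASE)

def parse_label(label):
    """Return ((year, month), patch) for a label such as 'May 2024 Patch 9'."""
    m = LABEL.match(label)
    if not m or m.group(1).lower() not in MONTHS:
        raise ValueError(f"unrecognised release label: {label!r}")
    train = (int(m.group(2)), MONTHS.index(m.group(1).lower()) + 1)
    return train, int(m.group(3) or 0)  # IR or no suffix counts as patch 0

def classify(label):
    train, patch = parse_label(label)
    if train >= FIXED_FROM_TRAIN:
        return "fixed"
    first_fixed = FIRST_FIXED_PATCH.get(train)
    if first_fixed is None:
        # Train not listed in the notice and older than November 2024:
        # impacted, and no patch on that train is listed as fixed.
        return "vulnerable-no-listed-fix"
    return "fixed" if patch >= first_fixed else "vulnerable"

def triage(inventory):
    return {host: classify(label) for host, label in inventory.items()}

# Constructed inventory: host names and labels are made up for the example.
INVENTORY = {"qs-prod-01": "May 2024 Patch 9", "qs-prod-02": "May 2024 Patch 11",
             "qs-test-01": "November 2024 IR", "qs-old-01": "August 2022 Patch 10"}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:12} {INVENTORY[host]:24} {status}")
```

A host reported as `vulnerable-no-listed-fix` has to move to one of the fixed releases listed above, since the notice names no patch for its train.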

129 Comments
LDR
Creator II

@Sonja_Bauernfeind I think that I, like many of us, need to know what @jeremyseipel is asking you. Is Patch 11 the one that fixes any visualization bug and CVE issues? Or should we wait for Patch 12?

To fix security vulnerabilities is for sure important; however, to fix something and break some other things doesn't look like the right way.

PS: I'm not saying that your work is easy, not at all, but we need to be sure that the latest Patch is not going to open a new can of worms.

0 Likes
1,138 Views
Sonja_Bauernfeind
Digital Support

Hello @LDR and @jeremyseipel 

This was already done.

New patches have been made available and have replaced the original six releases. They include the original security fixes (CVE-2024-55579 and CVE-2024-55580) as well as QB-30633 to resolve the extension and visualization defect.

Example: May Patch 11.

Any other issues reported (which are not related to extensions) have not been linked to the patches directly and must be investigated by Support separately.

 

1,101 Views
jeremyseipel
Partner - Contributor III

Thanks @Sonja_Bauernfeind for the update. Based on what you posted, my take is there will be no additional patches released for this vulnerability, so the best course of action is to follow standard patching procedures and start updating environments one at a time.

0 Likes
999 Views
LDR
Creator II

@Sonja_Bauernfeind many thanks for confirming it for us.

0 Likes
953 Views
tvolkmerwolf
Partner - Creator

Is there any accessible solution for the problems regarding the SAP Connector, as described by @prinzchristian and @martingries ?

Many thanks in advance!

892 Views
Sonja_Bauernfeind
Digital Support

Hello @steeefan and @mscagliusi 

If you are still experiencing issues, please log a case with Qlik Support to help us track and investigate this.

All the best,
Sonja 

0 Likes
882 Views
prinzchristian
Partner - Contributor III

Hi @tvolkmerwolf 

There is no solution yet with the latest version, and also not with the latest patches - the support case is still open and I am constantly providing new information to the support team.

I will let you know as soon as there is an update.

862 Views
tvolkmerwolf
Partner - Creator

Hi @prinzchristian , many thanks for your update and your offer to keep me posted!

Best wishes.

837 Views
TcnCunha_M
Creator III

Hello @Sonja_Bauernfeind, is Qlik aware of this Feb 2024 Patch 15 mess-up with mashups? We have security rules for developers and we need to re-create them again?
2 issues on 2 patches in a row, what's going on, seriously?
00337598: Security Rules not working after patching: Issue with Extension Access

0 Likes
701 Views
Sonja_Bauernfeind
Digital Support

Hello @TcnCunha_M 

Please continue to work with your assigned support engineer on the ticket. I have forwarded your message to the relevant team though.

All the best,
Sonja

625 Views