Qlik Sense Enterprise for Windows - New Security P... - Page 11 - Qlik Community

Sonja_Bauernfeind · ‎2024-12-04

Edited December 5th: identified upgrades leading to complications with extensions
Edited December 6th: added workaround for extension complication
Edited December 10th: added CVEs (CVE-2024-55579 and CVE-2024-55580)
Edited December 12th, noon CET: added new patch versions and visualization and extension fix details; previous patches were removed from the download site

Hello Qlik Users,

New patches have been made available and have replaced the original six releases. They include the original security fixes (CVE-2024-55579 and CVE-2024-55580) as well as QB-30633 to resolve the extension and visualization defect.

If you continue to experience issues with extensions or visualizations, see QB-30633: Visualizations and Extensions not loading after applying patch.

Security issues in Qlik Sense Enterprise for Windows have been identified, and patches have been made available. Details can be found in Security Bulletin High Severity Security fixes for Qlik Sense Enterprise for Windows (CVE-2024-55579 and CVE-2024-5558....

Today, we have released six service releases across the latest versions of Qlik Sense to patch the reported issue. All versions of Qlik Sense Enterprise for Windows prior to and including these releases are impacted:

May 2024 Patch 9
February 2024 Patch 13
November 2023 Patch 15
August 2023 Patch 15
May 2023 Patch 17
February 2023 Patch 14

No workarounds can be provided. Customers should upgrade Qlik Sense Enterprise for Windows to a version containing fixes for these issues. November 2024 IR, released on the 26th of November, contains the fix as well.

November 2024 Initial Release
May 2024 Patch 10 or 11 (both valid)
February 2024 Patch 14 or 15 (both valid)
November 2023 Patch 16 or 17 (both valid)
August 2023 Patch 16 or 17 (both valid)
May 2023 Patch 18 or 19 (both valid)
February 2023 Patch 15 or 16 (both valid)

This issue only impacts Qlik Sense Enterprise for Windows. Other Qlik products including Qlik Cloud and QlikView are NOT impacted.

All Qlik software can be downloaded from our official Qlik Download page (customer login required). Follow best practices when upgrading Qlik Sense.

The information in this post and Security Bulletin High Severity Security fixes for Qlik Sense Enterprise for Windows (CVE-2024-55579 and CVE-2024-5558... are disclosed in accordance with our published Security and Vulnerability Policy.

The Security Notice label is used to notify customers about security patches and upgrades that require a customer’s action. Please subscribe to the ‘Security Notice’ label to be notified of future updates.

Thank you for choosing Qlik,
Qlik Global Support

AlexOmetis · ‎2024-12-19

@tvolkmerwolf / @prinzchristian - I see SAP Connectors 8.1.0 just got released... no release notes yet but perhaps they've resolved any incompatibility there? 🤞 I'm holding off some upgrades until we get confirmation that's fixed.

sri_c003 · ‎2024-12-19

Feb 2024 - P14

This patch with workaround are working fine for both extensions and security rules. I see from above comments that this patch have been withdrawn when it is working as expected with the workaround. Can we get it back.

eyalnir_qlik · ‎2024-12-23

I'm also having the same problems regarding the SAP Connector, as described by @prinzchristian and @martingries , waiting in anticipation for your update, also if @AlexOmetis suggestion for upgrade to 8.1 resolved the issue.

Martin_Dickau · ‎2025-01-02

Hi everyone, is there a response of someone that tested 8.1.0 of SAP Netweaver with the latest patch of Qlik Sense?
Or did someone tested at least to uninstall the patches and see if the SAP Connector is working again? That would narrow it down to the patches.

@prinzchristian @martingries

@AlexOmetis here are the release Notes: https://community.qlik.com/t5/Release-Notes/Qlik-SAP-NetWeaver-Connector-Release-Notes-v8-1-0/ta-p/2...

prinzchristian · ‎2025-01-06

HI @Martin_Dickau ,

I haven't done the tests with the latest SAP update yet, but I can confirm the second one - after uninstalling to an older version, everything works as usual again.

Unfortunately, my case with Qlik is still being processed - I'll keep you up to date here.

Martin_Dickau · ‎2025-01-07

Hi everyone,

Edit by Qlik:

The recommended configuration change previously posted in this reply reverts recent security improvements made to the product and could lead to users being able to execute unintended code on the server. Contact Qlik Support for assistance with your SAP connector.

@prinzchristian @martingries @AlexOmetis

AlexOmetis · ‎2025-01-08

@Martin_Dickau Really appreciate you sharing. Maybe @Sonja_Bauernfeind can see if that should be put into a KB article to make it more visible as a solution? We'll be doing an upgrade for an SAP + Qlik customer in the coming weeks and will keep this in our back pocket in case of issues!

prinzchristian · ‎2025-01-08

@Martin_Dickau - Many thanks! 🙂

Perfect, I’ll test this with my customer tomorrow and get back here to confirm if everything works.

Sonja_Bauernfeind · ‎2025-01-08

Hello @AlexOmetis

I'm seeing if we have something in the pipeline for this.

All the best,
Sonja

QFabian · ‎2025-01-08

Somewhere i read that if after upgrade QlikSense Enterprise you lose your extensions, you have to apply a workaround, please someone have it?

Qlik Sense Enterprise for Windows - New Security Patches Available Now