Qlik Sense Enterprise for Windows - New Security P... - Page 12 - Qlik Community

Sonja_Bauernfeind · ‎2024-12-04

Edited December 5th: identified upgrades leading to complications with extensions
Edited December 6th: added workaround for extension complication
Edited December 10th: added CVEs (CVE-2024-55579 and CVE-2024-55580)
Edited December 12th, noon CET: added new patch versions and visualization and extension fix details; previous patches were removed from the download site

Hello Qlik Users,

New patches have been made available and have replaced the original six releases. They include the original security fixes (CVE-2024-55579 and CVE-2024-55580) as well as QB-30633 to resolve the extension and visualization defect.

If you continue to experience issues with extensions or visualizations, see QB-30633: Visualizations and Extensions not loading after applying patch.

Security issues in Qlik Sense Enterprise for Windows have been identified, and patches have been made available. Details can be found in Security Bulletin High Severity Security fixes for Qlik Sense Enterprise for Windows (CVE-2024-55579 and CVE-2024-5558....

Today, we have released six service releases across the latest versions of Qlik Sense to patch the reported issue. All versions of Qlik Sense Enterprise for Windows prior to and including these releases are impacted:

May 2024 Patch 9
February 2024 Patch 13
November 2023 Patch 15
August 2023 Patch 15
May 2023 Patch 17
February 2023 Patch 14

No workarounds can be provided. Customers should upgrade Qlik Sense Enterprise for Windows to a version containing fixes for these issues. November 2024 IR, released on the 26th of November, contains the fix as well.

November 2024 Initial Release
May 2024 Patch 10 or 11 (both valid)
February 2024 Patch 14 or 15 (both valid)
November 2023 Patch 16 or 17 (both valid)
August 2023 Patch 16 or 17 (both valid)
May 2023 Patch 18 or 19 (both valid)
February 2023 Patch 15 or 16 (both valid)

This issue only impacts Qlik Sense Enterprise for Windows. Other Qlik products including Qlik Cloud and QlikView are NOT impacted.

All Qlik software can be downloaded from our official Qlik Download page (customer login required). Follow best practices when upgrading Qlik Sense.

The information in this post and Security Bulletin High Severity Security fixes for Qlik Sense Enterprise for Windows (CVE-2024-55579 and CVE-2024-5558... are disclosed in accordance with our published Security and Vulnerability Policy.

The Security Notice label is used to notify customers about security patches and upgrades that require a customer’s action. Please subscribe to the ‘Security Notice’ label to be notified of future updates.

Thank you for choosing Qlik,
Qlik Global Support

Sonja_Bauernfeind · ‎2025-01-08

Hello @QFabian

This only applies to the old versions of the patches, which can no longer be downloaded. The current versions are not affected by this issue.

But here is the workaround we used:

Stop the Qlik Sense Repository service
Open the file C:\Program Files\Qlik\Sense\Repository\Repository.exe.config
Go to the section <appSettings>
Add the key VisualizationExtensionsExtractFilter as the last key in the <appSettings> section:

<add key="VisualizationExtensionsExtractFilter" value="md|css|js|json|pdf|png|qext|txt|html|htm|gif|jpg|jpeg|wbl|otf|ttf|woff|woff2|eot|svg|bmp|mp3|jp2"/>
Save the file
Restart the Qlik Sense Services

all the best,
Sonja

QFabian · ‎2025-01-09

Thanks @Sonja_Bauernfeind

fmarvnnt · ‎2025-01-10

We installed the May 2024 Patch 11 Qlik Sense at one of our customers and we found problems (Apps that do not open and show a blank page) in opening Qlik Apps from iPad (via Qlik Sense App - not via browser) Have any of you encountered the same problem and how did you fix it?

FMa

eyalnir_qlik · ‎2025-01-12

Hello @fmarvnnt

This is a bug which reported. the bug ID is QB-30710

As a workaround, make the below changes in the file.

Locate the file \Qlik\Sense\CapabilityService\capabilities.json

Edit it, and search for "import-map-override_stardust_5-0-0"

{
"contentHash": "9fdb92ba880acb152ce2f99f61deeeff",
"originalClassName": "FeatureToggle",
"flag": "import-map-override_stardust_5-0-0",
"enabled": true
},

In this block, change the "enabled" to false.

Jaeger · ‎2025-01-13

Hello,
we installed February 2024 Patch 14 and have the problem that users with AnalyzerCapacity license can't connect from iPad. If we change the users to Analyzer license then it works from iPad. From Windows via browser it's working in both cases.
I'm not sure if it worked with Patch 13 or before.

janyf · ‎2025-01-14

Fix mentioned above in comments (stardust) helped some users from one of our customers even on desktops.
They have white screen instead of app, when there was error with 2 .js files (visible in developer tools). Version of Qlik was may24 p9 , bug appears after upgrading to p11 , but when they revert it stays.
After applying fix , problems dissapears.
@Sonja_Bauernfeind could qlik provide description of bug QB-30710 ?

Sonja_Bauernfeind · ‎2025-01-14

Hello @janyf

Let me reach out to our experts.

All the best,
Sonja

TcnCunha_M · ‎2025-01-17

Hello @Sonja_Bauernfeind i need a real clarification with Qlik

This is connect with security rules : https://community.qlik.com/t5/Official-Support-Articles/High-Security-fixes-for-Qlik-Sense-Enterpris....
Like i not able to have And conditional inside of security rule?

Sonja_Bauernfeind · ‎2025-01-17

Hello @TcnCunha_M

I do not understand your question. Can you clarify what you mean?

Do you mean you have Security Rules issues after applying these patches? If so, please create a support ticket to have this investigated.

All the best,
Sonja

TcnCunha_M · ‎2025-01-17

Hi @Sonja_Bauernfeind

Let me elaborate a little bit better :
This change, somehow it will impact on the security rules? Should change the behavior of security rules on Qlik Sense Side?

Qlik Sense Enterprise for Windows - New Security Patches Available Now