Today, 20th of March 2024, we have released two service releases across the latest versions of QlikView to patch the reported issue. All versions of QlikView prior to and including the releases below are impacted:
QlikView May 2023 SR1 (12.80.20100)
QlikView May 2022 SR2 (12.70.20200)
Call to Action
As no workarounds can be provided, Customers should upgrade QlikView to one of the following versions that contain the fix:
QlikView May 2023 SR2 (12.80.20200)
QlikView May 2022 SR3 (12.70.20300)
This issue only impacts QlikView. Other Qlik data analytics products including Qlik Cloud and Qlik Sense Enterprise on Windows are not impacted.
Additional Details
All Qlik software can be downloaded from our official Qlik Download page (customer login required). Follow best practices when upgrading QlikView.
The Security Notice label is used to notify customers about security patches and upgrades that require a customer’s action. Please subscribe to the ‘Security Notice’ label to be notified of future updates.
Frequently Asked Questions
Q: Is the vulnerability present in the QlikView Plugin or other QlikView products? A: The vulnerability is related to the MSI files on disk.
Q: Will deleting the MSI files mitigate the issue? A: Qlik does not consider removing the MSI files a complete workaround. A server user can restore them.
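The advisory states only that the issue stems from installer .msi files left on disk that non-administrators can reach, that the fix restricts access to administrators, and that deleting the files is not a complete workaround. The practical defender-side check after upgrading is therefore to inventory any remaining .msi files and the access they grant to broad principals. The PowerShell script below is an added example, not Qlik's code and not from the page; the search roots are placeholders that must be adjusted to where installer files actually sit in your environment.

```powershell
# Added example (not Qlik's code): inventory leftover .msi files and report
# access granted to broad, non-administrator principals for review.
# Assumption: $SearchRoots are placeholder directories; adjust them to the
# locations where your QlikView installer files were actually left.
param(
    [string[]]$SearchRoots = @('C:\QLIKVIEW_INSTALL_DIR_PLACEHOLDER', $env:TEMP)
)

# Well-known broad principals; any Allow ACE for these deserves a look.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

$findings = foreach ($root in $SearchRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    Get-ChildItem -LiteralPath $root -Filter '*.msi' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName
            foreach ($ace in $acl.Access) {
                # Only explicit or inherited Allow entries matter here.
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($BroadPrincipals -contains $ace.IdentityReference.Value) {
                    [pscustomobject]@{
                        File      = $_.FullName
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
}

if ($findings) {
    # Each row is one (file, principal) pair to review; inherited ACEs usually
    # point at the parent directory's ACL rather than the file itself.
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No .msi files granting access to broad principals found under: $($SearchRoots -join ', ')"
}
```

Run it in an elevated session so Get-Acl can read every file. The output is a review list, not a mitigation: the advisory's remedy is upgrading to a fixed release, and this check only confirms whether leftover installer files with broad access remain afterwards.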
Can you confirm that this is only an issue when running an install or upgrade rather than an ongoing issue in an already-installed environment? Or is there a component of the installer that can be leveraged (perhaps via uninstaller) to expose this?
Looking at the Release Notes which lists the bug, it seems it's to do with leaving MSI files on disk that would be accessible to non-admins... which I guess means it affects existing installs too. Although this doesn't sound like a "race condition" as described in the security bulletin.
QV-25114
Local Privilege Escalation
Installers sometimes left .msi files on Local disc, which could result in a security problem. This is now fixed, so that administrator rights are needed to access them.
What kind of events can be caused by being able to run with administrator privileges? For example, is it possible for the system to be stopped or destroyed without permission?
The email from our Qlik partner states: "If successfully exploited, a user with existing access to the Windows environment running QlikView or the QlikView plugin may be able to escalate their privileges to that of administrator."
What is meant here with "QlikView plugin"? Is there a vulnerability related to this plugin?