Sonja_Bauernfeind
Digital Support

Update 21st of March 16:00 CET: published CVE number
Update 27th of March 10:45 CET: added FAQ

Hello Qlik Users,

A security issue in QlikView has been identified and patches have been made available. Details can be found in the Security Bulletin High Severity Security fix for QlikView (CVE-2024-29863).

Today, 20th of March 2024, we have released two service releases across the latest versions of QlikView to patch the reported issue. All versions of QlikView prior to and including the releases below are impacted:

  • QlikView May 2023 SR1 (12.80.20100)
  • QlikView May 2022 SR2 (12.70.20200)

Call to Action

As no workarounds can be provided, Customers should upgrade QlikView to one of the following versions that contain the fix:

  • QlikView May 2023 SR2 (12.80.20200)
  • QlikView May 2022 SR3 (12.70.20300)

This issue only impacts QlikView. Other Qlik data analytics products, including Qlik Cloud and Qlik Sense Enterprise on Windows, are not impacted.

Additional Details

The Security Notice label is used to notify customers about security patches and upgrades that require a customer’s action. Please subscribe to the ‘Security Notice’ label to be notified of future updates. 

Frequently Asked Questions

Q: Is the vulnerability present in the QlikView Plugin or other QlikView products? 
A: The vulnerability is related to the MSI files on disk.

Q: Will deleting the MSI files mitigate the issue?
A: Qlik does not consider removing the MSI files a complete workaround. A server user can restore them.

44 Comments
jeremyseipel
Partner - Contributor III

@Sonja_Bauernfeind can you share the location of the files that are being cleaned up by the patch? I have searched through a few QV installs and so far haven't found any MSI files in the Qlik folders in program data or program files. The only executable-type files I have come across are .exe files.

1,851 Views
Suraj_Maraje
Partner - Contributor III

@jeremyseipel  

The .msi may be located in either:

C:\Users\<User>\AppData\Local\Temp\{GUID}

C:\Users\<User>\AppData\Local\QlikTech Installations\{GUID}

@Sonja_Bauernfeind What if we removed all .msi files from these locations? Do we still need to upgrade to versions that contain the fix?

1,823 Views
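For anyone triaging this, here is an added read-only PowerShell script (not Qlik's code and not posted by anyone in this thread) that reports whether the installed QlikView build is at or above the fixed service releases named in the advisory and lists leftover .msi files in the two per-user locations quoted in the reply above. It assumes QlikView appears in the Windows Uninstall registry keys with a DisplayName containing "QlikView" and a DisplayVersion of the form 12.x.y; it deletes nothing, since Qlik states that removing the files is not a complete workaround.

```powershell
# Added triage script, not Qlik's own code. Read-only: it deletes nothing.
# Assumes QlikView registers in the Windows Uninstall keys with a DisplayName
# containing "QlikView" and a DisplayVersion of the form 12.x.y.

# Fixed service releases from the advisory, keyed by release line (major.minor).
$FixedVersions = @{
    '12.80' = [version]'12.80.20200'   # QlikView May 2023 SR2
    '12.70' = [version]'12.70.20300'   # QlikView May 2022 SR3
}

function Get-QlikViewPatchStatus {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*QlikView*' } |
        ForEach-Object {
            $installed = $_.DisplayVersion -as [version]
            if (-not $installed) { return }   # skip entries without a parseable version
            $line = '{0}.{1}' -f $installed.Major, $installed.Minor
            $status = if ($FixedVersions.ContainsKey($line)) {
                if ($installed -ge $FixedVersions[$line]) { 'Fixed' } else { 'Impacted: upgrade' }
            } else {
                # Older release lines have no fixed SR; the advisory says everything
                # prior to the listed releases is impacted.
                'Impacted: move to May 2022 SR3 / May 2023 SR2 or later'
            }
            [pscustomobject]@{ Product = $_.DisplayName; Version = $installed; Status = $status }
        }
}

function Get-LeftoverQlikViewMsi {
    # The two per-user locations quoted in the thread, checked for every profile.
    foreach ($userDir in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
        $roots = @(
            (Join-Path $userDir.FullName 'AppData\Local\Temp'),
            (Join-Path $userDir.FullName 'AppData\Local\QlikTech Installations')
        )
        Get-ChildItem -Path $roots -Filter *.msi -Recurse -File -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime
    }
}

Get-QlikViewPatchStatus | Format-Table -AutoSize
Get-LeftoverQlikViewMsi | Format-Table -AutoSize
```

Run it elevated on each QlikView host; a build reported as Impacted needs the service release upgrade from the Call to Action regardless of what the .msi listing shows.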
jeremyseipel
Partner - Contributor III

@Suraj_Maraje you are thinking the exact same thing I was. For environments where you cannot easily get the downtime, or if there is a case where a version of QlikView is older than the patches released, removing the files or locking down the folders would be a workaround.

1,800 Views
Qlik1983
Contributor II

@Sonja_Bauernfeind Any updates to the above messages? Is it just related to the MSI files?

1,504 Views
Sonja_Bauernfeind
Digital Support

Hello @Qlik1983 

We are still gathering and verifying the answers to give you the clearest possible response. I expect to have them for you today.

All the best,
Sonja 

1,433 Views
mbrade
Contributor

Any news?

1,270 Views
Sonja_Bauernfeind
Digital Support

Hello @xudo 

The vulnerability is related to the MSI files.

@jeremyseipel @Suraj_Maraje @Qlik1983 @mbrade 

Regarding the question of whether deleting the MSI files will mitigate the issue:

Qlik does not consider removing the MSI files a complete workaround as a user of the server could restore them. 

As for the remaining questions, I am aiming to have them answered as soon as possible and will be updating the blog post with an FAQ accordingly. 

All the best,
Sonja 

1,189 Views
AlexOmetis
Partner Ambassador

@Sonja_Bauernfeind - thanks for the updates. However, the answer regarding which products doesn't make much sense to me. MSI files are the installer files that are unpacked as part of the installation; they only come as part of a product install. Are you saying the MSI files for all QlikView installers were insecurely stored and that they could be used to elevate privilege for any of those installers?

It makes a big difference if we need to upgrade just QlikView Server or QlikView Desktop & Plugin as well to mitigate this issue. Also, given that it's a local, not remote, vulnerability, the risk profile is very different for a server or a client, as the server is less likely to have unprivileged users logging in that could abuse this vulnerability.

I get that upgrading all of them is the ideal solution, but more information on which installers, how the vulnerability can be exploited, any alternative mitigations etc. would help customers & partners plan the right priorities on the components of the response.

1,156 Views
Sonja_Bauernfeind
Digital Support

Hello @AlexOmetis 

I'm working on getting you a detailed response. I've also clarified the response in the thread to mirror the answer I gave in the FAQ as it is clearer than what I replied within the thread itself. 

All the best,
Sonja

1,083 Views
afujikawa
Partner - Creator II

Hello @Sonja_Bauernfeind,

1. Is it possible for there to be no MSI file on the disk?
2. If there is no MSI file on the disk, is it unnecessary to perform the actions described in this article?

Environment: QlikView May 2022 IR

Best regards,
afujikawa

868 Views