Today, 20 March 2024, we have released two service releases across the latest versions of QlikView to patch the reported issue. All versions of QlikView prior to and including the releases below are impacted:
QlikView May 2023 SR1 (12.80.20100)
QlikView May 2022 SR2 (12.70.20200)
Call to Action
As no workarounds can be provided, customers should upgrade QlikView to one of the following versions, which contain the fix:
QlikView May 2023 SR2 (12.80.20200)
QlikView May 2022 SR3 (12.70.20300)
This issue only impacts QlikView. Other Qlik data analytics products including Qlik Cloud and Qlik Sense Enterprise on Windows are not impacted.
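Added example (not Qlik's code and not part of the original notice): a PowerShell check that lists the QlikView components registered on a Windows host and classifies each DisplayVersion against the two fixed builds named above. It assumes QlikView components appear under the standard Windows Uninstall registry keys with a DisplayName beginning with "QlikView" and a DisplayVersion in the Major.Minor.Build form used in this notice (for example 12.80.20100); the function and variable names are the author's own.

```powershell
# Added example, not Qlik's code. Assumptions: QlikView components register under
# the standard Uninstall keys with DisplayName starting "QlikView" and a
# DisplayVersion shaped like 12.80.20100 (Major.Minor.Build). Adjust the filter
# if your installs register differently.

# Fixed builds per release line, taken from the notice above.
$FixedBuilds = @{
    '12.80' = 20200   # QlikView May 2023 SR2 (12.80.20200)
    '12.70' = 20300   # QlikView May 2022 SR3 (12.70.20300)
}

function Get-QlikViewVersionStatus {
    param([Parameter(Mandatory)][string]$Version)

    # [version] parses '12.80.20100' as Major 12, Minor 80, Build 20100.
    $v    = [version]$Version
    $line = "$($v.Major).$($v.Minor)"

    if ($FixedBuilds.ContainsKey($line)) {
        # Same release line as a fixed SR: fixed only at or above that build.
        if ($v.Build -ge $FixedBuilds[$line]) { return 'Fixed' }
        return 'Impacted'
    }

    # Any release line older than May 2022 (12.70) predates both fixed SRs,
    # and the notice says all prior versions are impacted.
    if ([version]$line -lt [version]'12.70') { return 'Impacted' }

    # A release line newer than those listed is not covered by this notice;
    # confirm against the Qlik Download page rather than assuming it is fixed.
    return 'NotCoveredByNotice'
}

function Get-QlikViewInstallStatus {
    # Both the native and the WOW6432Node Uninstall hives, so 32-bit components
    # (such as a plugin) on a 64-bit host are not missed.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'QlikView*' -and $_.DisplayVersion } |
        ForEach-Object {
            [pscustomobject]@{
                Product = $_.DisplayName
                Version = $_.DisplayVersion
                Status  = Get-QlikViewVersionStatus -Version $_.DisplayVersion
            }
        }
}

# Run in an elevated PowerShell session on each QlikView host.
Get-QlikViewInstallStatus | Sort-Object Status, Product | Format-Table -AutoSize
```

The script reports every registered QlikView component (Server, Desktop, Plugin, and so on) rather than deciding which of them must be upgraded; the notice itself only says the issue is tied to the MSI files on disk and that upgrading is the remediation, so treat any 'Impacted' row as needing the listed SR until Qlik states otherwise. A 'NotCoveredByNotice' result means the version string is newer than the two lines this notice names, not that it has been verified as fixed.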
Additional Details
All Qlik software can be downloaded from our official Qlik Download page (customer login required). Follow best practices when upgrading QlikView.
The Security Notice label is used to notify customers about security patches and upgrades that require a customer’s action. Please subscribe to the ‘Security Notice’ label to be notified of future updates.
Frequently Asked Questions
Q: Is the vulnerability present in the QlikView Plugin or other QlikView products? A: The vulnerability is related to the MSI files on disk.
Q: Will deleting the MSI files mitigate the issue? A: Qlik does not consider removing the MSI files a complete workaround. A server user can restore them.
@Sonja_Bauernfeind can you share the location of the files that are being cleaned up by the patch? I have searched through a few QV installs and so far haven't found any MSI files in the Qlik folders in Program Data or Program Files. The only executable-type files I have come across are .exe files.
@QliksterMind you are thinking the exact same thing I was. For environments where you cannot easily get the downtime, or if there is a case where a version of QlikView is older than the patches released, removing the files or locking down the folders would be a workaround.
@Sonja_Bauernfeind - thanks for the updates. However the answer regarding which products doesn't make much sense to me. MSI files are the installer files that are unpacked as part of the installation - they only come as part of a product install. Are you saying the MSI files for all QlikView installers were insecurely stored and that they could be used to elevate privilege for any of those installers?
It makes a big difference if we need to upgrade just QlikView Server or QlikView Desktop & Plugin as well to mitigate this issue. Also given that it's a local, not remote, vulnerability, the risk profile is very different for a server or a client as the server is less likely to have unprivileged users logging in that could abuse this vulnerability.
I get that upgrading all of them is the ideal solution, but more information on which installers, how the vulnerability can be exploited, any alternative mitigations etc would help customers & partners plan the right priorities on the components of the response.
I'm working on getting you a detailed response. I've also clarified the response in the thread to mirror the answer I gave in the FAQ as it is clearer than what I replied within the thread itself.
1. Is it possible for there to be no MSI file on the disk?
2. If there is no MSI file on the disk, is it unnecessary to perform the actions described in this article?