Skip to main content
Woohoo! Qlik Community has won “Best in Class Community” in the 2024 Khoros Kudos awards!
Announcements
Nov. 20th, Qlik Insider - Lakehouses: Driving the Future of Data & AI - PICK A SESSION
Sonja_Bauernfeind
Digital Support
Digital Support

Update 21st of March 16:00 CET: published CVE number
Update 27th of March 10:45 CET: added FAQ

Hello Qlik Users,

A security issue in QlikView has been identified and patches have been made available. Details can be found in the Security Bulletin High Severity Security fix for QlikView (CVE-2024-29863).

Today, 20th of March 2024, we have released two service releases across the latest versions of QlikView to patch the reported issue. All versions of QlikView prior to and including the releases below are impacted:

  • QlikView May 2023 SR1 (12.80.20100)
  • QlikView May 2022 SR2 (12.70.20200)

 

Call to Action

As no workarounds can be provided, Customers should upgrade QlikView to one of the following versions that contain the fix:

  • QlikView May 2023 SR2 (12.80.20200)
  • QlikView May 2022 SR3 (12.70.20300)
This issue only impacts QlikView. Other Qlik data analytics products including Qlik Cloud and Qlik Sense Enterprise on Windows are not impacted.

Additional Details


The Security Notice label is used to notify customers about security patches and upgrades that require a customer’s action. Please subscribe to the ‘Security Notice’ label to be notified of future updates. 

Frequently Asked Questions

Q: Is the vulnerability present in the QlikView Plugin or other QlikView products? 
A: The vulnerability is related to the MSI files on disk.

Q: Will deleting the MSI files mitigate the issue?
A: Qlik does not consider removing the MSI files a complete workaround. A server user can restore them.

44 Comments
Sonja_Bauernfeind
Digital Support
Digital Support

@AlexOmetis 

Your Question: Can you confirm that this is only an issue when running an install or upgrade rather than an ongoing issue in an already installed environment? Or is there a component of the installer that can be leveraged (perhaps via uninstaller) to expose this? 

Looking at the Release Notes which lists the bug, it seems it's to do with leaving MSI files on disk that would be accessible to non-admins... which I guess means it affects existing installs too. Although this doesn't sound like a "race condition" as described in the security bulletin.

Answer: The vulnerability is caused by the installers being left behind post-upgrade or installation. These installers can potentially be launched by a local user without Administrative Privileges.

It exists in all QlikView installations. 

Your Question: Also clarity on whether it affects QlikView Server AND QlikView Desktop or just one or the other would be useful.

Answer: This issue is present in all QlikView Installers. Any package is affected. 

@sis 

Your Question: What kind of events can be caused by being able to run with administrator privileges?
For example, is it possible for the system to be stopped or destroyed without permission?

Answer: A non-administrator user should never be able to launch the QlikView Installer and modify the installation. Applying the listed patches plugs this vulnerability. 

@afujikawa 

QlikView May 2022 IR is affected by this vulnerability. You should upgrade. Removing/deleting the MSI files is not considered a viable mitigation. 

 

All the best,
Sonja

1,968 Views
Saltenis
Contributor
Contributor

Could you advise where it is leaving those .MSI files exactly (for desktop and server versions to be precise)?

1,922 Views
sis
Partner - Specialist
Partner - Specialist

@Sonja_Bauernfeind 

Thanks for the answer.

In other words, even if it can be executed with administrator privileges, is it correct to understand that a non-administrator user cannot stop or destroy the system?

However, in your response to others, you say that "These installers can potentially be launched by a local user without Administrative Privileges".
Do we have to worry about local users starting, stopping, or modifying the system?

1,804 Views
afujikawa
Partner - Creator II
Partner - Creator II

@Sonja_Bauernfeind 

Thank you for the quick reply.

The MSI file QlikViewServerx64.msi is located in the following folder on our server machine.
00071230_kka_0329.png
My understanding is that QlikViewServerx64.msi is generated by the execution of QlikViewServer_x64Setup.exe.
Also my understanding is that in the environment where I run QlikViewServer_x64Setup.exe, QlikViewServerx64.msi is always generated.
Am I correct in my understanding?

Best regards,
afujikawa

1,758 Views
sis
Partner - Specialist
Partner - Specialist

@Sonja_Bauernfeind 

Is this vulnerability not only an installation issue, but also a vulnerability in a Windows environment running QlikView or the QlikView plug-in, i.e. in an environment where QlikView is used after QlikView has been installed?

1,616 Views
xudo
Contributor II
Contributor II

Hello @Sonja_Bauernfeind , thanks for your support. If we shift-delete the MSI file, so that a server user cannot restore them, would that be considered a sufficient workaround please? Best, Wouter

1,533 Views
Sonja_Bauernfeind
Digital Support
Digital Support

@xudo 

Removing the MSI files is not considered a sufficient mitigation. 

@sis I need more information on your second question (in an environment where QlikView is used after QlikView has been installed). 

@sis @Saltenis @afujikawa I have forwarded your follow-up questions to our security and product team contacts internally.

All the best,
Sonja 

1,441 Views
sis
Partner - Specialist
Partner - Specialist

@Sonja_Bauernfeind 

High Severity Security fix for QlikView (CVE-2024-29863)
https://community.qlik.com/t5/Official-Support-Articles/High-Severity-Security-fix-for-QlikView-CVE-...

This site says "A race condition exists in the QlikView installer executable".
I would like to know if the presence of a race condition in the installer executable also means that the QlikView environment that is already installed is also vulnerable.

Thanks.

1,298 Views
sis
Partner - Specialist
Partner - Specialist

@Sonja_Bauernfeind 

I have one more question.

Is the "access" described in "a user with existing access to the Windows environment running QlikView or the QlikView plugin" an OOS-level access, e.g. on a remote desktop?
If the user only accesses at the browser level, is it safe to assume that there is no problem?

Thanks.

1,225 Views
Sonja_Bauernfeind
Digital Support
Digital Support

Hello @sis Thank you for the clarification. I have forwarded everything, including your new question.

All the best,
Sonja 

1,116 Views