Sonja_Bauernfeind
Digital Support

Update 21st of March 16:00 CET: published CVE number
Update 27th of March 10:45 CET: added FAQ

Hello Qlik Users,

A security issue in QlikView has been identified and patches have been made available. Details can be found in the Security Bulletin High Severity Security fix for QlikView (CVE-2024-29863).

Today, 20th of March 2024, we have released two service releases across the latest versions of QlikView to patch the reported issue. All versions of QlikView prior to and including the releases below are impacted:

  • QlikView May 2023 SR1 (12.80.20100)
  • QlikView May 2022 SR2 (12.70.20200)

Call to Action

As no workarounds can be provided, Customers should upgrade QlikView to one of the following versions that contain the fix:

  • QlikView May 2023 SR2 (12.80.20200)
  • QlikView May 2022 SR3 (12.70.20300)

This issue only impacts QlikView. Other Qlik data analytics products including Qlik Cloud and Qlik Sense Enterprise on Windows are not impacted.

Additional Details

The Security Notice label is used to notify customers about security patches and upgrades that require a customer’s action. Please subscribe to the ‘Security Notice’ label to be notified of future updates. 

Frequently Asked Questions

Q: Is the vulnerability present in the QlikView Plugin or other QlikView products? 
A: The vulnerability is related to the MSI files on disk.

Q: Will deleting the MSI files mitigate the issue?
A: Qlik does not consider removing the MSI files a complete workaround. A server user can restore them.
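As an added defender-side example (not Qlik's code or part of this bulletin), the following PowerShell compares the QlikView builds registered on a server against the fixed releases named in the Call to Action, treating branches older than May 2022 as impacted, and lists recent Windows Installer events that mention QlikView so that unexpected repair activity can be reviewed. The uninstall-key lookup and the `QlikView*` display-name match are assumptions about how the product registers itself.

```powershell
# Added example, not Qlik's code. Fixed builds from the bulletin, keyed by release branch.
$FixedBuilds = @{
    '12.80' = [version]'12.80.20200'   # QlikView May 2023 SR2
    '12.70' = [version]'12.70.20300'   # QlikView May 2022 SR3
}

function Test-QlikViewBuildPatched {
    param([Parameter(Mandatory)][version]$Installed)
    $branch = '{0}.{1}' -f $Installed.Major, $Installed.Minor
    if (-not $FixedBuilds.ContainsKey($branch)) {
        # No fixed release is listed for branches older than May 2022: treat as impacted.
        return $false
    }
    return $Installed -ge $FixedBuilds[$branch]
}

function Get-QlikViewInstalls {
    # Assumption: MSI-based products register DisplayName/DisplayVersion under the Uninstall keys.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    Get-ItemProperty ($roots | ForEach-Object { Join-Path $_ '*' }) -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'QlikView*' -and ($_.DisplayVersion -as [version]) } |
        ForEach-Object {
            [pscustomobject]@{
                Product = $_.DisplayName
                Version = $_.DisplayVersion
                Patched = Test-QlikViewBuildPatched ([version]$_.DisplayVersion)
            }
        }
}

function Get-QlikViewInstallerEvents {
    # Windows Installer logs repairs and reconfigurations under the MsiInstaller provider;
    # QlikView activity outside a planned change window is worth a closer look.
    param([int]$Days = 30)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'QlikView' } |
        Select-Object TimeCreated, Id, UserId, Message
}

Get-QlikViewInstalls | Format-Table -AutoSize
Get-QlikViewInstallerEvents | Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell session on each QlikView host; any row with `Patched` equal to `False` still needs the upgrade from the Call to Action.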

44 Comments
sis
Partner - Specialist II

@Sonja_Bauernfeind 

Is this matter still under investigation?
I would be grateful if you could tell me the status of the investigation.

Thank you in advance.

Sonja_Bauernfeind
Digital Support

Hello all,

I have been away for a while, let me see how this progressed during my absence.

All the best,
Sonja 

sis
Partner - Specialist II

@Sonja_Bauernfeind 

What is the status of the investigation of the following questions?

Is the "access" described in "a user with existing access to the Windows environment running QlikView or the QlikView plugin" an OS-level access, e.g. on a remote desktop?
If the user only accesses at the browser level, is it safe to assume that there is no problem?

Sonja_Bauernfeind
Digital Support

Hello @sis 

Is the "access" described in "a user with existing access to the Windows environment running QlikView or the QlikView plugin" an OS-level access, e.g. on a remote desktop?
If the user only accesses at the browser level, is it safe to assume that there is no problem?

Answer: Local system user pertains to anyone that has access to the Windows environment. If the user has explicit external access to the web server (i.e. the QlikView webpage), then they would not be able to carry out this attack. HOWEVER, if the user has remote desktop access, then they would be able to carry out this behaviour. That would make them a local system user.

This site says "A race condition exists in the QlikView installer executable".
I would like to know if the presence of a race condition in the installer executable also means that the QlikView environment that is already installed is also vulnerable.

Answer: This is an installer issue primarily. The installer uses System level access to perform system level tasks for the QlikView installation process, and therefore there is a need for system level access. The issue here is that this was done improperly, leading to the race condition addressed by this fix.

In other words, even if it can be executed with administrator privileges, is it correct to understand that a non-administrator user cannot stop or destroy the system? However, in your response to others, you say that "These installers can potentially be launched by a local user without Administrative Privileges". Do we have to worry about local users starting, stopping, or modifying the system?

Answer: A local non-administrator Windows user is able to trigger this repair mechanism which is responsible for the vulnerability. If successfully carried out, the user would then have full control over the machine. That includes starting, stopping, or modifying the system.

@afujikawa 

My understanding is that QlikViewServerx64.msi is generated by the execution of QlikViewServer_x64Setup.exe.
Also my understanding is that in the environment where I run QlikViewServer_x64Setup.exe, QlikViewServerx64.msi is always generated.
Am I correct in my understanding?

Answer: Correct. Executing the EXE will generate the MSI file found in the temp installation folder.

@Saltenis 

Could you advise where it is leaving those .MSI files exactly (for desktop and server versions to be precise)?

Answer: The location of the files isn't the issue. It's the existence or availability of the files for a regular user on the server. So placing these installers in other locations will not fix this issue as we can not be sure that all instances of the MSI have been removed correctly. Upgrading to the latest will make sure all prior cached files are purged from the system.

All installations that have the ability to be repaired after installation are affected. Desktop and Server both allow for that functionality, but I am unclear if that is the case for the plugin.

The vulnerability is in the installer itself. If the repair functionality exists for the affected versions of the installers, then the problem still exists.

For any additional follow up questions, please reach out to Qlik Support directly for a direct engagement.

All the best,
Sonja 
