Pamela_Whitney
Former Employee

Qlik releases new QlikView Service Releases and new Qlik Sense Patches to address a security vulnerability.

Dear Qlik users,

Today we have released four new service releases across all currently supported major versions of QlikView* and six new patches across the latest versions of Qlik Sense. If you are using the following versions, this information is for you:

  • QlikView 11.20
  • QlikView 12.00*
  • QlikView 12.10
  • QlikView 12.20
  • QlikView 12.30
  • Qlik Sense Enterprise any 2017 version or prior
  • Qlik Sense Enterprise February 2018
  • Qlik Sense Enterprise April 2018
  • Qlik Sense Enterprise June 2018
  • Qlik Sense Enterprise September 2018
  • Qlik Sense Enterprise November 2018
  • Qlik Sense Enterprise February 2019 

These new service releases and patches include a fix for a security vulnerability, details of which can be found in Security Bulletin SB 000069985.

Known internally as QLIK-94388, each new service release and patch includes, at the minimum, the fix for this vulnerability. The patches for the following Qlik Sense releases also include other, non-security-related product defect fixes.

  • June 2018 Patch 3
  • September 2018 Patch 4
  • November 2018 Patch 4

For details, please see the attached release notes. For all other release notes, please refer to our download site.

Please note this patch is branched directly from the latest patch. For example, by applying Qlik Sense February 2019 Patch 2, you will also receive every fix released in Qlik Sense February Patch 1. For more details about the fixes applied in the previous patch(es), please have a look at the release notes.

The information in this post and Security Bulletin 000069985 are disclosed in accordance with our published Security and Vulnerability Policy.

Updated 5/1/2019: For further reference, we have created a list of frequently asked questions and answers, which can be found here: SB 000069985 FAQ.

* QlikView 12.00 is no longer officially supported. QlikView 11.20 is under Extended Support.

24 Comments
Ronnie_Taborn
Support

Or,

I installed February 2019 IR and created some test apps with the default image thumbnail. I installed the February Patch 1 and the default thumbnails changed from the Qlik circles to a blue background. I created some more apps, changed the thumbnail to something custom, and installed February Patch 1. The thumbnails didn't change for the custom apps. The thumbnail change is the default for February Patch 1 and Patch 2. The change isn't a bug but the default. We are updating the documentation. Please let me know if you have any questions.

0 Likes
6,332 Views
Bill_Britt
Former Employee

It does look like the change was with Patch 1

0 Likes
6,299 Views
Bill_Britt
Former Employee

If you want the old one back you can try this.

Go to C:\Program Files\Qlik\Sense\Client\hub\img\core\static and rename the Default_thumbnail_app.svg as a backup. Then take app.png and convert it to an SVG file (https://onlineconvertfree.com/), then rename the converted file and put it in the above location.

0 Likes
6,240 Views
ToniKautto
Employee

Default icons have changed as part of Qlik's re-branding. I would recommend that you do not alter the default icon directly in the file system, as it will be reset on your next update/upgrade. Instead look at applying the old icon as a custom log on each app, if it is important to keep the old icon.  

@Or it has not been the intention that users can share work area items as part of collaboration. Your observation is an effect of the hub navigation improvements included in Feb 2019 Patch 1 and later, which enforces a stricter work area control from the product. If this change causes major problems for you, please contact Qlik Support (https://support.qlik.com) for further help. 

The documented collaboration process in Qlik Sense is based on streams: https://help.qlik.com/en-US/sense/February2019/Subsystems/Hub/Content/Sense_Hub/Publishing/publishin...

6,172 Views
ToniKautto
Employee

@nvankorlaar industry best practice around security vulnerabilities is to not disclose the exact details, as this can be used against customers by malicious attackers. This vulnerability score is ranked as High, which means you are highly recommended to apply the patch on your environment to keep it secure.

The exposed vulnerability gives access to files that are available on the local server. I think that is clear enough detail to motivate applying a patch on your server, so that your files can not be exposed. 

0 Likes
6,156 Views
Or
MVP

@ToniKautto I have no major problems with the new methodology, it was just surprising to see the undocumented change. There were certain advantages to being able to see other people's Work area, particularly when trying to assist a developer with their code, but it's nothing that can't be worked around using screen sharing instead. Ideally, a global "Everyone's Work" stream would be available (assuming one had proper permissions), separate from the regular "Work" stream, but I guess that's not likely to happen. Having to publish files just so someone else can look at your code or designs is simply not very efficient, but it's how most of our developers work anyway.

Insofar as the icons, again, this was not documented anywhere that I found. I wish they'd let us know when they change things, particularly things immediately visible to users. On a personal level I quite dislike the new image used for apps, as I feel it clashes with the rest of the default Qlik Sense design - everything is white and clean and all of a sudden there's this group of large blue blocks. Again, this is nothing that we can't work around - we just went into each app and manually set the image to the original Qlik circles - but being aware of this in advance would have been nice.

0 Likes
6,033 Views
Bastien_Laugiero

Hello @Or

Thank you for your feedback. 

Regarding the fact that you cannot see the application from other's workstream is a behavior change that happened in Qlik Sense February Patch 1 and Qlik Sense November 2018 Patch 3 after improving performance in the hub as described here: https://community.qlik.com/t5/Qlik-Support-Updates-Blog/Qlik-Sense-February-2019-Patch-1-now-availab...

Since the Qlik Sense Patches are cumulative, by applying Patch 2 you also received the fixes implemented in Patch 1.

There is a setting to revert back to the old behavior described here https://support.qlik.com/articles/000068297

Regarding the application thumbnail, it's also a change implemented in Qlik Sense February 2019 Patch 1. It does not seem that it has been documented indeed. This has been brought up internally and should be resolved shortly.

Thank you and hope this helps.

0 Likes
5,998 Views
Or
MVP

@Bastien_Laugiero Thanks for that link on the new Work behavior - quite helpful. I went over the patch notes before I installed the upgrade and I went over them again just now. I don't see any mention of this new behavior anywhere in the document (unless it's buried in the "Bugs fixed" section). Either it's there and I'm just missing it, or this one also escaped the documentation team.

0 Likes
5,963 Views
ronnystillman
Partner - Contributor

Hi. Will this security bug be fixed in Qlik Sense April 2019 release?

0 Likes
5,396 Views
Pamela_Whitney
Former Employee

Hi @ronnystillman ,

Yes, this issue has been addressed in our Qlik Sense April 2019 release.

0 Likes
5,324 Views