Unlock a world of possibilities! Login now and discover the exclusive benefits awaiting you.
May 12, 2021 2:48:59 AM
Nov 11, 2014 6:10:08 AM
Analyzing endpoints for Qlik Sense Enterprise on Windows, using for example https://www.ssllabs.com/ssltest/analyze.html may indicate:
- The site being vulnerable for POODLE attacks and Insecure renegotiation
- Certificates using SHA1 instead of SHA256 cipher
- Potential CVE-2019-1559 vulnerability
Environment:
Qlik Sense Enterprise on Windows
Protecting the platform
Please review Qlik Sense Enterprise on Windows securityfor information on how to protect the Qlik Sense platform.
The security in Qlik Sense Enterprise does not depend only on the Qlik software. It also relies on the security and hardening of the environment that Qlik Sense operates in. This means that the security of, for example, the operating system and the cryptographic ciphers available have to be set up and configured to provide the security needed for Qlik Sense.
See Qlik Sense: TLS Support on what protocols and ciphers are supported in which version.
Mitigate POODLE attack
To mitigate POODLE attacks, one step is to completely disable SSLv3.0 on the server.
See Microsoft Security Advisory 3009008 for more instructions on how to accomplish this and the impact of doing so.
See Qlik Sense: TLS Support on what protocols and ciphers are supported in which version.
Mitigate Zombie POODLE / GOLDENDOODLE attack
To mitigate POODLE attacks, one step is to completely disable all cipher suites with the string CBC. This needs to be carried out in the Windows OS.
Insecure renegotiation
Insecure renegotiation may be mitigated by disabling renegotiation. This can be done at the OS level by adding the following Windows registry key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"DisableRenegoOnServer"=dword:00000001
However, it is recommended to review all Schannel settings ( Secure Channel ) and that a Windows Administrator should configure it to meet their requirements.
See Qlik Sense: TLS Support on what protocols are supported in which version.
Note: Any changes at the OS level must be thoroughly tested as they may cause other software to no longer function as expected, or clients may be unable to communicate with the server. If any side effects are experienced, the changes should be reverted back to the original settings.
