Ced_Eural
Contributor

PostgreSQL vulnerability Nov 2024 CVE-2024-10979

Hi everybody,

I came across this security issue that affects the bundled PostgreSQL included in Qlik Sense May 2024 (version 14.8).

CVE-2024-10979

I'd like to know if a security patch will be released to fix the issue or if there is any suggestion to face the problem.

The only idea I have is to unbundle the database and upgrade it to the latest patch.

Thanks for the support

Regards

13 Replies
jeremyseipel
Partner - Contributor III

@Sonja_Bauernfeind can you check with R&D on this? The CVE is rated as high. From what I am seeing in the Qlik forum post below, unbundling Postgres is not supported, so we cannot resolve with Qlik releasing a patch.

https://community.qlik.com/t5/Qlik-NPrinting/External-NPrinting-Repository/td-p/1788527

Sonja_Bauernfeind
Digital Support

Hello @Ced_Eural and @jeremyseipel 

For Qlik Sense Enterprise on Windows, unbundle PostgreSQL. This will allow you to upgrade it independently of the Qlik Sense Enterprise on Windows release schedule. Though please review the System Requirements to ensure your currently used version supports the PostgreSQL version you plan to upgrade to.

As for Qlik NPrinting, @Ced_Eural, a case may be needed to investigate further, but I've also contacted my contacts internally.

All the best,
Sonja

Don't forget to Like posts and use the "Accept as Solution" button on content that answered your question! Thanks 🙂
Sonja_Bauernfeind
Digital Support

Hello @jeremyseipel 

Please open a support ticket regarding CVE-2024-10979 in combination with Qlik NPrinting (not Qlik Sense Enterprise on Windows). This will get the correct pieces moving.

All the best,
Sonja 

jeremyseipel
Partner - Contributor III

Thanks Sonja. A member of my team has a case open for this. Just wanted to make sure it got additional traction and others like us searching didn't find a thread with no answers.

I am curious as to why, unlike Qlik Sense, the DB cannot be unlinked. Since NP doesn't support high availability there hasn't been a real reason to do it, unless a client had a mandate of using RDS over local Postgres, which I haven't encountered.

Sonja_Bauernfeind
Digital Support

Hello @jeremyseipel 

Thanks for the heads-up! I located the case.

All the best,
Sonja 

David_Friend
Support

Hey @jeremyseipel, the R&D team responsible for NPrinting is also responsible for the Tabular Reporting in Qlik Cloud. Since they are focused on that, I don't anticipate new features or architectural changes to NPrinting 😞

Ced_Eural
Contributor
Author

Hi @Sonja_Bauernfeind 

On https://community.qlik.com/t5/Official-Support-Articles/Upgrading-and-unbundling-the-Qlik-Sense-Repo...

under Known limitations it says:

"Cannot migrate a 14.8 embedded database to a standalone"

I'm running Qlik Sense May 2024 (PostgreSQL version 14.8).

Can I use the Qlik Sense PostgreSQL installer to install a new instance, manually migrate the DB and then update PostgreSQL?

Is there any guide to follow?

Thanks for your help

Regards

jeremyseipel
Partner - Contributor III

@David_Friend totally understand and unfortunately I agree, I don't expect major changes to NPrinting either. As long as we get a fix for this ASAP, then I think we are good.

I saw that Qlik just released information about a major vulnerability for Qlik Sense that requires an upgrade, so it looks like it will be a busy few weeks for upgrades.

jeremyseipel
Partner - Contributor III

@Sonja_Bauernfeind or @David_Friend, any word on a patch update from Qlik to resolve this issue for NP?