Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements
Qlik Connect 2024! Seize endless possibilities! LEARN MORE
Sonja_Bauernfeind
Digital Support
Digital Support
‎2023-09-20 10:25 AM

Qlik Sense Enterprise for Windows - New Security Patches Available Now

Edited 20th November 2023: CVE number updated.
Edited December 1st 2023: Added November 2023 IR release

Hello Qlik Users,

A security issue in Qlik Sense Enterprise for Windows has been identified, and patches have been made available. Details can be found in the Security Bulletin Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-48365).

Today, we have released eight service releases across the latest versions of Qlik Sense to patch the reported issues. All versions of Qlik Sense Enterprise for Windows prior to and including these releases are impacted:

  • August 2023 Patch 1
  • May 2023 Patch 5
  • February 2023 Patch 9
  • November 2022 Patch 11
  • August 2022 Patch 13
  • May 2022 Patch 15
  • February 2022 Patch 14
  • November 2021 Patch 16


No workarounds can be provided. Customers should upgrade Qlik Sense Enterprise for Windows to a version containing fixes for these issues. The listed fixes also address CV-2023-41266 and CVE-2023-41265 (link).

  • November 2023 IR
  • August 2023 Patch 2
  • May 2023 Patch 6
  • February 2023 Patch 10
  • November 2022 Patch 12
  • August 2022 Patch 14
  • May 2022 Patch 16
  • February 2022 Patch 15
  • November 2021 Patch 17
This issue only impacts Qlik Sense Enterprise for Windows. Other Qlik products including Qlik Cloud and QlikView are NOT impacted.

All Qlik software can be downloaded from our official Qlik Download page (customer login required). Follow best practices when upgrading Qlik Sense.

Qlik provides patches for major releases until the next Initial or Service Release is generally available. See Release Management Policy for Qlik Software. Notwithstanding, additional patches for earlier releases may be made available at Qlik’s discretion.

The information in this post and Security Bulletin Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-48365) is disclosed in accordance with our published Security and Vulnerability Policy.

 

Clarifications and Frequently Asked Questions:

What can be done to mitigate the issue?

No mitigation can be provided. An upgrade should be performed at the earliest. As per Qlik's best practices, the proxy should not be exposed to the public internet, which reduces the attack surface significantly.

What authentication methods are affected?

All authentication methods are affected.

Are environments with HTTP disabled impacted?

Environments will be affected regardless if HTTP or HTTPS are in use. These vulnerabilities affect the HTTP protocol overall, meaning even if HTTP is disabled, the environment remains vulnerable.

These attacks don’t rely on intercepting any communication, and therefore, are indifferent whether the HTTP communication is encrypted or not.

Kind regards, and thank you for choosing Qlik,

Qlik Global Support

15,965 Views
49 Comments
Sonja_Bauernfeind
Digital Support
Digital Support
‎2023-12-01 10:45 AM

Hello @PeterOG 

Correct. Patches are accumulative. 

All the best,
Sonja

2,211 Views
mikaelsc
Specialist
Specialist
‎2023-12-06 06:48 AM

Hello @Sonja_Bauernfeind , seems microsoft sent out an "alert" recently (again?) about this.  

mikaelsc_0-1701862888429.png

 

it may be a naive question, but apparently it is possible to "register" qlik versions/patches/security stuff (as Qlik) so that Defender can identify if an installation is at risk... 

is this something that Qlik would do? 

mikaelsc_1-1701862951236.png

Thanks

 

2,004 Views
Sonja_Bauernfeind
Digital Support
Digital Support
‎2023-12-06 07:37 AM

Hello @mikaelsc 

Thank you for getting in touch! I will take this right over to the appropriate team.

All the best,
Sonja

 

1,964 Views
Muni1
Contributor III
Contributor III
‎2023-12-09 09:23 AM

hi,

We have upgraded our Qlik Sense tool from November 2022 patch 8 to May 2023 patch 6 to avoid security vulnerabilities. but we see one of the functionality is breaking in mashup after upgrade to May 2023 patch6.

any suggestions please.

Thanks in advance.

 

 

1,836 Views
Sonja_Bauernfeind
Digital Support
Digital Support
‎2023-12-11 01:27 AM

Hello @Muni1 

Please post about the issue you experience (including symptoms and possible error messages) in our Qlik Sense Integration forum for much better access to your peers and our support agents. We also always invite you to start a chat with us (see the Chat Now button in the bottom right corner).

All the best,
Sonja 

1,714 Views
eyalnir_qlik
Partner - Creator
Partner - Creator
‎2023-12-13 02:23 AM

Hello @Sonja_Bauernfeind 

Our customer point us to critical security issue after "Digital agency"  published Security and Vulnerability score 8.8. 

Details : 
CVE- 2023-5869 – Integer Overflow vulnerability could allow a user to match with a DB direct via address
to memory which may cause code to run, in addition the user can read the memory  

Sources :

https://www.postgresql.org/about/news/postgresql-161-155-1410-1313-1217-and-1122-released-2749/

Are those Security Issues already included in Qlik latest patch releases ?

Thanks in advance.

@rotmangadi @boaz_shatz 

1,556 Views
Sonja_Bauernfeind
Digital Support
Digital Support
‎2023-12-13 10:17 AM

Hello @eyalnir_qlik, CVE-2023-5869 is a PostgreSQL vulnerability. To address PostgreSQL vulnerabilities, upgrade PostgreSQL. One reason why Qlik has made it easy for you to unbundle (detach) the PostgreSQL instance from Qlik Sense with QPI is that you can then seamlessly upgrade PostgreSQL (as long as your version of Qlik Sense supports the version of PostgreSQL).

All the best,
Sonja  

 

1,412 Views
C-Hopf
Partner - Contributor
Partner - Contributor
‎2023-12-15 05:41 AM

Hi @Sonja_Bauernfeind,

since we work with sensitive data, I have to ask:

Does it means ALL Qlik Sense Versions are infected at the moment?

The Nov23 Version install the 14.5 and has to be updated to 14.10.

Ok, 9.6 ist out of service, but 12.5, must be updated to 12.17 or 14.10.

So, everybody must update to the November Version right now, and have to update SQL manually?

Is that right?

br

Christian 

1,221 Views
Sonja_Bauernfeind
Digital Support
Digital Support
‎2023-12-15 07:51 AM

Hello @C-Hopf 

Allow me a while to get back to you on this. To clarify: You mean the PostgreSQL vulnerability (CVE-2023-5869), rather than the vulnerabilities this blog post is about (CVE-2023-48365), CV-2023-41266 and CVE-2023-41265), correct?

All the best,
Sonja

1,114 Views
C-Hopf
Partner - Contributor
Partner - Contributor
‎2023-12-15 07:58 AM

Hi,

yes it is all about CVE-2023-5869.

edit: Yes not the Nov23 Version, but everybody have to unbundle the SQL and update it manually?!?!

br

1,053 Views
Subscribe by Topic