Qlik is aware that a set of well-publicized vulnerabilities has been identified in the popular Java Spring Framework. These vulnerabilities have been assigned the references CVE-2022-22965 (also known as "Spring4Shell"), CVE-2022-22947, CVE-2022-22950 and CVE-2022-22963.
Qlik has been diligently reviewing our product suite since becoming aware of these issues. We want to assure Qlik users that your security is our utmost priority. As always, we recommend that customers stay up to date on the most recent releases available for their products.
Products Not Impacted
The following products are NOT affected:
Client-Managed Qlik Sense Enterprise and QlikView (all versions)
GeoAnalytics (all versions)
Qlik Compose (all versions)
Qlik Compose for Data Lakes (all versions)
Qlik Compose for Data Warehouses (all versions)
Qlik Enterprise Manager (all versions)
Qlik Replicate (all versions) **
** Qlik Replicate contains libraries that contain the affected code, but they are not used in a way that is exploitable. These libraries will be removed in an upcoming patch.
Our testing shows that only client-managed versions of Qlik Catalog are directly impacted (by CVE-2022-22965 and CVE-2022-22950). A patch will be available as Feb 2022 SR2 and in the May 2022 release. Mitigation steps for earlier releases are linked in this knowledge base article.
Update 4/04/2022 8:15 p.m. EST
Qlik Catalog Feb 2022 SR2 is now available on the Downloads Site. Please be sure to be logged into Qlik Community with your Qlik ID to access it.
Please subscribe to our Support Updates blog for continued updates as they become available.