Security vulnerabilities in Qlik software are rare, which makes it a very secure product. It also means that hardly anyone keeps an eye on Qlik security.
However, Qlik has just announced two serious security vulnerabilities and has immediately closed them with corresponding patch releases. These updates must be installed promptly: Qlik Sense Enterprise for Windows does not update itself, so the patches have to be installed manually.
In this article we explain the vulnerabilities and what you need to do to fix them.
Which versions are affected?
Only Qlik Sense Enterprise for Windows is affected, i.e. the self-hosted version of Qlik Sense installed on your own servers (the Qlik Cloud SaaS offering is not affected).
Please check which version your Qlik Sense Enterprise for Windows server is running (the release and patch level are shown in the Qlik Management Console under About). All versions of Qlik Sense Enterprise for Windows up to and including the following are affected:
- May 2023 Patch 3
- February 2023 Patch 7
- November 2022 Patch 10
- August 2022 Patch 12
If you are using one of these versions, or an older version, you should definitely update.
The message from Qlik
This is a copy of the official Qlik message:
„Two security issues in Qlik Sense Enterprise for Windows have been identified and patches made available. If the two vulnerabilities are combined and successfully exploited, these issues could lead to a compromise of the server running the Qlik Sense software, including unauthenticated remote code execution (RCE).
These issues were identified and responsibly reported to Qlik by Adam Crosser and Thomas Hendrickson of Praetorian. No reports of them being exploited have been received.
Affected Software
All versions of Qlik Sense Enterprise for Windows prior to and including these are impacted:
- May 2023 Patch 3
- February 2023 Patch 7
- November 2022 Patch 10
- August 2022 Patch 12
Severity Rating
Using the CVSS V3.1 scoring system (https://nvd.nist.gov/vuln-metrics/cvss), Qlik rates one as high severity and one as critical.
Vulnerability Details
CVE-2023-41266 (QB-21220) Path traversal in Qlik Sense Enterprise for Windows
Severity: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N (8.2 High)
Due to improper validation of user supplied input, it is possible for an unauthenticated remote attacker to generate an anonymous session which allows them to perform HTTP requests to unauthorized endpoints.
CVE-2023-41265 (QB-21222) HTTP Tunneling vulnerability in Qlik Sense Enterprise for Windows
Severity: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N (9.6 Critical)
Due to improper validation of HTTP Headers a remote attacker is able to elevate their privilege by tunnelling HTTP requests, allowing them to execute HTTP requests on the backend server hosting the repository application.
Recommendation
Customers should upgrade Qlik Sense Enterprise for Windows to a version containing fixes for these issues. Fixes are available for the following versions:
- August 2023 Initial Release
- May 2023 Patch 4
- February 2023 Patch 8
- November 2022 Patch 11
- August 2022 Patch 13
All Qlik software can be downloaded from our official Qlik Download Site (customer login required).“
What do you have to do now?
If your Qlik Sense Enterprise for Windows installation is affected, update the server as soon as possible: the advisory and the CVE identifiers are public, so attackers can be expected to scan for unpatched servers.
If one of the following versions of Qlik Sense Enterprise for Windows (or a later release) is installed, you are already protected:
- August 2023 Initial Release
- May 2023 Patch 4
- February 2023 Patch 8
- November 2022 Patch 11
- August 2022 Patch 13
If an older patch level or an older release line is in use, update promptly!
Example: May 2023 Patch 4 (SR4) contains the fix. If your Qlik Sense server is running May 2023 Patch 3 (SR3), you must update to May 2023 Patch 4 or to August 2023 IR (Initial Release).
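As an added example (not part of the original article and not Qlik's own tooling), the following Python script applies the version lists above to an inventory of servers: it parses Qlik's release naming (`May 2023 Patch 3`, `August 2023 Initial Release`, and the `SR`/`IR` shorthand used in this article), decides whether each version is affected, and names the smallest update that fixes it. The host names and versions in the sample inventory are constructed for illustration; the one assumption not stated in the advisory, that release lines newer than August 2023 ship with the fix, is marked in the code.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Fixed patch level for each affected release line, taken from the Qlik advisory
# quoted above. A release line is keyed by (year, month); patch 0 is the
# Initial Release (IR).
FIXED_PATCH = {
    (2022, 8): 13,   # August 2022 Patch 13
    (2022, 11): 11,  # November 2022 Patch 11
    (2023, 2): 8,    # February 2023 Patch 8
    (2023, 5): 4,    # May 2023 Patch 4
    (2023, 8): 0,    # August 2023 Initial Release
}

MONTHS = {
    "january": 1, "february": 2, "march": 3, "april": 4, "may": 5, "june": 6,
    "july": 7, "august": 8, "september": 9, "october": 10, "november": 11,
    "december": 12,
}
MONTH_NAMES = {number: name.capitalize() for name, number in MONTHS.items()}

# Accepts "May 2023 Patch 3", "May 2023 SR3", "August 2023 Initial Release"
# and "August 2023 IR"; a bare "May 2023" is treated as the Initial Release.
_VERSION_RE = re.compile(
    r"^\s*(?P<month>[A-Za-z]+)\s+(?P<year>\d{4})"
    r"(?:\s*(?:Patch|SR)\s*(?P<patch>\d+)|\s+Initial\s+Release|\s+IR)?\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True, order=True)
class QlikVersion:
    year: int
    month: int
    patch: int  # 0 means Initial Release

    @property
    def line(self) -> tuple:
        return (self.year, self.month)

    def __str__(self) -> str:
        suffix = "Initial Release" if self.patch == 0 else f"Patch {self.patch}"
        return f"{MONTH_NAMES[self.month]} {self.year} {suffix}"


def parse_version(text: str) -> QlikVersion:
    """Parse a Qlik Sense Enterprise for Windows release name."""
    m = _VERSION_RE.match(text)
    if not m or m.group("month").lower() not in MONTHS:
        raise ValueError(f"unrecognised Qlik Sense version: {text!r}")
    patch = int(m.group("patch")) if m.group("patch") else 0
    return QlikVersion(int(m.group("year")), MONTHS[m.group("month").lower()], patch)


def is_affected(version: QlikVersion) -> bool:
    """True if the version is vulnerable to CVE-2023-41265 / CVE-2023-41266."""
    if version.line in FIXED_PATCH:
        return version.patch < FIXED_PATCH[version.line]
    # The advisory covers "all versions prior to" the listed ones, so any older
    # release line is affected whatever its patch level. Assumption (not stated
    # in the advisory): release lines newer than August 2023 include the fix.
    return version.line < max(FIXED_PATCH)


def recommended_upgrade(version: QlikVersion) -> Optional[QlikVersion]:
    """Smallest fixed release for an affected version; None if no update is needed."""
    if not is_affected(version):
        return None
    if version.line in FIXED_PATCH:
        return QlikVersion(version.year, version.month, FIXED_PATCH[version.line])
    # Older release lines have no patched build; move to the newest fixed line.
    year, month = max(FIXED_PATCH)
    return QlikVersion(year, month, FIXED_PATCH[(year, month)])


def assess_inventory(inventory: dict) -> dict:
    """Map host name -> status text for a {host: version string} inventory."""
    report = {}
    for host, text in inventory.items():
        try:
            version = parse_version(text)
        except ValueError as err:
            report[host] = f"UNKNOWN ({err})"
            continue
        target = recommended_upgrade(version)
        if target is None:
            report[host] = f"OK ({version})"
        else:
            report[host] = f"AFFECTED ({version}) -> update to {target}"
    return report


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are made up.
    sample = {
        "qs-prod-01": "May 2023 Patch 3",
        "qs-prod-02": "May 2023 SR4",
        "qs-test-01": "February 2022 Patch 9",
        "qs-dev-01": "August 2023 IR",
        "qs-old-01": "Sense 3.2",
    }
    for host, status in assess_inventory(sample).items():
        print(f"{host}: {status}")
```

Servers on a release line older than August 2022 have no patched build of their own and are reported with August 2023 Initial Release as the target; anything the parser does not recognise is flagged as UNKNOWN rather than silently treated as safe.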
We can help you!
We love Qlik and are happy to help you review your Qlik Sense environment and do the update.
Just drop us a line and we'll get back to you as soon as possible:
You are also welcome to call us: +49 40 60946300
Or: you can schedule a free online meeting.