QlikView - New Security Patches Available Now - Page 4 - Qlik Community

Sonja_Bauernfeind · ‎2024-03-20

Update 21st of March 16:00 CET: published CVE number
Update 27th of March 10:45 CET: added FAQ

Hello Qlik Users,

A security issue in QlikView has been identified and patches have been made available. Details can be found in the Security Bulletin High Severity Security fix for QlikView (CVE-2024-29863).

Today, 20th of March 2024, we have released two service releases across the latest versions of QlikView to patch the reported issue. All versions of QlikView prior to and including the releases below are impacted:

QlikView May 2023 SR1 (12.80.20100)
QlikView May 2022 SR2 (12.70.20200)

Call to Action

As no workarounds can be provided, Customers should upgrade QlikView to one of the following versions that contain the fix:

QlikView May 2023 SR2 (12.80.20200)
QlikView May 2022 SR3 (12.70.20300)

This issue only impacts QlikView. Other Qlik data analytics products including Qlik Cloud and Qlik Sense Enterprise on Windows are not impacted.

Additional Details

All Qlik software can be downloaded from our official Qlik Download page (customer login required). Follow best practices when upgrading QlikView.
Qlik provides patches for major releases until the next Initial or Service Release is generally available. See Release Management Policy for Qlik Software.
Notwithstanding, additional patches for earlier releases may be made available at Qlik’s discretion.
The information in this post and Security Bulletin High Severity Security fix for QlikView (CVE-2024-29863) is disclosed in accordance with our published Security and Vulnerability Policy.

The Security Notice label is used to notify customers about security patches and upgrades that require a customer’s action. Please subscribe to the ‘Security Notice’ label to be notified of future updates.

Frequently Asked Questions

Q: Is the vulnerability present in the QlikView Plugin or other QlikView products?
A: The vulnerability is related to the MSI files on disk.

Q: Will deleting the MSI files mitigate the issue?
A: Qlik does not consider removing the MSI files a complete workaround. A server user can restore them.

sis

@Sonja_Bauernfeind

Has there been any progress in investigating my question?
I would be grateful if you could tell me the status of the survey.

Thank you in advance.

Sonja_Bauernfeind

Hello @sis

I will update you as soon as I've received the pending information.

All the best,
Sonja

m_teraji

Hello @Sonja_Bauernfeind

The May 2023 SR2 MSI file (IE Plugin) is on the disk (local folder or file server).
Is it okay if the MSI file is located anywhere?

I am installing the IE plugin by extracting the MSI file from the QvPluginSetup.exe file.

Best regards,
mteraji

Sonja_Bauernfeind

Hello @m_teraji

As mentioned in the original bulletin, moving or removing the MSI files is not considered a suitable mitigation method.

All the best,
Sonja

m_teraji

Hello @Sonja_Bauernfeind

Thank you for your reply.

I installed the IE plugin by extracting the MSI file from the QvPluginSetup.exe file.(Silent Installation)
The version is May2023SR2.
I understand that this issue has been resolved as May2023SR2 release.
Does it matter which folder the MSI of fixed version May2023SR2 is located?

Best regards,
mteraji

Sonja_Bauernfeind

Hello @m_teraji

The location of the file does not need to be taken into account. As you are on a fixed version, you are not affected by the vulnerability.

My apologies for missing the version you mentioned in your first post!

All the best,
Sonja

manjunathngnvs

This is about Qlik Sense Enterprise for Windows Remote Code Execution (RCE) Vulnerability (Authenticated) - CVE-2023-48365, there is one asset detected with this vulnerability and per the below advisory there is no download page available in the download link, please advise

Customers should upgrade Qlik Sense Enterprise for Windows to a version containing fixes for these issues. Fixes are available for the following versions:

August 2023 Initial Release
May 2023 Patch 4
February 2023 Patch 8
November 2022 Patch 11
August 2022 Patch 13

All Qlik software can be downloaded from our official Qlik Download page (customer login required).

Sonja_Bauernfeind

Hello @manjunathngnvs

If you see problems accessing the download page, please contact our support agents through chat (the green Chat Now button in the bottom right corner of the screen). Provide them with information on what issue you are facing accessing the page (any error messages or a screenshot).

All the best,
Sonja

manjunathngnvs

Thank you for your advise, I got below answer from the chat bot and found the link to download

To download Qlik Sense Enterprise, you can visit the Qlik Download Site. Here are the steps to download the installation files:
Go to the Qlik Community website.
Navigate to Support > Product News > Product Downloads.
On the Product Downloads page, select "Qlik Data Analytics" or "Qlik Data Integration" based on your requirements.
Choose the desired product from the available options.
Use the filters to narrow down your list of possible downloads.
Click on the download link in the Download Assets table to start the download.
Please note that the specific version and release of Qlik Sense Enterprise may vary. Make sure to select the appropriate version that suits your needs.

Saltenis

@Sonja_Bauernfeind

It's been a month since you forwarded our questions to responsible team, do we have any ETA on this?