Pajik3909
Contributor II

SSL/TLS: Renegotiation DoS Vulnerability

Hello everybody,

I received information about a renegotiation DoS vulnerability from our IT department. See the message below:

Hostname: qlikxxxxxx,
Host Ip: 
Taskname:

Severity: Low,
Description: SSL/TLS: Renegotiation DoS Vulnerability (CVE-2011-1473, CVE-2011-5094)
Summary: The remote SSL/TLS service is prone to a denial of service (DoS) vulnerability.
Insight: The flaw exists because the remote SSL/TLS service does not properly restrict client-initiated renegotiation within the SSL and TLS protocols. Note: The referenced CVEs are affecting OpenSSL and Mozilla Network Security Services (NSS) but both are in a DISPUTED state with the following rationale: > It can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment. Both CVEs are still kept in this VT as a reference to the origin of this flaw.
Solution: Users should contact their vendors for specific patch information. A general solution is to remove/disable renegotiation capabilities altogether from/in the affected SSL/TLS service.
Nvt: 1.3.6.1.4.1.25623.1.0.117761
CVE: CVE-2011-1473, CVE-2011-5094
Affected: Every SSL/TLS service which does not properly restrict client-initiated renegotiation.
Detection: Checks if the remote service allows to re-do the same SSL/TLS handshake (Renegotiation) over an existing / already established SSL/TLS connection.
Descriptions: The following indicates that the remote SSL/TLS service is affected:

Protocol Version | Successful re-done SSL/TLS handshakes (Renegotiation) over an existing / already established SSL/TLS connection
-----------------+---------------------------------------------------------------------------------------------------------------
TLSv1.2          | 10

Solution Type: VendorFix,
Reference: CVE-2011-1473; CVE-2011-5094; https://mailarchive.ietf.org/arch/msg/tls/wdg46VE_jkYBbgJ5yE4P9nQ-8IU/; https://orchilles.com/ssl-renegotiation-dos/; https://vincent.bernat.ch/en/blog/2011-ssl-dos-mitigation; https://www.openwall.com/lists/oss-security/2011/07/08/2

Does any solution exist for solving this problem?

Thank you,

Pavel

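Added example, not code from the thread or from Qlik: a small shell check that reproduces the scanner's "Detection" step (request one more handshake over an already established TLS 1.2 session with openssl s_client) so the finding can be confirmed before and after an upgrade. The function names, the hostname and the sample s_client outputs are assumptions or constructed for the example.

```shell
#!/bin/sh
# Added example, not Qlik's code: confirm or refute the scanner's finding by
# asking a server for one renegotiation over an established TLS 1.2 session,
# which is what the VT's "Detection" line describes.
# Function names, hostname and the sample outputs below are assumed/constructed.

# Classify captured "openssl s_client -msg" output after s_client's interactive
# "R" command requested a renegotiation. Echoes one of:
#   accepted - a second ServerHello arrived, so the server re-did the handshake
#   refused  - the server answered with a no_renegotiation/handshake_failure alert
#   unknown  - nothing conclusive captured (timeout, connection error, ...)
classify_renegotiation() {
    out="$1"
    # -w keeps "ServerHelloDone" lines from being counted as a ServerHello
    hellos=$(printf '%s\n' "$out" | grep -cw 'ServerHello' || true)
    if [ "$hellos" -ge 2 ]; then
        echo accepted
    elif printf '%s\n' "$out" | grep -qiE 'no_renegotiation|no renegotiation|handshake[ _]failure'; then
        echo refused
    else
        echo unknown
    fi
}

# Live check. TLS 1.2 is forced because TLS 1.3 has no renegotiation at all and
# the scanner's table reports the TLSv1.2 result. Needs openssl and network access.
check_renegotiation() {
    host="$1"; port="${2:-443}"
    out=$( { printf 'R\n'; sleep 3; } | openssl s_client -connect "$host:$port" \
             -servername "$host" -tls1_2 -msg 2>&1 || true )
    classify_renegotiation "$out"
}

# Constructed, abridged sample outputs: one server refusing, one accepting.
SAMPLE_REFUSED='<<< TLS 1.2, Handshake [length 0051], ServerHello
<<< TLS 1.2, Handshake [length 0004], ServerHelloDone
RENEGOTIATING
<<< TLS 1.2, Alert [length 0002], warning no_renegotiation'
SAMPLE_ACCEPTED='<<< TLS 1.2, Handshake [length 0051], ServerHello
<<< TLS 1.2, Handshake [length 0004], ServerHelloDone
RENEGOTIATING
>>> TLS 1.2, Handshake [length 00c0], ClientHello
<<< TLS 1.2, Handshake [length 0051], ServerHello
<<< TLS 1.2, Handshake [length 0004], ServerHelloDone'

# Usage: sh renego-check.sh <hostname> [port]   (e.g. the assumed qlik.example.internal)
if [ -n "${1:-}" ]; then
    check_renegotiation "$1" "${2:-443}"
fi
```

A result of "accepted" on the patched or upgraded instance means the server still honours client-initiated renegotiation and the scanner will keep flagging it.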
Chip_Matejowsky
Support

Hello @Pajik3909,

What version of QlikView are you running that is being flagged on a vulnerability report from 12 years ago? If you run the currently supported versions of QlikView, May 2023 (12.80) or May 2022 (12.70), is this vulnerability flagged?

Best Regards

Principal Technical Support Engineer with Qlik Support
Help users find answers! Don't forget to mark a solution that worked for you!
Pajik3909
Contributor II
Author

Hi,

We use these:

"Qlik Sense May 2021", version 14.20.5

"Qlik Sense Object Bundles", version 14.20.5

Best regards

Pavel

Chip_Matejowsky
Support

Hi @Pajik3909,

Your first response refers to Qlik Sense versions, but your second response references QlikView. Is this issue for QlikView or for Qlik Sense? Both?

Best Regards

Pajik3909
Contributor II
Author

Hi,

We have Qlik Sense Enterprise. The first response refers to this.

Best regards,

Pavel

Chip_Matejowsky
Support

Thanks for confirming. You opened this thread in the QlikView > App Development forum so I will move it to the Qlik Sense > Deployment & Management forum so that it reaches its intended audience.

Regarding the version you reported, May 2021: please note that this version reached end of life for support assistance on May 10, 2023. Refer to the Qlik Support article "Qlik Sense Enterprise on Windows Product Lifecycle" for more details. I suggest that you upgrade the Qlik Sense Enterprise instance to a supported version, such as August 2023, and see if this vulnerability is flagged.

Best Regards

Pajik3909
Contributor II
Author

Hello,

I will update Qlik Sense Enterprise on Windows to the August 2023 version.

And we will see.

Thank you,

Pavel