We just updated Qliksense to Aug 2022 patch13 as per recommended fix and now there is another one. It takes time to plan downtime and upgrade in production cluster. Did we not test end to end before prior patch? Will it be now permanent fix? 

Hello,

At Differentia Consulting we service hundreds of customers from a Qlik Support perspective, and clearly Qlik thousands.  The issue is not so much Qlik, but the bad actors and risks that need to be addressed, coupled with individual organisation security compliance for things such as ISO, and in the UK Cyber Essentials Plus accreditation compliance.

What Qlik does state is that the risk is one that is made real when the Qlik server is exposed to the public domain and thus providing an attack surface, or vector, for bad actors to do their worse. What you can do to help mitigate the risk is to not expose your IP address of your Qlik servers. Using reverse proxy and zero trust solutions such as OpenZiti (which we use, and sell).  These do not make the problem go away-entirely, they simply reduce the risk.  OpenZiti Zero Trust totally obfuscates the IP address of the server and access to it unless you have end to end approval to do so, which OpenZiti grants (without performance degradation).  

Given that Qlik (and others) can only patch known risks, we are all exposed, all of the time, to unknown risks. An obvious statement, but one where you have to ask yourself do you actually need your Qlik server IP to be in the public domain? 

Patching should be done weekly across all systems, including Qlik, for compliance. Testing is always an issue, but I would rather risk a functionality issue (very rare) over a security issue (common). That said, being pragmatic we would not recommend upgrading to any Qlik .0 releases, instead wait for SP2+ before doing so, unless tested.

Your security posture ie striking the right balance and staying compliant is hard, and compliance can be costly. This is just one of the many benefits of porting to Qlik Cloud, no server maintenance. Just a thought.

Best always is to imagine how you would feel if Qlik was the source of a network cyber attack and work from there.  FYI Many of our clients have had enterprise wide attacks, always from hacked software vendor software updates.  Given that we aim to deploy Qlik with security air gaps , then Qlik has been the saviour to help those organisations return to the last known state. As well as effect client communication. Qlik can actually help with reputational damage-limitation during and the days (and months) after a cyber attack. Something that I have written about many times. Qlik Cloud? :

Hope my ramblings help with perspective.

@Lokeshb31 This addresses a different issue from the last patch. I assume Qlik didn't know about this additional issue at the time of working on the previous patches or was unable to develop a fix in time. Whilst it would be nice not to have to patch twice in a month, I don't think this is a failure in testing, just a sign that someone (Praetorian) is taking a close look at the security of Qlik Sense which is leading to improvements for all of us - it's actually good news! 

That's my take on it anyway!

Never Mind! In fact its good that Praetorian identified this additional issue however I just hope there will not be any more in line. My request to Qlik is to confirm thoroughly and provide additional guidelines to customers accordingly since any upgrade involves effort estimation, approvals, dependencies, backups, change management, testing, sing off etc.  

Hello @Lokeshb31 Alex has summarised the situation well. Can you let me know what exact guidelines you are looking for? 

All the best,
Sonja 

@Lokeshb31 Sing off? Your change management process sounds way more fun than mine!

I replied to another thread on this subject about the real threat/risk, the exposing of of Qlik servers with public facing IP addresses. Which basically exposes the front door (attack surface) to would-be hackers (do a search on your favourite search engine and you can find them).  IMO Clients need to use a reverse proxy service as a minimum (such as Cloudflare's), or better still adopt full IP obfuscation using a ZeroTrust solution like OpenZiti (which we use for all client engagements, and sell-as well as it being open source, as it protects all connected services). 

The US Government is mandating the use of zero trust solutions to all its IT service suppliers by March 2024.

Note: Many clients use legacy hardware based VPNs which have many associated issues relating to performance and if hardware based create yet another attack vector, and costly - so not ideal.

The above does not avoid the need to patch, simply reduces the risk. I also mentioned that IMO again it is better to patch then test, than test and patch, illogical I know, provided that Qlik software is at least at SP2 there should be no issue and if there is you have P1 support from Qlik.  Patches however should have no impact on functionality.

Look at it this way: I would rather explain broken functionality than have to explain why the business had an attack.

Many IT professionals need to work more pragmatically with their security teams, again IMO to get used to the new patching cadence that should be expected from all on-premise vendor software. And do please get those domains obfuscated with the right Zero Trust solution.

If it is not for you, then there is Qlik Cloud 🙂 

@Sonja_Bauernfeind : Guidelines about vulnerability testing if any or I would sync up with our security team and get it done. I just hope there will not be any additional round of patching or VRR after this one.

@SimonMinifie : We need to install any patch in non-prod first and take business sign off post testing. 

@parkeg : Thanks for details.

I can submit this to support, but Is anyone else seeing version number differences in the QMC and the Hub after applying May 2023 Patch 6 (14.129.12)?  The qmc shows patch 6 and the hub shows patch 5 for version.

Hello @jeremyseipel 

Let me test this for you. 

All the best,
Sonja