Urgent Security Flaws in Qlik Sense for Windows – Patches Released to Prevent Exploitation
Qlik has identified severe security vulnerabilities in Qlik Sense Enterprise for Windows, which could allow remote code execution (RCE) and unauthorized access to system resources. These flaws, discovered through internal security testing, could potentially compromise the integrity and confidentiality of your system. Users are urged to upgrade to the latest patched versions to protect their systems from exploitation. A workaround is also available for extension and visualization issues. Read more about the details of the vulnerability and how to secure your system.
Urgent Security Vulnerabilities Found in Qlik Sense for Windows – Immediate Updates Required
Qlik has recently discovered critical security flaws in its Qlik Sense Enterprise for Windows software, which could allow attackers to execute arbitrary code remotely, posing a significant risk to users. These vulnerabilities, uncovered during Qlik’s internal security testing, threaten the integrity of the systems running this software, potentially leading to a complete system compromise.
Although no reports of these vulnerabilities being exploited in the wild have been received, Qlik strongly advises all users to apply the latest security patches to avoid potential attacks. The flaws could allow unauthorized access to servers and, in the worst case, permit attackers to control the system remotely.
Key Vulnerabilities Identified:
- Remote Code Execution (RCE) via Connectors
  - Severity: High (CVSS 8.8)
  - Details: Users with network access and no elevated privileges could create connection objects that trigger the execution of unauthorized executable files. This would allow attackers to run arbitrary commands on affected systems, severely compromising their security.
- Broken Access Control (BAC)
  - Severity: High (CVSS 7.5)
  - Details: Unprivileged users who can reach the Qlik Sense installation over the network may be able to execute remote commands. This could lead to a significant loss of system availability, as well as breaches of data confidentiality and integrity.
Affected Software Versions
All versions of Qlik Sense Enterprise for Windows prior to the following patches are vulnerable:
- May 2024 Patch 9
- February 2024 Patch 13
- November 2023 Patch 15
- August 2023 Patch 15
- May 2023 Patch 17
- February 2023 Patch 14
Immediate Action Required
Qlik has released patches addressing these vulnerabilities. Users should immediately upgrade to one of the following secure versions:
- November 2024 Initial Release
- May 2024 Patch 10
- February 2024 Patch 14
- November 2023 Patch 16
- August 2023 Patch 16
- May 2023 Patch 18
- February 2023 Patch 15
To apply the updates, visit Qlik’s official Download page (customer login required). Ensuring that your system is up-to-date with these patches is essential to avoid potential exploitation.
Mitigating Extension and Visualization Issues
In addition to the security updates, Qlik has provided a workaround for those encountering errors related to extensions and visualizations. If you're facing issues with visualizations, apply the following steps:
1. Stop the Qlik Sense Repository service.
2. Modify the Repository configuration file (located at C:\Program Files\Qlik\Sense\Repository\Repository.exe.config) to add the following key to the relevant section of the file:
   <add key="VisualizationExtensionsExtractFilter" value="md|css|js|json|pdf|png|qext|txt|html|htm|gif|jpg|jpeg|wbl|otf|ttf|woff|woff2|eot|svg|bmp|mp3|jp2"/>
3. Save the file and restart the following services:
   - Qlik Sense Repository Service
   - Qlik Sense Printing Service
   - Qlik Sense Scheduler Service
   - Qlik Sense Engine Service
   - Qlik Sense Proxy Service
This workaround can be applied either before or after the security update and has been confirmed to resolve extension-related issues on all patches released on December 4, 2024. The November 2024 release is unaffected by these specific issues.
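The workaround above is a manual three-step procedure. The PowerShell script below is an added example, not Qlik's own tooling, that applies the same steps in one idempotent pass: it stops the Repository service, backs up Repository.exe.config, adds or corrects the VisualizationExtensionsExtractFilter key, restarts the five services in the order the advisory lists, and verifies the key is still present afterwards. It assumes the default install path quoted in the advisory, that the services are found by the display names the advisory gives, and (an assumption, since the section name is not stated on the page) that the key belongs in the standard .NET appSettings section of the config file. Run it in an elevated PowerShell session on the Qlik Sense server.

```powershell
#Requires -RunAsAdministrator
# Added example (not Qlik's own code): applies the extension/visualization
# workaround idempotently. Assumptions: default install path from the advisory,
# services located by the display names the advisory lists, and the key living
# in the standard .NET <appSettings> section (section name not given on the page).

$ConfigPath = 'C:\Program Files\Qlik\Sense\Repository\Repository.exe.config'
$KeyName    = 'VisualizationExtensionsExtractFilter'
$KeyValue   = 'md|css|js|json|pdf|png|qext|txt|html|htm|gif|jpg|jpeg|wbl|otf|ttf|woff|woff2|eot|svg|bmp|mp3|jp2'

# Display names exactly as the advisory lists them, in the advisory's restart order.
$ServiceDisplayNames = @(
    'Qlik Sense Repository Service',
    'Qlik Sense Printing Service',
    'Qlik Sense Scheduler Service',
    'Qlik Sense Engine Service',
    'Qlik Sense Proxy Service'
)

function Get-QlikService {
    param([string]$DisplayName)
    $svc = Get-Service -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if (-not $svc) { throw "Service '$DisplayName' not found on this host." }
    return $svc
}

# Adds the key, or corrects its value, and returns 'unchanged', 'updated' or 'added'.
function Set-ExtractFilterKey {
    param([string]$Path, [string]$Key, [string]$Value)

    if (-not (Test-Path -LiteralPath $Path)) { throw "Config not found: $Path" }

    # Timestamped backup so the edit can be reverted if anything goes wrong.
    $backup = "$Path.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
    Copy-Item -LiteralPath $Path -Destination $backup
    Write-Host "Backup written to $backup"

    [xml]$xml = Get-Content -LiteralPath $Path -Raw
    $appSettings = $xml.SelectSingleNode('/configuration/appSettings')
    if (-not $appSettings) {
        # Assumption: create the section if the file does not have one yet.
        $appSettings = $xml.configuration.AppendChild($xml.CreateElement('appSettings'))
    }

    $existing = $appSettings.SelectSingleNode("add[@key='$Key']")
    if ($existing) {
        if ($existing.GetAttribute('value') -eq $Value) { return 'unchanged' }
        $existing.SetAttribute('value', $Value)
        $xml.Save($Path)
        return 'updated'
    }

    $add = $xml.CreateElement('add')
    $add.SetAttribute('key', $Key)
    $add.SetAttribute('value', $Value)
    [void]$appSettings.AppendChild($add)
    $xml.Save($Path)
    return 'added'
}

# Step 1: stop the Repository service before touching its config file.
Get-QlikService 'Qlik Sense Repository Service' | Stop-Service -Force
Write-Host 'Repository service stopped.'

# Step 2: add (or correct) the key.
$result = Set-ExtractFilterKey -Path $ConfigPath -Key $KeyName -Value $KeyValue
Write-Host "Key '$KeyName': $result"

# Step 3: restart the services in the advisory's order; -Force also cycles dependents.
foreach ($name in $ServiceDisplayNames) {
    $svc = Get-QlikService $name
    Restart-Service -InputObject $svc -Force
    Write-Host "Restarted $name ($($svc.Name))."
}

# Verification: re-read the file and confirm the key survived the restart cycle.
[xml]$check = Get-Content -LiteralPath $ConfigPath -Raw
$node = $check.SelectSingleNode("/configuration/appSettings/add[@key='$KeyName']")
if (-not $node -or $node.GetAttribute('value') -ne $KeyValue) {
    throw "Verification failed: $KeyName is not present with the expected value."
}
Write-Host 'Workaround applied and verified.'
```

Because the key is looked up before it is written, the script can be re-run safely after a patch upgrade (the advisory notes the workaround may be applied before or after the update); a second run reports 'unchanged' and simply cycles the services. The backup file it leaves beside Repository.exe.config is the quickest way to revert if an extension still misbehaves.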
Conclusion
The identified vulnerabilities in Qlik Sense Enterprise for Windows present significant security risks that could allow attackers to execute remote commands and compromise sensitive data. To prevent potential exploitation, users must promptly update their systems to the latest secure versions. For any assistance during the update process, Qlik Support is available to help.