May 15, 2024 By Alex Walker

Latest Qlik Sense Security Patches - May 2024

Some of you may have seen Qlik's announcements here and here about the release of security patches for Qlik Sense on-prem. This does not affect Qlik Sense Cloud or Data Integration products. Updates like this are commonplace (e.g. Microsoft's May 2024 Patch Tuesday) and show an active focus on security.
 
 
How serious is this?
This will vary depending on your organisation and architecture. At the moment there are no reports of the issue being exploited "in the wild" - however, after previous similar bulletins we have seen exploits emerge quickly. 
 
The vulnerability is described as "a remote attacker with existing privileges is able to elevate them to the internal system role, which in turn allows them to execute commands on the server". It appears that because an attacker would need existing access, the severity is 8.8 High, unlike previous security patches that were rated 9.2 Critical. So not as serious but still worth paying attention to.
 
Factors that may increase your risk of being affected by this issue include:
  • Having public-facing Qlik Sense servers
  • Having internal users that might be motivated to be malicious
  • Having a requirement for high availability or security

How can we prevent it affecting us?
Patches have been issued for all supported versions of Qlik Sense on-prem which means back to May 2022. The (very recent) May 2024 initial release has the fix included. 
 
If you're on a version of Qlik Sense that has a patch available (May 2022 onwards) then we would recommend applying that as soon as possible. Patches are generally quick to apply - often taking just a couple of minutes.
 
If you're on an older version of Qlik Sense then we would recommend you plan an upgrade - not just for this security patch but also to get you on a supported version. Upgrades take longer than patches so you'll need to allow for a bigger outage. With the May 2024 release being very recent, we'd recommend the latest Feb 2024 patch if you're doing the upgrade in May - this mitigates the risk of any issues arising with the initial release. Beyond May, it would be worth considering the May 2024 release for all the new features.
 
In any case you should still make sure you have a rollback plan, including at least one backup.
 
 
How can Ometis help?
For those of you on our Premier Support offering, patches and upgrades are included so just get in touch and we can look to book it in.
 
If you're on our other support packages - or no support at all (e.g. if you buy your licences elsewhere) - then please get in touch and we can quote for performing the upgrade for you and/or provide some additional information.
 
Either way, a good place to start is emailing support@ometis.co.uk or your Ometis account manager. 
 
Follow me on LinkedIn to get announcements and information about all things Qlik and data. You can also subscribe to the "Security Notice" label in Qlik Community to see when Qlik post about security issues like this.
 

About Author

Alex Walker

Since joining Ometis as employee number three in 2012, Alex has worked with every one of our customers and every product, as well as implemented and improved our internal systems. He loves keeping up with the latest and greatest technology and gadgets, whether Qlik-related or in the broader IT industry. You'll see many of his ideas and comments shared on the Qlik Community.
