### #QlikSenseSecurity #DataIntegrityThreats #RemoteCodeExecution
Summary: Qlik has disclosed two critical vulnerabilities in Qlik Sense Enterprise for Windows that could allow unprivileged users to execute arbitrary commands and compromise server integrity. Immediate patching is recommended to mitigate the risks associated with these vulnerabilities.
Threat Actor: Unprivileged Users
Victim: Qlik
Key Points:
- Two vulnerabilities identified as CVE-2024-55579 (CVSS 8.8) and CVE-2024-55580 (CVSS 7.5) pose significant risks to Qlik Sense Enterprise for Windows.
- CVE-2024-55579 allows execution of arbitrary EXE files, while CVE-2024-55580 enables remote command execution, threatening data integrity and availability.
- Qlik advises immediate upgrades to patched versions, with specific patches available for various release dates.
- A workaround is provided for potential issues with extensions and visualizations post-upgrade, involving configuration file modifications.
Qlik, a leading provider of business intelligence and data analytics platforms, has disclosed two vulnerabilities affecting Qlik Sense Enterprise for Windows. These vulnerabilities, identified as CVE-2024-55579 and CVE-2024-55580, could allow unprivileged users with network access to compromise the server, potentially leading to remote code execution (RCE) and broken access control (BAC).
Vulnerability Details:
- CVE-2024-55579 (CVSS 8.8): This vulnerability enables attackers to execute arbitrary EXE files on the Qlik Sense server. As stated in the advisory, “Unprivileged users with network access may be able to create connection objects that trigger the execution of arbitrary EXE files on Qlik Sense Enterprise for Windows.” This high-severity vulnerability could grant attackers extensive control over the server and its data.
- CVE-2024-55580 (CVSS 7.5): This vulnerability allows attackers to execute remote commands, potentially disrupting high availability and compromising data integrity and confidentiality. The advisory warns that “Unprivileged users with network access to Qlik Sense for Windows installation may be able to execute remote commands that could cause high availability damages, including high integrity and confidentiality risks.”
Immediate Action Required:
Qlik urges all customers to upgrade their Qlik Sense Enterprise for Windows installations to a patched version immediately. Patches are available for a range of versions, including May 2024 Patch 10, February 2024 Patch 14, and November 2023 Patch 16. The November 2024 Initial Release is not affected by these vulnerabilities.
Mitigating Extension and Visualization Issues:
In addition to the patches, Qlik has provided a workaround to address potential issues with extensions and invalid visualizations that may arise after upgrading. This workaround involves modifying the Repository.exe.config file and restarting several Qlik Sense services. Detailed instructions are available in the official security advisory.