
Qlik Sense protection against POODLE/GOLDENDOODLE attack and Insecure renegotiation

Author: Bjorn_Wedbratt (Former Employee)

Created date: Nov 11, 2014 6:10:08 AM
Last Update: May 12, 2021 2:48:59 AM
Updated By: Sonja_Bauernfeind

Analyzing the endpoints of Qlik Sense Enterprise on Windows with an external scanner, for example https://www.ssllabs.com/ssltest/analyze.html, may report:

  • The site being vulnerable to POODLE attacks and to insecure renegotiation
  • Certificates signed with SHA1 instead of SHA256
  • A potential CVE-2019-1559 vulnerability

[Screenshot: Scan Results]

Environment:

Qlik Sense Enterprise on Windows

Protecting the platform

Please review Qlik Sense Enterprise on Windows security for information on how to protect the Qlik Sense platform.

The security of Qlik Sense Enterprise does not depend only on the Qlik software. It also relies on the security and hardening of the environment that Qlik Sense operates in. This means that, for example, the operating system and the cryptographic ciphers it makes available have to be set up and configured to provide the level of security Qlik Sense needs.

See Qlik Sense: TLS Support on what protocols and ciphers are supported in which version.

Mitigate POODLE attack

To mitigate POODLE attacks, one step is to completely disable SSL 3.0 on the server.
See Microsoft Security Advisory 3009008 for instructions on how to accomplish this and the impact of doing so.
See Qlik Sense: TLS Support on what protocols and ciphers are supported in which version.

Mitigate Zombie POODLE / GOLDENDOODLE attack

To mitigate Zombie POODLE and GOLDENDOODLE attacks, one step is to completely disable all cipher suites whose name contains the string CBC. This needs to be carried out in the Windows OS (Schannel), not in Qlik Sense itself.

Insecure renegotiation

Insecure renegotiation may be mitigated by disabling renegotiation. This can be done at the OS level by adding the following Windows registry key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"DisableRenegoOnServer"=dword:00000001

However, it is recommended to review all Schannel (Secure Channel) settings, and a Windows Administrator should configure them to meet the organization's requirements.
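The three OS-level steps above (disabling SSL 3.0, removing CBC cipher suites, and setting DisableRenegoOnServer) can be audited and applied from one PowerShell script. The script below is an added example written for this article; it is not part of the original Qlik article and not Qlik tooling. It runs in audit-only mode unless -Apply is given, honours -WhatIf, and uses Microsoft's documented Schannel registry locations plus the built-in Get-TlsCipherSuite / Disable-TlsCipherSuite cmdlets (Windows Server 2012 R2 and later). The file name Harden-Schannel.ps1 is a placeholder.

```powershell
#Requires -RunAsAdministrator
# Harden-Schannel.ps1 (placeholder name) - audit and optionally apply the
# Schannel hardening steps described in this article. Default: report only.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply   # without -Apply nothing is changed
)

$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Desired registry state. Protocol keys live under ...\Protocols\<protocol>\Server;
# Enabled=0 plus DisabledByDefault=1 switches SSL 3.0 off for the server side.
# DisableRenegoOnServer=1 is the renegotiation setting quoted in the article.
$Desired = @(
    @{ Path = "$Schannel\Protocols\SSL 3.0\Server"; Name = 'Enabled';               Value = 0 }
    @{ Path = "$Schannel\Protocols\SSL 3.0\Server"; Name = 'DisabledByDefault';     Value = 1 }
    @{ Path = $Schannel;                            Name = 'DisableRenegoOnServer'; Value = 1 }
)

function Get-RegistryState {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Set-RegistryDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Steps 1 and 3: SSL 3.0 and renegotiation, both registry-backed.
foreach ($d in $Desired) {
    $current = Get-RegistryState -Path $d.Path -Name $d.Name
    $ok = ($current -eq $d.Value)
    $shown = if ($null -eq $current) { '<missing>' } else { $current }
    $tag = if ($ok) { 'OK ' } else { 'FIX' }
    Write-Host ("{0}  {1}\{2} = {3} (want {4})" -f $tag, $d.Path, $d.Name, $shown, $d.Value)
    if (-not $ok -and $Apply -and
        $PSCmdlet.ShouldProcess("$($d.Path)\$($d.Name)", "Set DWORD to $($d.Value)")) {
        Set-RegistryDword -Path $d.Path -Name $d.Name -Value $d.Value
    }
}

# Step 2: CBC cipher suites (Zombie POODLE / GOLDENDOODLE).
$cbc = @(Get-TlsCipherSuite | Where-Object { $_.Name -like '*_CBC_*' })
if ($cbc.Count -gt 0) {
    Write-Host ("FIX  {0} CBC cipher suite(s) still enabled:" -f $cbc.Count)
    $cbc | ForEach-Object { Write-Host "       $($_.Name)" }
    if ($Apply) {
        foreach ($suite in $cbc) {
            if ($PSCmdlet.ShouldProcess($suite.Name, 'Disable-TlsCipherSuite')) {
                Disable-TlsCipherSuite -Name $suite.Name
            }
        }
    }
} else {
    Write-Host 'OK   no CBC cipher suites enabled'
}

# Safety check: at least one AEAD suite (GCM, ChaCha20 or TLS 1.3) must remain,
# otherwise clients have nothing left to negotiate after the CBC suites are gone.
$aead = @(Get-TlsCipherSuite | Where-Object { $_.Name -match 'GCM|CHACHA20|^TLS_AES' })
if ($aead.Count -eq 0) {
    Write-Warning 'No AEAD cipher suites remain enabled; review the cipher suite list before applying.'
}

if ($Apply) {
    Write-Host 'Registry changes to Schannel take effect after a reboot.'
}
```

Run `.\Harden-Schannel.ps1` first to see what would change, then `.\Harden-Schannel.ps1 -Apply -WhatIf` to preview the exact writes, and only then `-Apply`. Re-run without -Apply after the reboot and repeat the external scan to confirm the findings are gone.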

See Qlik Sense: TLS Support on what protocols are supported in which version.

Note: Any changes at the OS level must be thoroughly tested, as they may cause other software to stop functioning as expected, or leave clients unable to communicate with the server. If any side effects are experienced, the changes should be reverted to the original settings.
