How Severe is this issue?
Uncontrolled access to files on a server is a breach of security and this category of vulnerability is rated as “high” by the industry.
In practice the severity depends on the privilege levels of existing users, what other information is held on the server, how sensitive the data in their Qlik Applications are etc.
There is a level of effort required to exploit this vulnerability – it’s not something a regular user would come across during regular product usage.
Ultimately each customer must decide the risk for themselves depending on their unique circumstances.
Can anyone abuse this?
For Qlik Sense Enterprise (QSE), any legitimate user (i.e. someone with the ability to view a Qlik Application) can retrieve file data from the server that the Engine component is running on. For QlikView Server, the user additionally requires the ability to create or change objects.
Are all nodes in a Qlik deployment vulnerable?
All nodes on a Qlik Sense or QlikView Server running a Qlik Engine are vulnerable.
Are all files on a Qlik Sense or QlikView server vulnerable?
No, only files that meet the following criteria:
Text files are vulnerable. Binary files can be accessed but not read in their entirety: the file content is interpreted as characters, so only those bytes that can be read as characters are exposed.
The file must be readable by the Qlik Engine service account user according to the OS authorization permissions. This includes files not stored on the physical disks of the server, such as files on network shares that the Qlik Engine service account has permission to access.
Additionally, the attacker is not able to list the files on the server - to retrieve a file they must know (or be able to guess) the full name and path of the file. Wildcards and relative paths cannot be used.
What security privilege will the attacker have?
The same security privilege as the Qlik Engine Service account.
Can the attacker modify or change any files on the Qlik server?
No. Files can be read but they cannot be altered or deleted.
Do we have to upgrade to mitigate?
Yes. Update to a Service Release or patch as described in SB: Improper Access Control Issue in QlikView Server and Qlik Sense Enterprise.
When should we upgrade?
As soon as possible.
Is there a workaround?
No. Unfortunately there are no mitigations that Qlik can suggest, and we recommend an upgrade as soon as possible.
Which component does this affect?
The vulnerability is in the Engine component / QVS.
Is it enough to upgrade the component affected?
We recommend that customers upgrade all components to the same version.
Is there a way we can track back in logs to determine if the vulnerability has been abused by any user?
Unfortunately, we do not have a default tool to get this information. However, if your implementation has additional monitoring or logging enabled on your Qlik servers, and it tracks which processes and accounts access which files, you will be able to see the Service Account accessing files it does not normally access. That capability would need to have been enabled before the event for these actions to have been tracked.
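The kind of check described in the answer above, as an added example that is not part of Qlik's FAQ or tooling: a Python script that reads an export of file-access audit events and flags reads by the Engine service account outside the directories the Engine normally touches. The account name, the expected directories and the CSV rows are all constructed placeholders (assumptions); your own export format, service account and install paths will differ, and a hit is a lead to investigate, not proof of abuse.

```python
import csv
import io
from pathlib import PureWindowsPath

# Placeholder: the account the Qlik Engine / QVS service runs under (assumption).
ENGINE_SERVICE_ACCOUNT = r"CORP\svc_qlik_engine"

# Placeholder: locations the Engine is expected to read in normal operation (assumption).
# Anything the service account reads outside these is worth a second look.
EXPECTED_ROOTS = [
    r"C:\ProgramData\Qlik\Sense",
    r"C:\Program Files\Qlik\Sense",
    r"\\fileserver\qlikdata",
]

# Constructed sample export of file-access audit events (not real logs).
# Columns: when, which account, which process, which file was accessed.
SAMPLE_AUDIT_CSV = r"""timestamp,account,process,path
2020-03-01T10:00:01Z,CORP\svc_qlik_engine,Engine.exe,C:\ProgramData\Qlik\Sense\Apps\sales.qvf
2020-03-01T10:00:05Z,CORP\svc_qlik_engine,Engine.exe,\\fileserver\qlikdata\orders.csv
2020-03-01T10:01:12Z,CORP\svc_qlik_engine,Engine.exe,C:\Windows\System32\drivers\etc\hosts
2020-03-01T10:01:13Z,CORP\svc_qlik_engine,Engine.exe,C:\inetpub\wwwroot\web.config
2020-03-01T10:02:00Z,CORP\alice,notepad.exe,C:\Users\alice\notes.txt
"""


def is_under_expected_root(path_str, expected_roots=EXPECTED_ROOTS):
    """True if path_str is one of the expected roots or lies beneath one of them.

    PureWindowsPath compares case-insensitively and understands both drive
    letters and UNC shares, so no manual string normalisation is needed.
    """
    path = PureWindowsPath(path_str)
    for root_str in expected_roots:
        root = PureWindowsPath(root_str)
        if path == root or root in path.parents:
            return True
    return False


def find_unusual_engine_reads(csv_text, service_account=ENGINE_SERVICE_ACCOUNT,
                              expected_roots=EXPECTED_ROOTS):
    """Return the audit rows where the Engine service account touched a file
    outside the expected roots. Rows for other accounts are ignored."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["account"].lower() != service_account.lower():
            continue  # only the Engine service account is in scope for this check
        if not is_under_expected_root(row["path"], expected_roots):
            hits.append(row)
    return hits


def summarise_by_path(hits):
    """Count flagged reads per file so repeated probing of one file stands out."""
    counts = {}
    for row in hits:
        counts[row["path"]] = counts.get(row["path"], 0) + 1
    return counts


if __name__ == "__main__":
    flagged = find_unusual_engine_reads(SAMPLE_AUDIT_CSV)
    for row in flagged:
        print(f'{row["timestamp"]} {row["account"]} {row["process"]} read {row["path"]}')
    print(summarise_by_path(flagged))
```

Feeding a real export (for example, object-access audit events from the Engine node, converted to the same four columns) into find_unusual_engine_reads gives the list of reads the FAQ describes: the service account touching files it has no operational reason to read. Tightening EXPECTED_ROOTS to your actual app, data and log directories keeps the noise down.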
How critical is it? Is it something customers should implement immediately, or can they wait for the next maintenance window?
This is viewed as High (CVSS score of 8.2/10), since it’s possible to gain unauthorized access to files that you otherwise wouldn’t have access to.
Is the vulnerability mitigated if section access is in place?
This is not mitigated with section access.
Is the situation “better” in a multi-node environment where data related files are located on a different server than the QV or QS servers?