Security Alert: Qlik releases patches and fix for Qlik Sense Node.js vulnerability
Qlik has released a new round of patches for the Qlik Sense product suite, including one to fix a recently surfaced security vulnerability with Node.js.
We highly recommended that all Qlik Sense versions be upgraded to take advantage of this security fix. You can find your Qlik Sense version from the Hub under the “About” menu, or from the QMC on the bottom right of the main screen.
Note: Depending on your version, this patch may require the Qlik Sense Root Certificate to be recreated. Please watch this video and reference these support articles for information related to recreating your Qlik Sense certificate:
As always, before performing any upgrades, make sure you have a good backup of your environment before attempting the upgrade.
If you have questions, or would like Solve to assist with this important set of patches and security fix, you can reach our Qlik Support Desk at email@example.com or by phone at 866-757-2404 (choose Option 2).
Which initial version of Qlik Sense is the vulnerability addressed in?
The initial fixed version is February 2020. All versions going forward will have the fix included.
Which Qlik Sense patches address the vulnerability?
The following patches address the vulnerability:
- February 2019 Patch 8
- April 2019 Patch 8
- June 2019 Patch 11
- September 2019 Patch 7
- November 2019 Patch 6
- Any additional patches in these tracks will also include the fix.
Do I need to upgrade?
Yes, you will need to upgrade.
When do I need to upgrade?
As soon as possible. Please refer to best practices when upgrading (see Patching Qlik Sense)
What happens if I don’t upgrade?
Qlik will not take responsibility for any security breach within your environment.
How do I do upgrade?
Please see Patching Qlik Sense on the Help site for specific steps. It’s important to note the additional steps for recreating the certificates due to the Node.js vulnerability. Use the following materials for more guidance on recreating the certificates:
- Recreating the Qlik Sense Root Certificate (Root CA): Using Powershell scripts to recreate the certificates (preferred method)
- Manually Recreating The Qlik Sense Root CA: Manually recreating the certificates
- Qlik Fix: How to Recreate or Delete Certificates in Qlik Sense
If I run the Powershell script and it fails, how do I recover/proceed?
We are quite confident the Powershell script for recreating the certificates (see Recreating the Qlik Sense Root Certificate (Root CA) ) will run smoothly. However, should any issues arise, please try manually recreating the certificates (Manually Recreating The Qlik Sense Root CA). If there are any other issues or questions, please contact Qlik Support.
How do I confirm the Powershell script for recreating the certificates ran successfully?
Check the certificate using the C2 Validator confirm the certificate is good once the certificate has been recreated.
Do I need to recreate the Qlik Sense certificates?
If the initial version that Qlik Sense was installed with was prior to June 2019, then yes, the certificates need to be recreated. Please see the release notes for more information:
- February 2019 Patch 8 Release Notes
- April 2019 Patch 8 Release Notes
- June 2019 Patch 11 Release Notes
- September 2019 Patch 7 Release Notes
- November 2019 Patch 6 Release Notes
Why do I need to recreate the Qlik Sense certificates?
For the new version of Node.js to be compatible with Qlik Sense, the Qlik Sense certificates need to be recreated.
What version(s) should I apply if I am looking to upgrade to a more recent version?
We recommend upgrading to the latest version. However, we know that is not always possible. Regardless of the track you upgrade to, you will first need to apply the Initial Release (IR) then apply the latest patch for that track. Example: If you’re currently on June 2019 Patch 10 and would like to upgrade to the November 2019 track, you will need to apply November 2019 IR first then apply November 2019 Patch 6.
I have recreated my certificates. Do I need to update the certificates anywhere else?
You will also have to replace Qlik Sense root certificate with the newly created one if 1) your Qlik Sense deployment is connected with Qlik NPrinting, Qlik multi-cloud setups or any other external tools or configurations, or 2) you have configured QlikView Distribution Service for distribution of links to QlikView documents to the Qlik Sense hub.