CVE-2024-55579 & CVE-2024-55580: Qlik Sense Users Face Serious Security Risk

Qlik, a leading provider of business intelligence and data analytics platforms, has disclosed two vulnerabilities affecting Qlik Sense Enterprise for Windows. These vulnerabilities, identified as CVE-2024-55579 and CVE-2024-55580, could allow unprivileged users with network access to compromise the server, potentially leading to remote code execution (RCE) and broken access control (BAC).

Vulnerability Details:

  • CVE-2024-55579 (CVSS 8.8): This vulnerability enables attackers to execute arbitrary EXE files on the Qlik Sense server. As stated in the advisory, “Unprivileged users with network access may be able to create connection objects that trigger the execution of arbitrary EXE files on Qlik Sense Enterprise for Windows.” This high-severity vulnerability could grant attackers extensive control over the server and its data.

  • CVE-2024-55580 (CVSS 7.5): This vulnerability allows attackers to execute remote commands, potentially disrupting high availability and compromising data integrity and confidentiality. The advisory warns that “Unprivileged users with network access to Qlik Sense for Windows installation may be able to execute remote commands that could cause high availability damages, including high integrity and confidentiality risks.”

Immediate Action Required:

Qlik urges all customers to upgrade their Qlik Sense Enterprise for Windows installations to a patched version immediately. Patches are available for a range of versions, including May 2024 Patch 10, February 2024 Patch 14, and November 2023 Patch 16. The November 2024 Initial Release is not affected by these vulnerabilities.

Mitigating Extension and Visualization Issues:

In addition to the patches, Qlik has provided a workaround to address potential issues with extensions and invalid visualizations that may arise after upgrading. This workaround involves modifying the Repository.exe.config file and restarting several Qlik Sense services. Detailed instructions are available in the official security advisory.