16 March 2020
Very recently it was announced a major node.js security vulnerability. Since then our infrastructure team has been advising and helping our customers to upgrade and patch their Qlik Sense environment to make sure this vulnerability is contained and resolved.
Quick overview of the node.js vulnerability:
|HTTP request smuggling||Using malformed Transfer-Encoding header.||HTTP desync attacks and deliver malicious payloads to unsuspecting users.|
|HTTP header values do not have trailing OWS trimmed||Sending header values with optional trailing whitespace (OWS).||Bypass security checks based on HTTP header values.|
|Remotely trigger an assertion on a TLS server||Connect to a NodeJS TLS server with a client certificate that is malformed (has a type 19 string in its subjectAltName)||The TLS server will crash if it tries to read the peer certificate.|
See further details here: https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
From Qlik perspective, is important to understand that the initial fix version is Qlik Sense February 2020 and for all the previous versions, Qlik released the following patches:
- February 2019 Patch 8;
- April 2019 Patch 8;
- June 2019 Patch 11;
- September 2019 Patch 7;
- November 2019 Patch 6;
At this stage, our recommendation at Pomerol Partners is very simple:
- All Qlik customers should upgrade their environment as soon as possible to February 2020.
If for some reason, you can’t proceed with the upgrade to February 2020, is very important that you consider applying the correct patch in against your current version.
Our infrastructure team at Pomerol Partners is ready to help and support your Qlik team in the various simple tasks to the most complex tasks, such as:
- Managing the environment on Premise or Cloud;
- Environment Architecture & Scalability;
- Upgrades and Patches;
- Monitoring and Analysing the Environment Usage;
- Backups & System Recoveries;
If you need any help or any advice, don’t hesitate in contact us to email@example.com and we will work closely with you to find the best answer to your question or concern.