Thursday, January 18, 2018

Security Advisory for ELSA

Introduction
Jeffrey Medsger reported multiple Cross-Site Scripting (XSS) vulnerabilities in ELSA.

These issues are resolved in the following ELSA packages:
securityonion-elsa - 1205chartsjsd3-1ubuntu1securityonion12
securityonion-elsa-extras - 20151011-1ubuntu1securityonion58

Resolution
To resolve these issues, simply install the new ELSA packages according to our normal update instructions:
https://securityonion.net/wiki/Upgrade

Thanks
Special thanks to Jeffrey Medsger for responsibly disclosing these security issues per our Security page (https://securityonion.net/security) and for submitting patches for some of the issues!

Timeline
All times below are in Eastern time.
1/2/2018 1:19 AM - Received initial notification from Jeffrey Medsger concerning ELSA XSS vulnerabilities.
1/2/2018 6:05 PM - Confirmed receipt of email and confirmed issues.
1/3/2018 4:35 PM - Asked Jeffrey Medsger to test new packages.
1/10/2018 12:26 AM - Jeffrey Medsger confirmed original XSS issues resolved and reported additional XSS issues.
1/10/2018 1:32 PM - Confirmed receipt of email with new XSS issues.
1/12/2018 2:02 PM - Asked Jeffrey Medsger to test latest packages.
1/13/2018 4:00 PM - Jeffrey Medsger confirmed issues resolved.
1/13/2018 4:03 PM - Confirmed receipt of email and began regression testing.
1/18/2018 8:32 AM - Completed regression testing.

No comments:

Search This Blog

Featured Post

Security Onion 2.4.111 now available!

In October, we released version 2.4.110: https://blog.securityonion.net/2024/10/security-onion-24110-hurricane-helene.html Last week, Surica...

Popular Posts

Blog Archive