Thursday, January 18, 2018

Security Advisory for ELSA

Introduction
Jeffrey Medsger reported multiple Cross-Site Scripting (XSS) vulnerabilities in ELSA.

These issues are resolved in the following ELSA packages:
securityonion-elsa - 1205chartsjsd3-1ubuntu1securityonion12
securityonion-elsa-extras - 20151011-1ubuntu1securityonion58

Resolution
To resolve these issues, simply install the new ELSA packages according to our normal update instructions:
https://securityonion.net/wiki/Upgrade

Thanks
Special thanks to Jeffrey Medsger for responsibly disclosing these security issues per our Security page (https://securityonion.net/security) and for submitting patches for some of the issues!

Timeline
All times below are in Eastern time.
1/2/2018 1:19 AM - Received initial notification from Jeffrey Medsger concerning ELSA XSS vulnerabilities.
1/2/2018 6:05 PM - Confirmed receipt of email and confirmed issues.
1/3/2018 4:35 PM - Asked Jeffrey Medsger to test new packages.
1/10/2018 12:26 AM - Jeffrey Medsger confirmed original XSS issues resolved and reported additional XSS issues.
1/10/2018 1:32 PM - Confirmed receipt of email with new XSS issues.
1/12/2018 2:02 PM - Asked Jeffrey Medsger to test latest packages.
1/13/2018 4:00 PM - Jeffrey Medsger confirmed issues resolved.
1/13/2018 4:03 PM - Confirmed receipt of email and began regression testing.
1/18/2018 8:32 AM - Completed regression testing.

No comments:

Search This Blog

Featured Post

Security Onion 2.4.50 now available including some new features and lots of bug fixes!

Security Onion 2.4.50 is now available! It includes some new features for our fellow defenders and lots of bug fixes! https://docs.securityo...

Popular Posts

Blog Archive