Tuesday, January 23, 2018

Security Advisory for Squert

Introduction
Jeffrey Medsger reported several command injection and SQL injection vulnerabilities in Squert.  Wes Lambert also discovered some XSS vulnerabilities in Squert.

These issues are resolved in the following package:
securityonion-squert - 20161212-1ubuntu1securityonion26

Resolution
To resolve these issues, simply install the new Squert package according to our normal update instructions:
https://securityonion.net/wiki/Upgrade

Release Notes
If you start seeing "Prepared statement needs to be re-prepared" in /var/log/apache2/error.log, please see the following:
https://github.com/Security-Onion-Solutions/security-onion/wiki/MySQLTuning#table_definition_cache
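
One way to confirm that a host has the fixed package and to look for the error mentioned in the release notes. This is an added example, not part of the original advisory or of Security Onion's own tooling; the function names are hypothetical, and it assumes a Debian/Ubuntu host with dpkg available:

```shell
#!/usr/bin/env bash
# Added example: function names are hypothetical; the package name, fixed
# version, log path and error string are taken from the advisory.
PKG="securityonion-squert"
FIXED="20161212-1ubuntu1securityonion26"
ERRLOG="/var/log/apache2/error.log"
MSG="Prepared statement needs to be re-prepared"

# True (exit 0) if the given version is at or above the fixed version.
# dpkg compares Debian versions numerically per segment, so
# "...securityonion9" sorts below "...securityonion26" (a plain string
# comparison would get that wrong).
squert_is_patched() {
    dpkg --compare-versions "$1" ge "$FIXED"
}

# Print how many times the release-note error appears in a log file
# (default: the Apache error log); prints 0 if the file is unreadable.
count_reprepare_errors() {
    local log="${1:-$ERRLOG}"
    [ -r "$log" ] || { echo 0; return 0; }
    grep -c -F -- "$MSG" "$log" || true
}

# Report on this host: 0 = patched, 1 = needs update, 2 = not installed.
check_squert_host() {
    local info status version
    info=$(dpkg-query -W -f='${Status}|${Version}' "$PKG" 2>/dev/null) || info=""
    status=${info%%|*}
    version=${info#*|}
    case "$status" in
        *"ok installed") ;;
        *) echo "$PKG: not installed"; return 2 ;;
    esac
    if squert_is_patched "$version"; then
        echo "$PKG $version: includes the fix"
    else
        echo "$PKG $version: older than $FIXED, update required"
        return 1
    fi
    echo "re-prepare errors in $ERRLOG: $(count_reprepare_errors)"
}

check_squert_host || echo "action needed (exit $?)"
```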

Thanks
Special thanks to Jeffrey Medsger for responsibly disclosing these security issues per our Security page (https://securityonion.net/security) and for submitting patches for some of the issues!

Timeline
All times below are in Eastern time.
12/31/2017 6:22 PM - Received notification from Jeffrey Medsger concerning Squert command injection vulnerabilities.
12/31/2017 6:43 PM - Confirmed receipt of email.
1/1/2018 2:47 PM - Asked Jeffrey Medsger for clarification on some details.
1/2/2018 1:19 AM - Jeffrey Medsger provided additional details and reported additional SQL injection issues.
1/2/2018 6:05 PM - Confirmed receipt of email.
1/3/2018 4:35 PM - Asked Jeffrey Medsger to test new package to confirm it resolves command injection vulnerabilities.
1/6/2018 2:09 AM - Jeffrey Medsger confirmed command injection issues resolved.
1/8/2018 2:05 PM - Asked Jeffrey Medsger to test new code to confirm it resolves SQL injection vulnerabilities.
1/9/2018 9:14 PM - Jeffrey Medsger confirmed SQL injection issues resolved but reported unrelated error messages.
1/9/2018 9:19 PM - Confirmed error messages.
1/10/2018 1:32 PM - Asked Jeffrey Medsger to test new code to confirm it resolves error messages.
1/11/2018 12:25 AM - Jeffrey Medsger confirmed all issues resolved.
1/11/2018 4:44 PM - Confirmed receipt of email.
1/12/2018 8:00 AM - Began working on packaging to support both Elastic and non-Elastic systems.
1/20/2018 8:02 AM - Completed packaging.
1/22/2018 8:00 AM - Started regression testing.
1/23/2018 8:57 AM - Completed regression testing.
