ESB-2018.1762 - [Linux] MISP: Cross-site scripting - Remote with user interaction 2018-06-14

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1762
           Cross-site scripting vulnerabilities patched in MISP
                               14 June 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           MISP
Publisher:         MISP
Operating System:  Linux variants
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-11562 CVE-2018-11245 

Original Bulletin: 
   http://www.misp-project.org/2018/06/07/MISP.2.4.92.released.html

- --------------------------BEGIN INCLUDED TEXT--------------------

MISP - Open Source Threat Intelligence Platform &
Open Standards For Threat Information Sharing

MISP 2.4.92 released (aka performance improvement)

Posted 07 Jun 2018

A new version of MISP 2.4.92 has been released including aggressive performance
boosts, various improvements and bug fixes.

We received feedback from various users about the negative impact on
performance when the MISP warning-lists are enabled (a feature allowing the
detection and filtering of false positive attributes in MISP). The performance
hit incurred by enabling warning-lists has been reduced to such an extend that
enabling them will barely have any impact on performance when viewing or
browsing events. We hope this performance gain will increase the overall
adoption of the warning-lists.

A benchmarking tool has been added to the AppModel allowing us to easily spot
performance issues across the application. Aggregate execution time, number of
iterations and peaked memory usage can be easily spotted in order to facilitate
rapid and accurate profiling of the performance across the various
functionalities of MISP.

The API has been improved to allow objects to be added by template UUID and
version in addition to the local ID.

A new role permission to publish to the ZMQ pub-sub channel has been added (as
kindly requested by our favorite user, who regularly motivates us by sending
decapitated horse heads if we slack). This role allows administrators to enable
or disable ZMQ publishing per user.

The flash message system has been rewritten from scratch, providing a cleaner
approach that relies on bootstrap?s internal flash messaging look and feel,
along with 3 different levels of notifications.

Allow hard deleting of attributes that were never published in order to avoid
the leaking of sensitive information via soft deleted attributes.

Two security vulnerabilities were fixed: CVE-2018-11245 and CVE-2018-11562.
Thanks to the reporters Jarek Kozluk from zbp.pl and Dawid Czarnecki. Don?t
hesitate to contact us for reporting vulnerabilities, we love those
contributions.

The STIX 1 and STIX 2 exports and imports were migrated to Python 3
(don?t forget to update the dependencies). The STIX 1 export has     port and
been improved to include additional objects such X.509 certificate   custom
and MISP objects. The STIX 1 import has been improved for email,     object
whois, and artifact objects along with tags via journal entries. The export.
STIX 2 export has improved regkey object parsing, along with ip

The full change log is available here. PyMISP change log is also available.

A huge thanks to all the contributors who helped us to improve the software and
also all the participants in MISP training which always give intere PyMISP has
been also updated, boasting a more clever approach to timestamp handling while
updating MISP JSON files. The PyMISP documentation has been updated PDF. MISP
standard Internet-Drafts have been updated and published.

MISP galaxy, objects and taxonomies were notably extended by many contributors.
These are also included by default in MISP. Don?t forget to do a git submodule
update and update galaxies, objects and taxonomies via the UI.

Don?t forget that the MISP Threat Intelligence Summit 0x4 will take place the
Monday 15th October 2018 before hack.lu 2018. A Call-for-Papers is open for the
MISP Threat Intelligence Summit 0x4. We would be glad to see users,
contributors or organisations actively using MISP or/and threat intelligence to
share their experiences and presentation to the CfP.

Get In Touch

MISP is a community-driven project lead by the community of users.

You can get in touch with the MISP core team at the following email:
info@misp-project.org

  * c MISP project. Software released under the AGPL license and content
    released as CC-BY-SA.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWyHnpmaOgq3Tt24GAQhwjQ/7BRmG7o86Epwn1NwfWuBfLP0EmCI80LH7
IS6px0pn11RJVGWppMclNxBl2Q3+9UO1fgl3tyzYft+T8utXKZtnRiVIRw2YgoRs
8Vk+XdEECB3GUuIX0vHEFNLHPtoEeFXS5kubT9g6BdKPsXq2qmET5EzSHBt5CctV
156dx+YB4nkjInFoDNU0iLJ6jh4EutIzPlo15poNTZO0+u9fikAloG7Lw2ovUwsz
XqLOAg1KQBTsbgf8lPCz/oK6d3uY3SNqGA/QFW/DruOMdnN/HDSG9wLF8pgXMkKY
ZZVuOl0wXn7osKsSUcd9dAcuLXHlxxq12dZp9mqBgdLDmMRMSppq0/hD/Sd7UBjP
/XAaxyy2K9owRPRyVcLPXtFWSGAu2a8XtckRrxCulIsKOkos377ZJeVuyMowBY+K
y2exAf+mkHkt/IEeuRci/9a+lIVDJIvhmCNEQSG+eGiJCgwGxdte8K7zKUNKMq55
vkJUqPOou7VwSbOfjArEtuM84TgkfY7dYAsB1oLBy0gLM56dNPbq2E3xGWqhIGcG
lGhpwjFflG/qIn/eIA1hK9naulg0KTWhe528RXOHgFtHIyCr6KX4Vxkbv1Ykiepn
bokkh858l5UjZZmXUUqQNeB80df7/wNUveTASiiQskCBC7nOVFGKR8fxR4CYu45p
HBcp0LBXHuY=
=edxD
-----END PGP SIGNATURE-----

« Back to bulletins