Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.1469
MISP 2.4.142 released - security fix
29 April 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: MISP
Publisher: MISP Project
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Read-only Data Access -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2021-31780
Original Bulletin:
https://www.misp-project.org/2021/04/27/MISP.2.4.142.released.html
- --------------------------BEGIN INCLUDED TEXT--------------------
https://www.misp-project.org/2021/04/27/MISP.2.4.142.released.html
MISP 2.4.142 released
MISP 2.4.142 released including many new features, a security fix and a long
list of quality of life improvements.
Correlation changes
One of the most annoying bottlenecks in how we use MISP currently is caused by
low quality correlations, both in terms of usability and having a clear view on
relevant relationships among data-points. These very often come from either
sub-optimal strategies chosen on data creation/ingestion for certain types of
attributes, but very often also on edge cases.
With the current release we've included two main tools to combat this:
Correlation exclusions
We can now remove individual values from ever correlating again, so if you come
across some typical noisy values (such as empty file hashes, registry values of
000000, internal IPs recurrinly encoded by your sandbox), you can add those to
the exclusion list.
Once added, you can execute the cleaning of the existing correlations, to
retroactively execute your exclusion rules. This is a background processed task
and depending on the amount of correlations you have may take quite some time
(it took us around 30 minutes on 25M correlations), so just fire it off and
check back later whether the job has completed.
You can also comment your reason for removing an entry. In the future we plan
on publishing community maintained default exclusion lists.
Correlation exclusion in MISP
Top correlations
List the most correlating values in your instance - in order to evaluate which
the most problematic correlations are, simply have a look at the most noisy
correlations. We've had some surprising entries in our communities, so perfect
time to do some spring cleaning.
Just hit the delete button on a correlation and it will add a rule to your
correlation exclusion list - just don't forget to run the historic cleanup from
the correlation exclusion index to remove already existing correlations
matching your newly added rules.
Server sync rule management rework
MISP server sync rule management
One of the more painful aspects of managing servers has been the historically
bad UI used to manage filter rules. This has now been completely revamped, both
with a new look but familiar look and feel as well as some clever new tools to
make it more usable.
For example, when creating pull filters, your instance will now attempt to
contact the remote instance to retrieve a list of available tags, so that you
no longer have to manually enter all of the filters when creating pull rules.
The JSON rule field allowing custom filters now also uses a handy JSON parsing
text entry, allowing you to avoid potential mistakes.
New dashboard widgets
Thanks to Jeroen Pinoy, we have some new dashboard widgets meant to give you
better oversight over how your instance is being used, showing some usage
statistics as well as tools to monitor the growth of the user base of the
community.
[evolution-]
A bunch of other fixes including security fixes
We have also a security issue (CVE-2021-31780) causing a potential misalignment
of sharing groups on synced attributes, so we highly encourage everyone to
update their MISP instance.
Besides that we have introduced a long list of quality of life improvements as
well as many fixes.
Acknowledgement
We would like to thank all the contributors, reporters and users who have
helped us in the past months to improve MISP and information sharing at large.
This release includes multiple updates in misp-objects, misp-taxonomies and
misp-galaxy . The MISP galaxy includes a major update in the Ransomware galaxy
which now includes more than 1600 documented ransomware.
As always, a detailed and complete changelog is available with all the fixes,
changes and improvements.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYIo4G+NLKJtyKPYoAQhNnw//T96exc3HcOCq9dRKQ80N5zNhSuqgqUa9
2vftlPJZ3goaVda5vVdl6L3V2Fp5djXQcw9yhA+NglR6PWG7MfWoIYACz+Q8Nrdw
Pve1cjMwlNvzY6V0hdkZhO+41Ip+wa8DzWd23J/MqGvsOzEKTZRNymS6l2/0DmEc
WC+2fMT9fS0YFU5I8+BgiyU9UNPDLmsP/onqHgroOkEvzQZkHzTWVCM9OR2IqfkY
o4e8hbY+uIn4Ld/qJ/Cc/BF5loHt8OhgAOWtiiGI1Dih66PU2DQwi0J62W0j428x
ycco1KXlG7bj8DGYJNO7EyPQyn2b1wESwAJie8NX4Dw6m+t8y9hycSPg2s7+Mlbw
ir413RvbAQnI6JdPAw+EHzN5k3ZOZXeZVmxXiLN+cuYWnL0RAmwlgWIlsoiRXRd8
mJX74eCOrC7FVOd+yxesr0zLzFeM6Fx9rSSHqQpWutqoWqytT9OoXqW/vw5KWGSa
XsD44GQ1kVy5a3oj6dTb03QwZLBeuNVSwCro2gQ4Bude0cb1dDkni470CImP7sNQ
zPebjELrLM0nZGRXQNUakM9TJdl9HVOOxC6T/yhrQvCikRYXbzzje0S6fJW1/VsF
b07fuW0y1yuKDrwU6c9OK7D01v70HGuurC3pWw0Gx7awsF0AG2fxLe3gxXpiQwE3
d3uC362fGR4=
=iD8h
-----END PGP SIGNATURE-----