[Intelmq-users] IntelMQ Manager 2.1.1 Security Bugfix Release

Sebastian Wagner wagner at cert.at
Mon Apr 27 21:59:26 CEST 2020


Dear community,

The newest IntelMQ Manager release 2.1.1 fixes a critical security bug.
Please never run the IntelMQ Manager without proper authentication in place!

Installation instructions:
https://github.com/certtools/intelmq-manager/blob/2.1.1/docs/INSTALL.md

Bernhard Herzog (Intevation) discovered that the backend incorrectly
handled messages given by user input in the "send" functionality of the
Inspect-tool of the Monitor component. An attacker with access to the
IntelMQ Manager could possibly use this issue to execute arbitrary code
with the privileges of the webserver.
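The advisory does not say how the `msg` value was mishandled. As an added illustration (not IntelMQ Manager's own code), this is the general hardening pattern for such an endpoint: accept the POST parameter only as a JSON object, restrict the bot id to a plain identifier, and run the controller command from `INTELMQ_MANAGER_CONTROLLER_CMD` without a shell so that user-supplied text stays data. The `message send` subcommand shape and the default `intelmqctl` name are hypothetical placeholders, not the real intelmqctl interface.

```python
import json
import re
import shlex
import subprocess
from typing import Dict, List

# Bot IDs are plain identifiers; spaces, ';', quotes etc. are rejected outright.
_BOT_ID = re.compile(r"^[A-Za-z0-9_.-]{1,128}$")


def parse_controller_cmd(env: Dict[str, str]) -> List[str]:
    """Split the controller command from the (now correctly spelled) environment
    variable into argv tokens once, at startup. Only the administrator controls
    this string; request data never enters it. Default name is a placeholder."""
    argv = shlex.split(env.get("INTELMQ_MANAGER_CONTROLLER_CMD", "intelmqctl"))
    if not argv:
        raise ValueError("controller command is empty")
    return argv


def validate_bot_id(bot_id: str) -> str:
    if not _BOT_ID.match(bot_id):
        raise ValueError("invalid bot id")
    return bot_id


def validate_message(raw_msg: str) -> str:
    """Accept the POST parameter `msg` only if it parses as a JSON object, and
    re-serialise it so the controller receives canonical JSON and nothing else
    that may have been embedded in the original string."""
    try:
        obj = json.loads(raw_msg)
    except json.JSONDecodeError as exc:
        raise ValueError(f"msg is not valid JSON: {exc.msg}") from exc
    if not isinstance(obj, dict):
        raise ValueError("msg must be a JSON object")
    return json.dumps(obj, separators=(",", ":"))


def build_send_argv(controller_argv: List[str], bot_id: str) -> List[str]:
    """argv for the hypothetical 'message send' subcommand; the bot id is one
    argv element, never interpolated into a command string."""
    return controller_argv + ["message", "send", validate_bot_id(bot_id)]


def send_message(controller_argv: List[str], bot_id: str, raw_msg: str) -> int:
    """Hand the validated message to the controller on stdin with shell=False."""
    proc = subprocess.run(build_send_argv(controller_argv, bot_id),
                          input=validate_message(raw_msg), text=True,
                          capture_output=True, check=False)
    return proc.returncode
```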

Updated deb/rpm-packages are already available in the repositories.

Other changes:

### Backend
- Fix misspelling of the environmental variable
`INTELMQ_MANGER_CONTROLLER_CMD` to `INTELMQ_MANAGER_CONTROLLER_CMD` (an
'a' was missing).
- Fix handling of POST variable `msg` of the message-sending
functionality available in the Inspect-tool.

### Pages
#### Monitor
- Fix running commands with the "inspect" widget by fixing the
definition of the `CONTROLLER_CMD` in the template (PR #194).

### Documentation
- Update supported operating systems in Installation documentation (including
PR #191).

### Known issues
* Missing CSRF protection (#111).
* Graph jumps around on "Add edge" (#148).
* Wrong error message for new bots with existing ID (#152).
* `ALLOWED_PATH=` violates CSP (#183).
* Monitor page: Automatic log refresh resets log page to first one (#190).

-- 
// Sebastian Wagner <wagner at cert.at> - T: +43 1 5056416 7201
// CERT Austria - https://www.cert.at/
// An initiative of nic.at GmbH - https://www.nic.at/
// Commercial register number 172568b, LG Salzburg

