April 20, 2022
We are pleased to announce the immediate availability of MISP v2.4.158. This release includes a series of security fixes and as such we highly encourage everyone to update to this version as soon as possible.
Thanks to Dawid Czarnecki of Zigrin Security for the in-depth penetration test and its findings and thanks to the Luxembourg Army for financing the penetration test. This is the follow up to the Cerebrate penetration test also conducted by Zigrin Security on behalf of the Luxembourg Army, as described here.
Security fixes
Several security issues have been resolved; head over to the security page for a detailed break-down of the advisories, including the associated CVEs. Whilst exploiting most of the listed vulnerabilities requires an already compromised high-privilege account, we nevertheless advise all users to update their instances as soon as possible.
- Phar deserialisation
- XSS in LinOTP login
- XSS in Galaxy clusters
- XSS in organisation fetchSGOrgRow
- XSS in Event graph via tags
- XSS in Cerebrate view
- Password confirmation bypass
Announcement of a silent fix of phar deserialisation RCE in a previous release (v2.4.156)
As of the previous security release (v2.4.156), based on the pentest conducted by Ianis BERNARD of the NATO Cyber Security Centre, a high criticality vulnerability was also identified. We have opted for a silent fix to the critical vulnerability whilst upgrading the announced criticality of the other security fixes included in the release.
This is an extreme measure that we take whenever we want to ensure that the community is aware that it needs to update as soon as possible, whilst not drawing attention to the actual critical vulnerability. If you have followed our guidance over the past month to update, you are already safe; if you are running a MISP instance below 2.4.156, we highly encourage you to update to the latest version as soon as possible.
Custom email templates
Added the ability to override some of the standard e-mail templates with custom ones: drop templates mirroring the naming convention of the existing ones in /var/www/MISP/app/View/Email/text and /var/www/MISP/app/View/Email/html into /var/www/MISP/app/View/Email/text/Custom/ and /var/www/MISP/app/View/Email/html/Custom/ respectively. Currently supported templates: alert, password_reset.
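As an added example (not part of MISP itself), the helper below seeds a custom override from its stock counterpart so the file name is guaranteed to mirror the existing template, and lists which templates currently have an override. It assumes the directory layout given above (overridable through MISP_VIEW) and discovers the template file extension from the stock directory rather than hard-coding it.

```shell
#!/bin/sh
# Seed and inspect custom MISP e-mail template overrides.
# Added example: MISP_VIEW defaults to the path from the release note.
MISP_VIEW="${MISP_VIEW:-/var/www/MISP/app/View/Email}"

# install_custom_template <text|html> <template name, e.g. alert>
# Copies the stock template into Custom/ under the same file name as a
# starting point; refuses names that have no stock template to mirror.
install_custom_template() {
    fmt="$1"; name="$2"
    case "$fmt" in
        text|html) ;;
        *) echo "unknown format: $fmt (expected text or html)" >&2; return 2 ;;
    esac
    stock_dir="$MISP_VIEW/$fmt"
    custom_dir="$stock_dir/Custom"
    # Locate the stock file whose base name matches, whatever its extension.
    stock=""
    for f in "$stock_dir/$name".*; do
        [ -f "$f" ] && stock="$f" && break
    done
    if [ -z "$stock" ]; then
        echo "no stock $fmt template named '$name' in $stock_dir" >&2
        return 1
    fi
    mkdir -p "$custom_dir"
    target="$custom_dir/$(basename "$stock")"
    if [ -e "$target" ]; then
        echo "custom override already present: $target" >&2
        return 0
    fi
    cp "$stock" "$target"
    echo "$target"
}

# list_overrides <text|html>
# Prints one line per stock template: "<file>: custom" or "<file>: stock".
list_overrides() {
    fmt="$1"
    for f in "$MISP_VIEW/$fmt"/*; do
        [ -f "$f" ] || continue
        if [ -f "$MISP_VIEW/$fmt/Custom/$(basename "$f")" ]; then
            echo "$(basename "$f"): custom"
        else
            echo "$(basename "$f"): stock"
        fi
    done
}
```

Run as the web server user so the copied file keeps permissions consistent with the stock templates.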
RestSearch improvements
Fixing a baffling oversight on our side, thanks to Tom King we can now search by sharing groups besides just distribution levels.
A long list of refactors and bugfixes
Massive thanks to Jakub Onderka for the continuous refactoring, simplifying and cleaning up of the code-base. For a full list of all the improvements that are part of this herculean effort, refer to the changelog.
Acknowledgement
We would like to thank all the contributors, reporters and users who have helped us in the past months to improve MISP and information sharing at large. This release includes multiple updates in misp-objects, misp-taxonomies and misp-galaxy.
As always, a detailed and complete changelog is available with all the fixes, changes and improvements in MISP core.