CVE-2022-47544: Release Notes :: SIREN DOCS

An issue was discovered in Siren Investigate before 12.1.7. Script variable whitelisting is insufficiently sandboxed.


New features

Custom record views

You can now create custom views for your documents in the Overview tab of the Record View by writing template scripts.

Reporting

Template scripts can also be used to generate reports from Elasticsearch documents in many different formats (PDF, HTML, Word and more) through integration with jsreport.

Filter to dashboard

You now have the option to apply the filters from one dashboard to another dashboard associated with the same entity table.

Security fixes

  • Upgraded Node.js to version 14.19.1. For the full list of fixes, see the 14.19.1 changelog.

  • Upgraded url-parse to version 1.5.9 to address CVE-2022-0691.

  • Upgraded prismjs to version 1.27.0 to address CVE-2022-23647.

  • Upgraded moment to version 2.29.2 to address GHSA-8hfj-j24r-96c4.
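
The three dependency bumps above, and the Node.js minimum, are worth verifying in a deployment's own lockfile rather than assumed from the upgrade. The script below is an added example, not Siren's code: it walks a package-lock.json (v1 nested form or v2/v3 flat "packages" form), flags any installed copy of url-parse, prismjs or moment below the versions listed here, and compares a Node.js version string against 14.19.1. The lockfile it scans is constructed for the example; nested copies are deliberately included because a vulnerable copy pinned under another package is exactly what a top-level check misses.

```javascript
// Added example (not Siren's code): scan a package-lock.json for the
// dependency versions this release raised and flag anything still below
// the fixed version. SAMPLE_LOCK below is constructed for the example.
const MIN_VERSIONS = {
  'url-parse': { min: '1.5.9',  ref: 'CVE-2022-0691' },
  'prismjs':   { min: '1.27.0', ref: 'CVE-2022-23647' },
  'moment':    { min: '2.29.2', ref: 'GHSA-8hfj-j24r-96c4' },
};

// Compare two dotted numeric versions; returns -1, 0 or 1.
// A pre-release suffix ("1.27.0-beta.1") ranks below the bare version.
function compareVersions(a, b) {
  const parse = (v) => {
    const [core, pre] = v.split('-', 2);
    return { nums: core.split('.').map(Number), pre: pre ?? null };
  };
  const pa = parse(a), pb = parse(b);
  const len = Math.max(pa.nums.length, pb.nums.length);
  for (let i = 0; i < len; i++) {
    const x = pa.nums[i] ?? 0, y = pb.nums[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;   // release > pre-release
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Collect every installed copy of every package, including nested ones.
// Lockfile v2/v3 keys "packages" by install path ("node_modules/a",
// "node_modules/b/node_modules/a"); v1 nests them under "dependencies".
function collectInstalled(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      const idx = path.lastIndexOf('node_modules/');
      if (idx === -1) continue; // the root project entry ("")
      found.push({ name: path.slice(idx + 'node_modules/'.length), version: meta.version, path });
    }
    return found;
  }
  const walkV1 = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps ?? {})) {
      const path = `${prefix}node_modules/${name}`;
      found.push({ name, version: meta.version, path });
      walkV1(meta.dependencies, path + '/');
    }
  };
  walkV1(lock.dependencies, '');
  return found;
}

// Every installed copy whose version is below the minimum for that package.
function findOutdated(lock, minimums = MIN_VERSIONS) {
  return collectInstalled(lock)
    .filter(({ name, version }) => minimums[name] && compareVersions(version, minimums[name].min) < 0)
    .map(({ name, version, path }) => ({
      name, version, path, required: minimums[name].min, ref: minimums[name].ref,
    }));
}

// True when a Node.js version string ("v14.19.0") is below the release's minimum.
function nodeNeedsUpgrade(current = process.version, min = '14.19.1') {
  return compareVersions(current.replace(/^v/, ''), min) < 0;
}

// Constructed sample lockfile (v2 shape): a fixed top-level url-parse, a
// vulnerable nested copy pinned by another package, and an old moment.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-plugin', version: '1.0.0' },
    'node_modules/url-parse': { version: '1.5.9' },
    'node_modules/some-lib': { version: '3.0.0' },
    'node_modules/some-lib/node_modules/url-parse': { version: '1.5.3' },
    'node_modules/prismjs': { version: '1.27.0' },
    'node_modules/moment': { version: '2.29.1' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of findOutdated(SAMPLE_LOCK)) {
    console.log(`${f.path}: ${f.name}@${f.version} < ${f.required} (${f.ref})`);
  }
  console.log(`node ${process.version} needs upgrade: ${nodeNeedsUpgrade()}`);
}
```

To run it against a real deployment, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')). A finding on a nested path means the parent package pins the old version itself, so the parent needs its own update (or an npm override) rather than a top-level bump.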

Breaking Changes

Saved objects

  • The index-pattern saved object type has been removed; the methods that were previously exposed by IndexPattern instances are now part of the SavedSearch interface.

Migration to Babel 7

  • Siren Investigate is now built with Babel 7; if you have written any custom plugins, test them on a pristine Siren Investigate 12.1 instance before upgrading.

Deprecations

Discover

  • The Discover application has been deprecated and will be removed in a future release. The buttons to create and save child searches from the Discover application have been removed.

Improvements

Auditing

  • Added a configuration option that lets you choose which Elasticsearch fields are recorded in data export audit log entries.

Data model

  • Enabled granular editing of relations in the Relations tab. When saving or deleting a relation, the change is now applied immediately.

  • Improved the performance of the relations tab with a high number of relations.

  • Added a button to aggregate multiple relations between two entities into a single link showing the number of relations. In this mode, the individual relation names are displayed in a tooltip.

  • When transforming data it is now possible to test the transformation against any of the sample source documents.

Dashboard

  • It is now possible to use a visual date/time picker when creating filters on date fields.

  • When editing a visualization on a dashboard, you can now save it and return immediately to the dashboard by clicking on a Save and return button.

  • The tooltips showing data model explanations on 360 Dashboards are now enabled by default.

  • Modified 360 Dashboards to include documents from both the target and the source entity when self relations have the same label in both directions.

  • Replaced the graph based widget to pick relations in the 360 Dashboard data model configuration with a simpler dropdown based widget.

Record Table

  • Added options to rearrange the columns of the table to the column context menu.

Record view

  • It is now possible to use a visual date/time picker when editing date fields.

  • It is now possible to add multiple values to a field when editing a document in the record view.

Graph Browser

  • Links that represent self relations on the same field are now automatically hidden when the source and the target are the same node.

  • Added explicit drag and drop handles to the lens listing.

  • Added an option to the Node to edge by fields lens configuration that allows you to automatically expand intermediate nodes when creating edge links.

Relational Navigator

  • Added a configuration option that allows you to group relations having the same label into a single button.

  • Modified the relation links to include documents from both the target and the source entity when self relations have the same label in both directions.

  • Removed the automatic capitalization of relation links.

Development

  • The EUI library dependency has been upgraded to version 34.6.0.

Bug fixes

Auditing

  • Fixed an issue that caused data requests initiated by the Graph Browser to be classified as count requests.

  • Fixed an issue that caused dataExport requests to be assigned to the HOME dataspace instead of the current one.

Data Model

  • Fixed an issue that prevented child searches from inheriting the search query and filters from their parent.

  • Suppressed an unnecessary warning which was appearing after saving changes to a child search.

  • Fixed an issue in the data import flow that caused leading zeroes in fields to be automatically stripped.

Graph Browser

  • Fixed an issue that caused nodes created by a time/location lens to not disappear when disabling the lens.

  • You can now use custom icons in node glyphs.

  • Fixed an issue that could cause a node to edge lens to not be applied automatically when adding nodes to the graph.

  • Fixed an issue that could cause a fatal error when switching between two dashboards with a Graph Browser visualization in map mode.

  • Fixed an issue that would cause all the nodes to be expanded when no checkbox was selected in the expansion dialog.

  • Adjusted the formula to determine the size of nodes at high zoom levels to minimize overlapping.

  • Fixed an issue that prevented the deletion of edges created by Node to edge by fields lens instances.

  • Fixed an issue that prevented opening the record view of nodes containing spaces in the _id field.

Enhanced Coordinate Map

  • Fixed an issue that would cause unnecessary rendering operations while changing the configuration of a visualization.

Scripting

  • Fixed an issue that could cause a fatal error when editing a script containing JSX fragments.

Record Table

  • Fixed an issue that caused a wrong search request to be generated after creating a negated filter having multiple values by holding CTRL/CMD.

Dashboard

  • Fixed an issue that caused a wrong confirmation dialog to appear after deleting a dashboard whilst in edit mode.

  • Fixed an issue that prevented nodes from being added to a Graph Browser visualization when dragging a dashboard with a modified state.

  • The explanation tooltip for visualizations in 360 Dashboards is now enabled by default following recent performance improvements.

Miscellaneous

  • Added the investigate_core.search.max_buckets configuration setting. This setting prevents aggregations with a large number of buckets from being processed by visualizations and freezing the browser. The default value of the setting is 1000.

  • Improved the Elasticsearch periodic health check to wait for the ACL index to be ready in addition to the main Siren Investigate index.
