CVE-2022-47544: Release Notes :: SIREN DOCS
An issue was discovered in Siren Investigate before 12.1.7. Script variable whitelisting is insufficiently sandboxed.
New features
Custom record views
- You can now create custom views for your documents in the Overview tab of the Record View by writing template scripts.
Reporting
- Template scripts can also be used to generate reports from Elasticsearch documents in many different formats (PDF, HTML, Word and more) through integration with jsreport.
Filter to dashboard
- You now have the option to apply the filters from one dashboard to another dashboard associated with the same entity table.
Security fixes
- Upgraded Node.js to version 14.19.1. For the full list of fixes, see the 14.19.1 changelog.
- Upgraded url-parse to version 1.5.9 to address CVE-2022-0691.
- Upgraded prismjs to version 1.27.0 to address CVE-2022-23647.
- Upgraded moment to version 2.29.2 to address GHSA-8hfj-j24r-96c4.
Breaking Changes
Saved objects
- The index-pattern saved object type has been removed; the methods that were previously exposed by IndexPattern instances are now part of the SavedSearch interface.
Migration to Babel 7
- Siren Investigate is now built with Babel 7. If you have written any custom plugins, it is recommended to test them on a pristine Siren Investigate 12.1 instance before upgrading.
Deprecations
Discover
- The Discover application has been deprecated and will be removed in a future release. The buttons to create and save child searches from the Discover application have been removed.
Improvements
Auditing
- Added a configuration option that allows customization of the Elasticsearch fields to be included in data export audit log entries.
Data model
- Enabled granular editing of relations in the Relations tab. When saving or deleting a relation, the changes are now applied immediately.
- Improved the performance of the Relations tab when a high number of relations is present.
- Added a button to aggregate multiple relations between two entities into a single link showing the number of relations. In this mode, the individual relation names are displayed in a tooltip.
- When transforming data, it is now possible to test the transformation against any of the sample source documents.
Dashboard
- It is now possible to use a visual date/time picker when creating filters on date fields.
- When editing a visualization on a dashboard, you can now save it and return immediately to the dashboard by clicking the Save and return button.
- The tooltips showing data model explanations on 360 Dashboards are now enabled by default.
- Modified 360 Dashboards to include documents from both the target and the source entity when self relations have the same label in both directions.
- Replaced the graph-based widget for picking relations in the 360 Dashboard data model configuration with a simpler dropdown-based widget.
Record Table
- Added options to rearrange the columns of the table to the column context menu.
Record view
- It is now possible to use a visual date/time picker when editing date fields.
- It is now possible to add multiple values to a field when editing a document in the record view.
Graph Browser
- Links that represent self relations on the same field are now automatically hidden when the source and the target are the same node.
- Added explicit drag and drop handles to the lens listing.
- Added an option to the Node to edge by fields lens configuration that allows you to automatically expand intermediate nodes when creating edge links.
Relational Navigator
- Added a configuration option that allows you to group relations having the same label into a single button.
- Modified the relation links to include documents from both the target and the source entity when self relations have the same label in both directions.
- Removed the automatic capitalization of relation links.
Development
- The EUI library dependency has been upgraded to version 34.6.0.
Bug fixes
Auditing
- Fixed an issue that caused data requests initiated by the Graph Browser to be classified as count requests.
- Fixed an issue that caused dataExport requests to be assigned to the HOME dataspace instead of the current one.
Data Model
- Fixed an issue that prevented child searches from inheriting the search query and filters from their parent.
- Suppressed an unnecessary warning that appeared after saving changes to a child search.
- Fixed an issue in the data import flow that caused leading zeroes in fields to be automatically stripped.
Graph Browser
- Fixed an issue that caused nodes created by a time/location lens not to disappear when disabling the lens.
- You can now use custom icons in node glyphs.
- Fixed an issue that could cause a node to edge lens not to be applied automatically when adding nodes to the graph.
- Fixed an issue that could cause a fatal error when switching between two dashboards with a Graph Browser visualization in map mode.
- Fixed an issue that caused all nodes to be expanded when no checkbox was selected in the expansion dialog.
- Adjusted the formula that determines the size of nodes at high zoom levels to minimize overlapping.
- Fixed an issue that prevented the deletion of edges created by Node to edge by fields lens instances.
- Fixed an issue that prevented opening the record view of nodes containing spaces in the _id field.
Enhanced Coordinate Map
- Fixed an issue that would cause unnecessary rendering operations while changing the configuration of a visualization.
Scripting
- Fixed an issue that could cause a fatal error when editing a script containing JSX fragments.
Record Table
- Fixed an issue that caused an incorrect search request to be generated after creating a negated filter with multiple values by holding CTRL/CMD.
Dashboard
- Fixed an issue that caused the wrong confirmation dialog to appear after deleting a dashboard while in edit mode.
- Fixed an issue that prevented nodes from being added to a Graph Browser visualization when dragging a dashboard with a modified state.
- The explanation tooltip for visualizations in 360 Dashboards is now enabled by default following recent performance improvements.
Miscellaneous
- Added the investigate_core.search.max_buckets configuration setting. This setting prevents aggregations with a large number of buckets from being processed by visualizations and freezing the browser. The default value of the setting is 1000.
- Improved the Elasticsearch periodic health check to wait for the ACL index to be ready in addition to the main Siren Investigate index.