UPDATE - v4.2.3 Now Available. It remediates all known issues related to this advisory.
On Wednesday, a disclosure was made of security issues found in AlienVault OSSIM: the publicly disclosed SQL Injection vulnerabilities as well as a privately disclosed Command Injection vulnerability. At AlienVault we take the security of our code very seriously. Our development lifecycle includes static code analysis as well as periodic dynamic analysis. We use situations like this to review our processes and the way we use our tools, and to find ways to improve our secure development process.
We encourage everyone to update to the latest version, 4.2.3, which remediates these issues. For users still running 4.1, there are a few important mitigating factors for these vulnerabilities until the update can be applied:
All reported vulnerabilities require authenticated access, so an attacker must first hold valid OSSIM web credentials or an active session.
OSSIM leverages PHPIDS, which provides some protection against common SQL Injection and Command Injection attack patterns. Note that PHPIDS is a pattern-matching filter, not a fix for the underlying code, so it should be treated as defense in depth rather than a substitute for updating.
These considerations do not eliminate the risk of the vulnerabilities being exploited, but they are mitigating factors that make exploitation substantially harder.
We take security problems seriously, and every disclosure will be responded to as soon as possible. We are trying to figure out why these reports were not addressed before public disclosure, and we encourage anyone who has discovered security issues in any AlienVault or OSSIM product to let us know at [email protected]. Please do not use the ‘contact’ forms on our corporate site for this purpose.