
AlienVault v5.3.7 Patch Release

SkylarTalley

AlienVault Employee
As of Wednesday, March 22 2017, AlienVault USM and OSSIM v5.3.7 are now generally available for all existing and new customers. Users can update their system(s) through the console or web UI (see upgrade instructions for more information). For customers using the Managed Appliance Service, please note that AlienVault Support will be contacting you to schedule your update.

Please take a few minutes to carefully read these release notes before upgrading.

Documentation Updates


Deprecation Notice

Log watch
The log watch functionality in the Smart Event Collector has been deprecated in AlienVault USM and OSSIM. Deprecation means that we will no longer be doing development on that feature. This functionality may also be removed from the product at a later release date.

Compliance mapping
The compliance mapping functionality has been deprecated in AlienVault USM. Deprecation means that we will no longer be doing development on that feature. This functionality may also be removed from the product at a later release date.

This will not remove the ability to report on compliance regulations (PCI DSS 3.2 and ISO 27001:2012). AlienVault will continue to deliver new and updated compliance reports. For questions or additional information regarding this deprecation notice, contact AlienVault Support.


Change Log

  • ENG-104602 Duplicated events after rebooting an AIO or Sensor
  • ENG-104429 Uninstall winexesvc after HIDS agent deployment (being flagged as trojan in antivirus)

Security Advisories

  • ENG-105223, Vulnerable Debian Package - linux (multiple CVEs) - AlienVault 5.3.7 is not vulnerable.
  • ENG-105195, Vulnerable Debian Package - libxpm (multiple CVEs) - AlienVault 5.3.7 is not vulnerable.
  • ENG-105147, Vulnerable Debian Package - linux (multiple CVEs) - AlienVault 5.3.7 is not vulnerable.
  • ENG-105146, Vulnerable Debian Package - apache2 (multiple CVEs) - AlienVault 5.3.7 is not vulnerable.
  • ENG-105145, Vulnerable Debian Package - bind9 (CVE-2017-3135) - AlienVault 5.3.7 is not vulnerable.
  • ENG-105086, Vulnerable Debian Package - libevent (multiple CVEs) - AlienVault 5.3.7 is not vulnerable.
  • ENG-105078, Vulnerable Debian Package - mongodb (CVE-2016-6494) - AlienVault 5.3.7 is not vulnerable.
  • ENG-105077, Vulnerable Debian Package - openvpn (CVE-2016-6329) - AlienVault 5.3.7 is not vulnerable.
  • ENG-105070, Vulnerable Debian Package - vim (CVE-2017-5953) - AlienVault 5.3.7 is not vulnerable.
  • ENG-105051, Vulnerable Debian Package - libjasper1 (multiple CVEs) - AlienVault 5.3.7 is not vulnerable.
  • ENG-105037, Vulnerable Debian Package - php5 (multiple CVEs) - AlienVault 5.3.7 is not vulnerable.
  • ENG-104988, Vulnerable Debian Package - libgd2 (multiple CVEs) - AlienVault 5.3.7 is not vulnerable.
  • ENG-104959, Vulnerable Debian Package - tcpdump (multiple CVEs) - AlienVault 5.3.7 is not vulnerable.
  • ENG-104958, Vulnerable Debian Package - openssl (multiple CVEs) - AlienVault 5.3.7 is not vulnerable.
  • ENG-104932, Vulnerable Debian Package - mysql-5.5 (multiple CVEs) - AlienVault 5.3.7 is not vulnerable.
  • ENG-104945, Update nfsen to fix drop privileges vulnerability (multiple CVEs) - AlienVault 5.3.7 is not vulnerable.
  • ENG-104945, Vulnerability NfSen IPC query command injection (CVE-2017-6971) - AlienVault 5.3.7 is not vulnerable.

See the Security Advisory for USM and OSSIM v5.3.7 for more information.


Additional Upgrade Info for All Users on v5.1.1 and Earlier





Comments

  • Can someone please clarify what the change logs below actually mean?

    • ENG-104602 Duplicated events after rebooting an AIO or Sensor
    • ENG-104429 Uninstall winexesvc after HIDS agent deployment (being flagged as trojan in antivirus)
  • @rdieth

    • ENG-104429 Uninstall winexesvc after HIDS agent deployment (being flagged as trojan in antivirus)
    AlienVault is Linux-based and to push HIDS/OSSEC agents to Windows-based machines it uses a service called winexesvc and leaves the .exe file installed after the HIDS/OSSEC agent is deployed. The issue is that this service is sometimes used by trojans to allow intruders to push remote commands. Because of this, some anti-virus software flags this service as malware and this could cause a cascade of false positives.

    Ask me how I found out ;)
  • I'm pretty sure you found out the same way we found out, lol. Ours was that we couldn't even install HIDS agents because of winexesvc being blocked by antivirus; we had to write an exception rule, so I guess that spared us from the cascade of false positives.

    The part I'm confused about is that I thought winexesvc was required for the HIDS agents to run.


  • @rdieth / @eugene86 - out of curiosity, what firewalls are you using? 

    ENG-104602 Duplicated events after rebooting an AIO or Sensor
    Issue description: After rebooting an appliance there are duplicated events. The agent uses bookmarks to store the current positions and stats of the log files that are being monitored by plugins. Bookmarks are updated when the agent process stops, and when the appliance is rebooted the agent starts and will read/process events from the last position stored.

    ENG-104429 Uninstall winexesvc after HIDS agent deployment (being flagged as trojan in antivirus)
    This one is exactly what you guys mentioned above. The resolution here is that we added an uninstall script to remove winexesvc. However, as you guys mentioned, you still have problems deploying agents with the firewall - we are working on a follow-up to remove our use of winexesvc completely... That will be available in an upcoming release.
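The bookmark mechanism described in the comment above, as an added example that is not AlienVault's agent code: a minimal file-tailing collector that persists a byte-offset bookmark for the file it watches. The `commit_each_batch` switch, the temp file names, the JSON bookmark format and the sample syslog lines are all constructed for this illustration. With the bookmark written only on a clean `stop()`, an unclean reboot makes the new agent process start again from offset 0 and replay every event it had already delivered; committing the bookmark after each successful batch delivers each event once.

```python
import json
import os
import tempfile

# Constructed sample events for this example (not real AlienVault logs).
SAMPLE_LINES = [
    "Mar 22 10:00:01 host sshd[101]: Accepted publickey for admin from 10.0.0.5",
    "Mar 22 10:00:02 host sshd[102]: Failed password for root from 10.0.0.9",
    "Mar 22 10:00:03 host sudo: admin : TTY=pts/0 ; COMMAND=/bin/ls",
    "Mar 22 10:00:04 host sshd[103]: Failed password for root from 10.0.0.9",
    "Mar 22 10:00:05 host cron[200]: (root) CMD (run-parts /etc/cron.hourly)",
]


def load_bookmark(path):
    """Return the saved byte offset, or 0 when no bookmark exists yet."""
    try:
        with open(path) as fh:
            return json.load(fh)["offset"]
    except FileNotFoundError:
        return 0


def save_bookmark(path, offset):
    """Write the bookmark via rename so a crash mid-write cannot leave a torn file."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump({"offset": offset}, fh)
    os.replace(tmp, path)


def read_new_lines(log_path, offset):
    """Read complete lines after `offset`; return (lines, new_offset).

    A trailing partial line (no newline yet) is left for the next poll so the
    offset never lands in the middle of a record.
    """
    lines = []
    with open(log_path, "rb") as fh:
        fh.seek(offset)
        while True:
            line = fh.readline()
            if not line.endswith(b"\n"):
                break
            lines.append(line.rstrip(b"\n").decode())
            offset += len(line)
    return lines, offset


class Collector:
    """Stand-in for an agent plugin tailing one file (hypothetical, not the real agent).

    commit_each_batch=False mimics a bookmark persisted only on a clean stop();
    True persists it after every successful poll().
    """

    def __init__(self, log_path, bookmark_path, commit_each_batch):
        self.log_path = log_path
        self.bookmark_path = bookmark_path
        self.commit_each_batch = commit_each_batch
        self.offset = load_bookmark(bookmark_path)

    def poll(self):
        lines, self.offset = read_new_lines(self.log_path, self.offset)
        if self.commit_each_batch:
            save_bookmark(self.bookmark_path, self.offset)
        return lines

    def stop(self):
        save_bookmark(self.bookmark_path, self.offset)


def append_lines(log_path, lines):
    with open(log_path, "a") as fh:
        for line in lines:
            fh.write(line + "\n")


def simulate(commit_each_batch):
    """Run an agent, append events, then 'reboot' without ever calling stop().

    Returns every event delivered across both agent lifetimes.
    """
    workdir = tempfile.mkdtemp()
    log_path = os.path.join(workdir, "auth.log")
    bm_path = os.path.join(workdir, "auth.log.bookmark")
    delivered = []

    append_lines(log_path, SAMPLE_LINES[:3])
    agent = Collector(log_path, bm_path, commit_each_batch)
    delivered += agent.poll()
    append_lines(log_path, SAMPLE_LINES[3:])
    delivered += agent.poll()
    # Hard reboot: the process never reaches stop(), so a stop-only bookmark
    # is never written and the next agent starts from offset 0.
    agent = Collector(log_path, bm_path, commit_each_batch)
    delivered += agent.poll()
    agent.stop()
    return delivered


def duplicate_count(events):
    return len(events) - len(set(events))


if __name__ == "__main__":
    for mode in (False, True):
        ev = simulate(mode)
        print(f"commit_each_batch={mode}: delivered {len(ev)}, duplicates {duplicate_count(ev)}")
```

Committing after every batch trades a small amount of extra I/O for at-most-once replay on restart; a real collector would also record the file's inode and size in the bookmark to detect rotation or truncation, which this example leaves out.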
  • @LBarraco

    We're using Trend Micro. It started flagging the winexesvc.exe after we performed a major revision update.
  • @rdieth,

    I'm pretty sure that winexesvc is only used during the initial install phase for the HIDS agents. Once the install is done and the HIDS agent connect to the AV sensor, winexesvc is not used any more.
  • For us it's not the firewall that's the issue but the antivirus that's used by our clients. We have seen it blocked by SolarWinds, Trend Micro and Symantec so far.
  • My USM upgrade (through the web interface) reported a failed installation and the system rebooted. It now reports that it was successfully upgraded to v5.3.7 in Deployment->AlienVault Center. A quick overview and all "appears" to be okay... is there anything I should specifically check to confirm the upgrade was successful?
  • @eugene86 / @rdieth - makes sense. Thanks for the additional information! We're working on a fix for this right now. And yes, it is only used for the initial deployment and not used thereafter.
  • Malwarebytes Anti-Exploit blocks it as well. 
  • Does it require a reboot?

    Thanks.
  • Guys, do you have an RSS feed for release notes?
    https://www.alienvault.com/forums/categories/usm-appliance-releasenotes/feed.rss
    Doesn't seem to have the latest info...
    @CaptainCarrot Good catch. We'll investigate to see what is going on with the RSS feed.