Comments (3)
Note: I have quickly tested a setup with nginx:1.25.5-alpine-slim and did not run into any issues with booting up the system and some basic activity. Needs some additional testing, but can probably be moved to this version with the next release.
from timesketch.
Fair point. Are you aware of any specific vulnerability that can be exploited in the current Timesketch default set-up?
Have you tried a setup with the latest nginx container version? Would be interested if you experienced any breakage.
> Fair point. Are you aware of any specific vulnerability that can be exploited in the current Timesketch default set-up?
No, not that I am aware of. Took a look at the NGINX website and according to them the following items could be problems:
- Memory corruption in the ngx_http_mp4_module
  - Severity: medium
  - [Advisory](http://mailman.nginx.org/pipermail/nginx-announce/2022/RBRRON6PYBJJM2XIAPQBFBVLR4Q6IHRA.html), [CVE-2022-41741](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41741)
  - Not vulnerable: 1.23.2+, 1.22.1+
  - Vulnerable: 1.1.3-1.23.1, 1.0.7-1.0.15
  - [The patch](https://nginx.org/download/patch.2022.mp4.txt) [pgp](https://nginx.org/download/patch.2022.mp4.txt.asc)
- Memory disclosure in the ngx_http_mp4_module
  - Severity: medium
  - [Advisory](http://mailman.nginx.org/pipermail/nginx-announce/2022/RBRRON6PYBJJM2XIAPQBFBVLR4Q6IHRA.html), [CVE-2022-41742](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41742)
  - Not vulnerable: 1.23.2+, 1.22.1+
  - Vulnerable: 1.1.3-1.23.1, 1.0.7-1.0.15
  - [The patch](https://nginx.org/download/patch.2022.mp4.txt) [pgp](https://nginx.org/download/patch.2022.mp4.txt.asc)
- 1-byte memory overwrite in resolver
  - Severity: medium
  - [Advisory](http://mailman.nginx.org/pipermail/nginx-announce/2021/000300.html), [CVE-2021-23017](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23017)
  - Not vulnerable: 1.21.0+, 1.20.1+
  - Vulnerable: 0.6.18-1.20.0
  - [The patch](https://nginx.org/download/patch.2021.resolver.txt) [pgp](https://nginx.org/download/patch.2021.resolver.txt.asc)
They honestly don't sound like large enough problems to force an emergency update.
From a first glance at Dockerhub (this is not financial legal security advice, bla bla bla), it appears most warnings stem from Layer 6 of the Dockerfile. Some of the underlying commands used may be vulnerable, but I doubt that should lead to any problems for us.
What is more interesting to look at is the underlying Alpine base image. OpenSSL has 4 CVEs, of which only one sounded somewhat relevant to me. Apparently an infinite loop can also be reached when parsing crafted private keys, as they can contain explicit elliptic curve parameters, so it might be possible to DoS Nginx in certain circumstances, assuming it is using the OS OpenSSL library.
https://scout.docker.com/vulnerabilities/id/CVE-2022-0778?s=alpine&n=openssl&t=alpine&osn=alpine&osv=3.13&vr=%3C1.1.1n-r0&utm_source=hub&utm_medium=ExternalLink
I would not call this mission critical, nor do I have a PoC, but it might be worth taking a look at.
> Have you tried a setup with the latest nginx container version? Would be interested if you experienced any breakage.
Our Timesketch setup (and by extension Nginx Config) is modified quite a bit. Not sure if we are representative of everyone, but I will try deploying an updated NGINX and report back how things are going. Might take some time, since I'm fixing some other stuff first.
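As an added example (not from this thread or the Timesketch project): a small checker that parses the "Vulnerable" / "Not vulnerable" ranges quoted in the comment above and reports whether a given nginx image tag, such as the 1.25.5-alpine-slim mentioned at the top of the thread, is still inside them. The branch logic (the highest "Not vulnerable" entry is the open-ended mainline fix, every other entry covers only its own x.y stable branch) is my reading of nginx's advisory format and is an assumption.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Advisory data as quoted in the comment above (ranges copied from nginx.org).
ADVISORIES: Dict[str, Dict[str, str]] = {
    "CVE-2022-41741": {"vulnerable": "1.1.3-1.23.1, 1.0.7-1.0.15",
                       "not_vulnerable": "1.23.2+, 1.22.1+"},
    "CVE-2022-41742": {"vulnerable": "1.1.3-1.23.1, 1.0.7-1.0.15",
                       "not_vulnerable": "1.23.2+, 1.22.1+"},
    "CVE-2021-23017": {"vulnerable": "0.6.18-1.20.0",
                       "not_vulnerable": "1.21.0+, 1.20.1+"},
}

def parse_version(text: str) -> Version:
    """'1.25.5' -> (1, 25, 5); an image tag like '1.25.5-alpine-slim' also works."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"not an nginx version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))

def parse_vulnerable(text: str) -> List[Tuple[Version, Version]]:
    """'1.1.3-1.23.1, 1.0.7-1.0.15' -> [((1,1,3), (1,23,1)), ((1,0,7), (1,0,15))]"""
    ranges = []
    for item in text.split(","):
        lo, hi = item.split("-")
        ranges.append((parse_version(lo), parse_version(hi)))
    return ranges

def parse_fixed(text: str) -> List[Version]:
    """'1.23.2+, 1.22.1+' -> [(1,23,2), (1,22,1)]"""
    return [parse_version(item.rstrip("+ ")) for item in text.split(",")]

def is_fixed(v: Version, fixed: List[Version]) -> bool:
    """Assumption about nginx's format: the highest 'Not vulnerable' entry is the
    open-ended mainline fix; every other entry covers only its own x.y branch."""
    newest = max(fixed)
    return any(v >= f and (f == newest or v[:2] == f[:2]) for f in fixed)

def affected(version: str, cve: str) -> bool:
    """True if `version` lies in a vulnerable range and no fixed entry covers it."""
    v = parse_version(version)
    adv = ADVISORIES[cve]
    in_range = any(lo <= v <= hi for lo, hi in parse_vulnerable(adv["vulnerable"]))
    return in_range and not is_fixed(v, parse_fixed(adv["not_vulnerable"]))

def report(version: str) -> Dict[str, bool]:
    """Map every advisory above to whether `version` is still affected by it."""
    return {cve: affected(version, cve) for cve in ADVISORIES}
```

A "not affected" result only reflects the version ranges the advisories quote; whether the mp4 module or the resolver is actually compiled in and configured in a given image is a separate check.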