28.04.2020 15:27

IntelMQ Manager release 2.1.1 fixes critical security issue

IntelMQ Manager version 2.1.1, released yesterday, fixes a Remote Code Execution flaw (CWE-78: 'OS Command Injection'). The documentation for version 2.1.1 and installation instructions can be found on our GitHub repository.

Always run IntelMQ Manager instances in private networks with proper authentication and TLS. Furthermore, restrict access to the tool to web browsers that can only access internal websites, as a workaround for existing CSRF issues. See also our security considerations for more details.

The issue was discovered by Bernhard Herzog (Intevation) during work sponsored by SUNET to fix the missing CSRF protection and migrate the application backend to Python.

Update 2020-04-30: This vulnerability has been assigned CVE-2020-11016.

This blog post is part of a series of blog posts related to our CEF Telecom 2018-AT-IA-0111 project, which also supports our participation in the CSIRTs Network.

Co-financed by the European Union; Connecting Europe Facility

Written by: Sebastian Wagner