CVE-2021-27945 - Cross-Site Scripting

09 Mar 2021

Squirro Insights Engine versions 2.0.0 up to and including 3.2.4 are affected by a Reflected Cross-Site Scripting (XSS) vulnerability. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which then executes in the browser of any user who views the relevant application content. The attacker-supplied code can perform a wide variety of actions, such as stealing victims’ session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes.

The issue was discovered during a routine vulnerability scan by one of our clients. We are not aware of any active exploits of this vulnerability.

Issue identifier: CVE-2021-27945

Products and Versions: Squirro Insights Engine 2.0.0 up to and including 3.2.4

CVSS 3.1 Base Score: 5.4 Medium

Solution

If your Squirro deployment is hosted by Squirro, the vulnerability has already been patched and no further action is required.

For other installations please follow the upgrade instructions at Upgrading Squirro.

For an update to older Long-term support (LTS) releases, contact Squirro Support.

Squirro also provides a low-risk hot fix that can be rolled out as a configuration change instead of upgrading the server. This hot fix, which is compatible with all Squirro versions, is described below.

Configuration Change to Fix

For systems affected by CVE-2021-27945 - Cross-Site Scripting where a software upgrade is deemed risky, a configuration change can instead be deployed to prevent the vulnerability from being exploited.

Squirro recommends that you involve a Squirro solution engineer to help with this change. To do so, please contact Squirro Support.

Configuration

The configuration change relies on the fact that all Squirro services are only exposed to the outside world using the nginx web server.

Additionally, the affected endpoint of Squirro is not used anywhere. As a result, you can simply block the path that had the Cross-Site Scripting issue from being accessed through an nginx configuration change.

Use the following steps to do so:

  1. Edit the file /etc/nginx/conf.d/frontend.conf.

  2. Add the following line at the very bottom of the file:

    location /help { return 404; }
    
  3. Save the file and exit the editor.

  4. Verify that the configuration is still valid by running this command:

    nginx -t
    
  5. If that command is successful, reload nginx:

    1. On RHEL / CentOS 8 and 7 you can use: systemctl reload nginx

    2. On RHEL / CentOS 6 you can use: service nginx reload

  6. Verify that the configuration change has taken effect by accessing the URL https://your-squirro-server/help/test, which should now return a 404 response.
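
As an added example (not part of the Squirro advisory or product), the following Python script checks that the location block from step 2 is present in a configuration file and that paths under /help now answer 404 on a running server; the server URL and config path are placeholders passed on the command line. Note that a plain `location /help` is an nginx prefix match, so besides /help and /help/test it also blocks any other path beginning with /help, which the advisory's statement that the endpoint is unused makes acceptable.

```python
import re
import sys
import urllib.error
import urllib.request

# The exact line the advisory adds to frontend.conf; the regex tolerates spacing differences.
BLOCK_RE = re.compile(r"^\s*location\s+/help\s*\{\s*return\s+404\s*;\s*\}\s*$", re.MULTILINE)


def config_has_block(conf_text: str) -> bool:
    """Return True if the hot-fix location block is present and not commented out."""
    uncommented = "\n".join(line.split("#", 1)[0] for line in conf_text.splitlines())
    return BLOCK_RE.search(uncommented) is not None


def nginx_prefix_matches(location: str, path: str) -> bool:
    """A plain 'location /help' is a prefix match in nginx: it catches /help and
    /help/test, but also /helpers or any other path that starts with /help."""
    return path.startswith(location)


def status_of(url: str, timeout: float = 5.0) -> int:
    """HTTP status for a GET of url; -1 if the server could not be reached."""
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2021-27945-hotfix-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:  # urllib raises on 4xx/5xx; the code is what we want
        return exc.code
    except urllib.error.URLError:
        return -1


def verify_hotfix(base_url: str) -> dict:
    """Map each probed /help path to True when the server now answers 404."""
    base = base_url.rstrip("/")
    return {p: status_of(base + p) == 404 for p in ("/help", "/help/test", "/help/?x=1")}


if __name__ == "__main__":
    # Usage: python check_hotfix.py https://your-squirro-server [/etc/nginx/conf.d/frontend.conf]
    if len(sys.argv) < 2:
        sys.exit("usage: check_hotfix.py BASE_URL [FRONTEND_CONF]")
    if len(sys.argv) > 2:
        with open(sys.argv[2], encoding="utf-8") as fh:
            print("location block present:", config_has_block(fh.read()))
    for path, blocked in verify_hotfix(sys.argv[1]).items():
        print(f"{path}: {'blocked (404)' if blocked else 'NOT blocked'}")
```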

Support

For further questions, contact Squirro Support.

For security-related communications, contact security@squirro.com.