4.0.4 Release notes - 14 January 2021

This section lists the changes in version 4.0.4. More details about these changes are provided in the changelog of each component:

ThreatLockDown core

Added

API

  • Missing secure headers for API responses to fulfill the OWASP recommendations.

  • New option to disable uploading configurations containing remote commands.

  • New option to choose the SSL ciphers. Default value TLSv1.2.

Changed

API

  • Restore and update API configuration endpoints have been deprecated.

  • JWT token expiration time set to 15 minutes.

Fixed

API

  • Fixed a path traversal flaw (CVE-2021-26814) affecting 4.0.0 to 4.0.3 at /manager/files and /cluster/{node_id}/files endpoints. This vulnerability allowed authenticated users to execute arbitrary code with administrative privileges via /manager/files URI. An authenticated user to the service could exploit incomplete input validation on the /manager/files API to inject arbitrary code within the API service script. Thanks to Davide Meacci for reporting this vulnerability.

Framework

  • Bug with client.keys file handling when adding agents without authd.

Core

  • The purge of the Redhat vulnerabilities database before updating it.

ThreatLockDown Kibana plugin

Added

  • Support for ThreatLockDown v4.0.4.