Jeffrey Everling has identified a nasty privilege escalation vulnerability in all versions of TheHive, including Mellifera 13.2 (TheHive 2.13.2) and Cerana 0.2 (TheHive 3.0.2). Jeffrey reported it to us today Friday, Dec 22, 2017. Thanks but we could think of a better Christmas gift 😉
The vulnerability allows users with read-only or read/write access to escalate their privileges and eventually become administrators. To exploit it, an attacker must have access to an account on TheHive with read-only or read/write privileges.
The attacker needs to interact with the API in a specific though trivial way to obtain administrator privileges. After verifying that their request has been correctly processed, they connect to TheHive using the Web UI and they will see the administrator menu from where they can edit or lock user accounts, add case templates, etc.
We highly recommend you update TheHive to Cerana 0.3 (TheHive 3.0.3) which fixes the vulnerability. If you are still using Mellifera and have not made the move to Cerana yet, please update to Mellifera 13.3 (TheHive 2.13.3) which also corrects this flaw.
If you cannot immediately apply the hotfixes we have released, we have created a shell script that will allow you to spot anyone who exploited the vulnerability. You can download the script from the following location:
The SHA256 hash of the script is:
When you run the script, it will display all users that have changed their roles. If a single match is found, it means your instance has been potentially compromised. We advise you to create a crontab which will execute the script on a regular basis until you apply the hotfixes.
To Upgrade to Cerana 0.3 (TheHive 3.0.3)
Start by following the migration guide.
If you are performing a fresh installation, read the installation guide corresponding to your needs and enjoy. Please note that you can install TheHive using an RPM or DEB package, use Docker, install it from a binary or build it from sources.
To Upgrade to Mellifera 13.3 (TheHive 2.13.3)
dpkg -i TheHive_2.13.3-1_all.deb
The SHA256 hash of the DEB package is:
rpm -Uvh thehive-2.13.3-1.noarch.rpm
The SHA256 hash of the RPM package is:
docker run certbdf/thehive:2.13.3-1
The SHA256 hash of the binary package is:
Unzip the file in the folder of your choosing.
Something does not work as expected? You have troubles installing or upgrading? No worries, please join our user forum, contact us on Gitter, or send us an email at firstname.lastname@example.org. We are here to help.