Security Bulletin

Security vulnerability in NodeJS library used by Sisense 7.2.1 and 7.2.1 Service Pack 1

We have recently discovered a low severity security vulnerability in the NodeJS libraries used in version 7.2.1. The issue is resolved in 7.2.1 service pack 3 (7.2.1.13003), released Dec. 6th, 2018. This issue is not relevant for any other versions.

We found that a third-party NodeJS package used by Sisense included malicious code that could be used to steal Bitcoin from BitPay and Copay wallets. The malicious code targeted developers at the Copay company who had a very specific development environment setup; running the payload in any other environment has no effect. Because of this narrow targeting, most applications are not affected even if the malicious module is mistakenly deployed. In Sisense specifically, this vulnerability could not be used to access any Sisense data and was not used by Sisense code, but antivirus programs identify it as malware.
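The practical check for this class of incident is whether a flagged package version is present anywhere in an application's dependency tree, including as a transitive dependency. The following Node.js script is an added example and is not Sisense's code: it reads a package-lock.json (both the nested lockfileVersion 1 layout and the flat lockfileVersion 2/3 "packages" layout) and reports every installed package whose name@version appears on a deny list. The lockfile and the deny-list entry "bad-transitive@0.1.1" are constructed placeholders; real entries must come from the advisory for the incident in question.

```javascript
// Added example (not Sisense code): audit a package-lock.json for packages on a
// deny list of name@version pairs known to carry malicious code.
// Handles both lockfileVersion 1 ("dependencies", nested) and 2/3 ("packages", flat).
'use strict';

// Constructed sample lockfile carrying both layouts so the script runs stand-alone.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/harmless-lib': { version: '3.1.0' },
    'node_modules/harmless-lib/node_modules/bad-transitive': { version: '0.1.1' },
  },
  dependencies: {
    'harmless-lib': {
      version: '3.1.0',
      requires: { 'bad-transitive': '0.1.1' },
      dependencies: { 'bad-transitive': { version: '0.1.1' } },
    },
  },
};

// Placeholder deny list (constructed); populate from the relevant advisory.
const DENY_LIST = new Set(['bad-transitive@0.1.1']);

// Derive the package name from a v2/v3 "packages" key such as
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPackagesKey(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Walk the v1-style nested "dependencies" tree, recording name, version and path.
function walkDependencies(deps, path, out) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const here = [...path, name];
    out.push({ name, version: entry.version, path: here.join(' > ') });
    if (entry.dependencies) walkDependencies(entry.dependencies, here, out);
  }
}

// Return every installed package as {name, version, path}, whichever lockfile layout.
function listInstalled(lock) {
  const out = [];
  if (lock.packages) {
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key === '') continue; // root project entry, not a dependency
      out.push({ name: nameFromPackagesKey(key), version: entry.version, path: key });
    }
  } else {
    walkDependencies(lock.dependencies, [], out);
  }
  return out;
}

// Return the installed entries whose name@version is on the deny list.
function findDenied(lock, denyList) {
  return listInstalled(lock).filter((p) => denyList.has(`${p.name}@${p.version}`));
}

// Stand-alone run: `node audit.js ./package-lock.json`, or the sample when no path is given.
if (typeof require === 'function' && typeof module !== 'undefined' && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  const hits = findDenied(lock, DENY_LIST);
  for (const h of hits) console.log(`DENIED ${h.name}@${h.version} at ${h.path}`);
  process.exitCode = hits.length ? 1 : 0; // non-zero exit lets CI fail the build
}
```

Because the script walks the installed tree rather than the top-level dependency list, it catches a flagged version that arrives only as a dependency of a dependency, which is how most applications pick up such a module without ever naming it themselves.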

For more information about this vulnerability, see here.

Remediation:

If you are using one of the builds mentioned above and are concerned about the antivirus alerts, we recommend upgrading to the latest 7.2.1 version, available for download here.


Update regarding a security vulnerability resolved in Sisense V6.7.1 on May 23, 2018

Starting from Sisense V6.7, there was an issue with data security rules. This rare issue occurred only when a single dashboard contained at least two widgets from entirely disconnected tables, meaning that there was no relationship path leading from one table to the other.

If a filter was applied to one of the tables, the data security rules of the second table were disabled: the widget showing data from the second table displayed all of its data, without data security rule restrictions.

Note that the issue did not occur when a dashboard used only widgets related to a single data security field. It also did not occur if any relationship path existed between the tables of the data security fields. The path did not have to be a direct relationship between the tables; it could go through other tables.

The issue is resolved in Sisense V6.7.1 (build 6.7.1.17004), and in Sisense V7.1.2.
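For deployments still on an affected build, the condition above can be checked mechanically: a dashboard is exposed only if its widgets read from tables that lie in different connected components of the relationship graph, where a path through intermediate tables counts as connected. The script below is an added example, not Sisense's code or API; it assumes the data model has been exported as a list of table-to-table relationships and each dashboard as a list of widgets with the table each one queries (both constructed here), and it flags dashboards whose widget tables fall into more than one component.

```javascript
// Added example (not Sisense code): flag dashboards whose widgets draw from
// tables with no relationship path between them, the condition under which the
// data security rules of one table could be bypassed on affected builds.
'use strict';

// Constructed data model: each relationship is an undirected edge between tables.
// Orders - Customers - Regions are linked; Audit has no relationships at all.
const SAMPLE_RELATIONSHIPS = [
  ['Orders', 'Customers'],
  ['Customers', 'Regions'],
];

// Constructed dashboards: each widget names the table it queries.
const SAMPLE_DASHBOARDS = [
  { name: 'Sales by region', widgets: [{ table: 'Orders' }, { table: 'Regions' }] },
  { name: 'Orders vs audit', widgets: [{ table: 'Orders' }, { table: 'Audit' }] },
  { name: 'Audit only', widgets: [{ table: 'Audit' }, { table: 'Audit' }] },
];

// Build an adjacency map (table -> set of directly related tables).
function buildGraph(relationships) {
  const graph = new Map();
  const add = (a, b) => {
    if (!graph.has(a)) graph.set(a, new Set());
    graph.get(a).add(b);
  };
  for (const [a, b] of relationships) {
    add(a, b);
    add(b, a);
  }
  return graph;
}

// Breadth-first search from `start`, labelling every reachable table with `label`.
function labelComponent(graph, start, labels, label) {
  const queue = [start];
  labels.set(start, label);
  while (queue.length) {
    const table = queue.shift();
    for (const next of graph.get(table) || []) {
      if (!labels.has(next)) {
        labels.set(next, label);
        queue.push(next);
      }
    }
  }
}

// Label the component of each table a dashboard uses. A table with no
// relationships at all (absent from the graph) becomes its own component.
function componentLabels(graph, tables) {
  const labels = new Map();
  let nextLabel = 0;
  for (const t of tables) {
    if (!labels.has(t)) labelComponent(graph, t, labels, nextLabel++);
  }
  return labels;
}

// Return the names of dashboards whose widgets span more than one component,
// i.e. at least two widgets read from tables with no relationship path between them.
function findAtRiskDashboards(dashboards, relationships) {
  const graph = buildGraph(relationships);
  const atRisk = [];
  for (const d of dashboards) {
    const tables = [...new Set(d.widgets.map((w) => w.table))];
    const labels = componentLabels(graph, tables);
    const components = new Set(tables.map((t) => labels.get(t)));
    if (components.size > 1) atRisk.push(d.name);
  }
  return atRisk;
}

// Stand-alone run against the constructed sample.
console.log('At-risk dashboards:', findAtRiskDashboards(SAMPLE_DASHBOARDS, SAMPLE_RELATIONSHIPS));
```

The check deliberately follows the wording of the bulletin: indirect paths are honoured because the search walks the whole component, and a dashboard whose widgets all come from one table, or from tables that are transitively related, is not reported. A flagged dashboard is one to review, or to avoid filtering on, until the deployment is on 6.7.1.17004 or 7.1.2 or later.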


Update regarding Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715)

Meltdown and Spectre are recently disclosed vulnerabilities in Intel processors that affect all Windows operating systems. Sisense provides an application and does not provide the server hardware or the Windows OS; these are provided by customers. As such, securing the OS is the customer's responsibility.

We recommend that customers follow all security recommendations of the vendors who provided the customer's OS. The current Windows recommendation is to install the latest available security updates for the OS. Sisense has run extensive performance tests on the Windows OS patch and found a minimal impact on performance.

For more information about these vulnerabilities and how to mitigate them, see:

Meltdown and Spectre: A high-level description of the vulnerabilities.

Project Zero: Describes the theory behind the vulnerabilities by those who discovered them.

Intel Official Announcement: Describes Intel’s response to the vulnerabilities.

AMD Processor Security: Describes AMD’s response to the vulnerabilities.