=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2009/VULN549
_____________________________________________________________________

DATE                      : 22/12/2009

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running OSSIM versions prior to 2.1.5-4.

======================================================================
http://www.alienvault.com/community.php?section=News
______________________________________________________________________

2009/12/16 - Security vulnerabilities found, upgrade your AV Open Source
SIM today.

Nahuel Grisolia at Cybsec Security Systems has discovered a series of
security vulnerabilities affecting OSSIM up to the 2.1.5-3 release. Check
out the advisories for more details. Basically, three types of bugs have been
spotted:

    * SQL injections (prior login to the platform required)
    * Arbitrary file upload
    * Remote code execution

If you've upgraded to 2.1.5-4 you already have the fixes; if not, please
update as soon as possible.
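The only actionable item in this bulletin is the version boundary: anything older than 2.1.5-4 is affected. The following is an added example, not code from CERT-Renater or AlienVault, showing how to check an inventory of OSSIM hosts against that boundary. Versions such as "2.1.5-3" carry a Debian-style package revision after the hyphen, and the comparison has to be numeric per component (a string comparison would rank "2.1.5-10" below "2.1.5-4"). The hostnames and versions in SAMPLE_INVENTORY are constructed for illustration.

```python
import re

# Fixed release named in the advisory; anything older is affected.
FIXED_VERSION = "2.1.5-4"


def parse_version(version: str) -> tuple:
    """Split an OSSIM package version like '2.1.5-3' into a comparable tuple.

    The upstream part ('2.1.5') and the Debian-style package revision ('3')
    are compared numerically, component by component, so that '2.1.5-10'
    sorts after '2.1.5-4'. A version without a revision suffix is treated
    as revision 0 (an assumption; the advisory does not define that case).
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    upstream = tuple(int(x) for x in m.group(1).split("."))
    revision = int(m.group(2)) if m.group(2) else 0
    return (upstream, revision)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def triage(inventory: dict) -> list:
    """Return the hostnames from an inventory {host: version} that still need the update."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = {
    "ossim-a.example": "2.1.5-3",
    "ossim-b.example": "2.1.5-4",
    "ossim-c.example": "2.1.5-10",
    "ossim-d.example": "2.0",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is older than {FIXED_VERSION}, update required")
```

The inventory dictionary stands in for whatever asset database records the installed OSSIM package version; the comparison logic is the part worth keeping.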

We'd like to thank Cybsec for the manner in which this joint disclosure has
been approached; it's always nice to be contacted before public disclosure.


======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================