
For systems affected by CVE-2021-27945 (Cross-Site Scripting) on which a software upgrade is deemed too risky, a configuration change can be deployed instead to prevent the vulnerability from being exploited.

It is recommended that you have a Squirro solution engineer help with this change. They have most likely already reached out to you; otherwise, please contact us at support@squirro.com for assistance.

Configuration

The configuration change relies on two facts: all Squirro services are exposed to the outside world only through the nginx web server, and the affected Squirro endpoint is not used anywhere. As a result, the path that had the Cross-Site Scripting issue can simply be blocked through an nginx configuration change. Because the block only applies to requests that pass through nginx, confirm that the backend service ports are not reachable from outside the host by any other route before relying on this workaround.

Use the following steps to do so:

  1. Edit the file /etc/nginx/conf.d/frontend.conf.

  2. Add the following line at the very bottom of the file (location /help is a prefix match, so it also blocks every path below it, such as /help/test):

    location /help { return 404; }
  3. Save the file and exit the editor.

  4. Verify that the configuration is still valid by running this command:

    nginx -t
  5. If that command is successful, reload nginx. If instead nginx reports that the "location" directive is not allowed here, the line landed outside the server { ... } block of the file; move it inside that block and run the check again.

    1. On RHEL / CentOS 8 and 7 you can use: systemctl reload nginx

    2. On RHEL / CentOS 6 you can use: service nginx reload

  6. Verify that the configuration change has taken effect by accessing the URL https://your-squirro-server/help/test. It should now return an HTTP 404 response (the nginx "404 Not Found" page) instead of any Squirro content.
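The whole procedure above as one idempotent shell script, added here as an example; it is not Squirro's own tooling. It assumes the file path and URL named in the steps (/etc/nginx/conf.d/frontend.conf and https://your-squirro-server, both overridable via the CONF and BASE_URL environment variables), that curl is installed, and that the script name apply-help-block.sh and the "apply" argument are this example's own conventions. The nginx commands only run when the script is invoked with "apply" as root, so the helper functions can be sourced and exercised safely on any host.

```shell
#!/bin/sh
# Added example (not Squirro's own tooling): applies the nginx workaround
# from the steps above idempotently and verifies it. Assumptions: the nginx
# config lives at /etc/nginx/conf.d/frontend.conf, the server answers on
# https://your-squirro-server, and curl is installed.
set -eu

CONF="${CONF:-/etc/nginx/conf.d/frontend.conf}"
BASE_URL="${BASE_URL:-https://your-squirro-server}"

# The block the workaround adds. "location /help" is a prefix match, so it
# also covers /help/test and anything else under /help.
location_block() {
    printf '%s\n' 'location /help { return 404; }'
}

# Return 0 if the file already contains the workaround block.
has_block() {
    grep -qE '^[[:space:]]*location[[:space:]]+/help[[:space:]]*\{' "$1"
}

# Append the block once; safe to run repeatedly.
append_block() {
    if has_block "$1"; then
        echo "workaround already present in $1"
    else
        location_block >> "$1"
        echo "workaround appended to $1"
    fi
}

# Reload nginx with whichever init system is available (systemd on
# RHEL/CentOS 7 and 8, SysV init on RHEL/CentOS 6).
reload_nginx() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl reload nginx
    else
        service nginx reload
    fi
}

# Fetch only the HTTP status code for a URL (TLS verification stays on).
http_status() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

# Verification succeeds only when the blocked path answers 404.
status_is_blocked() {
    [ "$1" = "404" ]
}

# Usage: sh apply-help-block.sh apply   (run as root)
if [ "${1:-}" = "apply" ]; then
    cp -p "$CONF" "$CONF.bak.$(date +%Y%m%d%H%M%S)"   # keep a backup
    append_block "$CONF"
    nginx -t                      # set -e aborts here if the config is invalid
    reload_nginx
    code="$(http_status "$BASE_URL/help/test")"
    if status_is_blocked "$code"; then
        echo "OK: $BASE_URL/help/test returns 404"
    else
        echo "FAIL: $BASE_URL/help/test returned $code" >&2
        exit 1
    fi
fi
```

The grep pattern in has_block is what makes the script safe to re-run: a second invocation will not append a duplicate location block, which nginx would otherwise reject at the nginx -t step.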
