Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cherry-pick #22937 to 7.x: [Winlogbeat] protect against accessing undefined variable in security module #22971

Merged
merged 2 commits into from
Dec 9, 2020
Merged

Cherry-pick #22937 to 7.x: [Winlogbeat] protect against accessing undefined variable in security module #22971

merged 2 commits into from
Dec 9, 2020

Conversation

andrewkroh
Copy link
Member

@andrewkroh andrewkroh commented Dec 7, 2020
edited by zube bot
Loading

Cherry-pick of PR #22937 to 7.x branch. Original message:

What does this PR do?

This pull request protects against trying to use string functions against a variable which is undefined. This has already been done for two other variables, but not this one:

logonSuccess

https://github.com/elastic/beats/blob/8369eff1c4d75fd164a8b171f1f2481c1a13932b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js#L1689-L1704

event4648

https://github.com/elastic/beats/blob/8369eff1c4d75fd164a8b171f1f2481c1a13932b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js#L1707-L1721

Why is it important?

In some environments, as much as 99% of some events are showing this error (particularly with event id 4625)

TypeError: Cannot read property 'split' of undefined at c:\Program Files\winlogbeat-7.10.0/module/security/config/winlogbeat-security.js:1522:24(16)

Checklist

  • My code follows the style guidelines of this project
    [ ] I have commented my code, particularly in hard-to-understand areas
    [ ] I have made corresponding changes to the documentation
    [ ] I have made corresponding change to the default configuration files
    [ ] I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

  • [ ]

How to test this PR locally

go test

Related issues

Similar work was recently done for the Sysmon module: #22236 #22219

Use cases

Screenshots

Logs

@andrewkroh
[Winlogbeat] protect against accessing undefined variable in security…
c4668a5 
… module (elastic#22937)

Adding protection for undefined variable in copy target user

(cherry picked from commit 7c64f53)
@andrewkroh andrewkroh requested a review from a team as a code owner December 7, 2020 23:44
@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Dec 7, 2020
@elasticmachine
Copy link
Collaborator

elasticmachine commented Dec 7, 2020
edited by jenkins-beats-ci bot
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: Pull request #22971 updated

  • Start Time: 2020-12-07T23:47:35.550+0000

  • Duration: 21 min 28 sec

Test stats 🧪

Test Results
Failed 0
Passed 92
Skipped 0
Total 92

💚 Flaky test report

Tests succeeded.

Expand to view the summary

Test stats 🧪

Test Results
Failed 0
Passed 92
Skipped 0
Total 92

@andrewkroh andrewkroh merged commit b6c5f86 into elastic:7.x Dec 9, 2020
@zube zube bot removed the [zube]: Done label Mar 9, 2021
@andrewkroh andrewkroh deleted the backport_22937_7.x branch January 14, 2022 14:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@leehinman leehinman leehinman approved these changes

Assignees
No one assigned
Labels
backport
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@andrewkroh @elasticmachine @leehinman