
[Bug] Unable to list Cases #1598

Closed
mwalkowski opened this issue Oct 27, 2020 · 12 comments
Labels: bug, TheHive4 (TheHive4 related issues)

@mwalkowski

Bug

Work Environment

OS version (server): CentOS Linux release 8.2.2004 (Core)
OS version (client): MacOS
TheHive version / git hash: 4.0.1
Package Type: Binary
Browser type & version: Chrome 86.0.4240.111

Problem Description

When I try to view the list of Cases, I get an empty list (see error below).

Steps to Reproduce

[screenshot]

Complementary information

2020-10-27 19:29:37,049 [ERROR] from akka.actor.ActorSystemImpl in application-akka.actor.default-dispatcher-2242 - Response stream for [POST /api/v1/query] failed with 'The property does not exist as the key has no associated value for the provided element: v[87539888]:namespace'. Aborting connection.
java.lang.IllegalStateException: The property does not exist as the key has no associated value for the provided element: v[87539888]:namespace
	at org.apache.tinkerpop.gremlin.structure.Property$Exceptions.propertyDoesNotExist(Property.java:155)
	at org.apache.tinkerpop.gremlin.structure.Element.lambda$value$1(Element.java:94)
	at org.apache.tinkerpop.gremlin.structure.Property.orElseThrow(Property.java:101)
	at org.apache.tinkerpop.gremlin.structure.Element.value(Element.java:94)
	at org.thp.thehive.models.Tag$$anon$1$$anon$2.liftedTree1$1(Tag.scala:11)
	at org.thp.thehive.models.Tag$$anon$1$$anon$2.<init>(Tag.scala:11)
	at org.thp.thehive.models.Tag$$anon$1.toDomain(Tag.scala:11)
	at org.thp.thehive.models.Tag$$anon$1.toDomain(Tag.scala:11)
	at org.thp.scalligraph.services.package$RichElement.as(package.scala:13)
	at org.thp.thehive.services.CaseSteps.$anonfun$richCaseWithCustomRenderer$9(CaseSrv.scala:393)
	at scala.collection.TraversableLike.$anonfun$map$1(TraversableLike.scala:273)
	at scala.collection.Iterator.foreach(Iterator.scala:943)
	at scala.collection.Iterator.foreach$(Iterator.scala:943)
	at scala.collection.AbstractIterator.foreach(Iterator.scala:1431)
	at scala.collection.IterableLike.foreach(IterableLike.scala:74)
	at scala.collection.IterableLike.foreach$(IterableLike.scala:73)
	at scala.collection.AbstractIterable.foreach(Iterable.scala:56)
	at scala.collection.TraversableLike.map(TraversableLike.scala:273)
	at scala.collection.TraversableLike.map$(TraversableLike.scala:266)
	at scala.collection.AbstractTraversable.map(Traversable.scala:108)
	at org.thp.thehive.services.CaseSteps.$anonfun$richCaseWithCustomRenderer$8(CaseSrv.scala:393)
	at org.thp.scalligraph.steps.StepsOps$TraversalOps.$anonfun$map$1(StepsOps.scala:402)
	at gremlin.scala.GremlinScala.$anonfun$map$1(GremlinScala.scala:166)
	at org.apache.tinkerpop.gremlin.process.traversal.step.map.LambdaMapStep.map(LambdaMapStep.java:42)
	at org.apache.tinkerpop.gremlin.process.traversal.step.map.MapStep.processNextStart(MapStep.java:37)
	at org.apache.tinkerpop.gremlin.process.traversal.step.util.AbstractStep.hasNext(AbstractStep.java:143)
	at org.apache.tinkerpop.gremlin.process.traversal.util.DefaultTraversal.hasNext(DefaultTraversal.java:197)
	at scala.collection.convert.Wrappers$JIteratorWrapper.hasNext(Wrappers.scala:43)
	at scala.collection.Iterator$$anon$10.hasNext(Iterator.scala:460)
	at scala.collection.Iterator$$anon$10.hasNext(Iterator.scala:460)
	at akka.stream.impl.fusing.StatefulMapConcat$$anon$49.hasNext(Ops.scala:2176)
	at akka.stream.impl.fusing.StatefulMapConcat$$anon$49.pushPull(Ops.scala:2183)
	at akka.stream.impl.fusing.StatefulMapConcat$$anon$49.onPull(Ops.scala:2199)
	at akka.stream.impl.fusing.GraphInterpreter.processPull(GraphInterpreter.scala:551)
	at akka.stream.impl.fusing.GraphInterpreter.processEvent(GraphInterpreter.scala:499)
	at akka.stream.impl.fusing.GraphInterpreter.execute(GraphInterpreter.scala:390)
	at akka.stream.impl.fusing.GraphInterpreterShell.runBatch(ActorGraphInterpreter.scala:625)
	at akka.stream.impl.fusing.GraphInterpreterShell$AsyncInput.execute(ActorGraphInterpreter.scala:502)
	at akka.stream.impl.fusing.GraphInterpreterShell.processEvent(ActorGraphInterpreter.scala:600)
	at akka.stream.impl.fusing.ActorGraphInterpreter.akka$stream$impl$fusing$ActorGraphInterpreter$$processEvent(ActorGraphInterpreter.scala:769)
	at akka.stream.impl.fusing.ActorGraphInterpreter.akka$stream$impl$fusing$ActorGraphInterpreter$$shortCircuitBatch(ActorGraphInterpreter.scala:759)
	at akka.stream.impl.fusing.ActorGraphInterpreter$$anonfun$receive$1.applyOrElse(ActorGraphInterpreter.scala:785)
	at akka.actor.Actor.aroundReceive(Actor.scala:535)
	at akka.actor.Actor.aroundReceive$(Actor.scala:533)
	at akka.stream.impl.fusing.ActorGraphInterpreter.aroundReceive(ActorGraphInterpreter.scala:691)
	at akka.actor.ActorCell.receiveMessage(ActorCell.scala:575)
	at akka.actor.ActorCell.invoke(ActorCell.scala:545)
	at akka.dispatch.Mailbox.processMailbox(Mailbox.scala:270)
	at akka.dispatch.Mailbox.run(Mailbox.scala:231)
	at akka.dispatch.Mailbox.exec(Mailbox.scala:243)
	at java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:289)
	at java.util.concurrent.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1056)
	at java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1692)
	at java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:175)
2020-10-27 19:29:37,049 [DEBUG] from akka.http.impl.util.StreamUtils$DelayCancellationStage$$anon$11 in application-akka.actor.default-dispatcher-2242 - Delaying cancellation for 1 minute

mwalkowski added the TheHive4 (TheHive4 related issues) and bug labels on Oct 27, 2020
@To-om (Contributor) commented Oct 28, 2020

You have an invalid tag in your data. Can you explain how you created the case and what tags you filled in?

To-om self-assigned this on Oct 28, 2020
@mwalkowski (Author)

Thank you for the response.

I have been creating Cases using the API from received alerts, and now I found that I have the same problem with them. Alerts are created from https://github.com/DSecureMe/vmc-docker/blob/master/demo/config/elastalert/rules/new_asset_with_empty_owner.yaml

Is there any possibility to check, for example, directly in Cassandra which tag it is or what it looks like?

@nadouani (Contributor) commented Oct 28, 2020

You can list your tags and share the results by calling:

curl -XPOST -H 'Authorization: Bearer API_KEY' 'http://SERVER/api/tag/_search?range=all' -d '{
    "query": {}
}'
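The tag dump returned by that query can be checked offline for entries that would trip the `namespace` lookup in the stack trace above, or that carry odd characters. The script below is an added example, not TheHive's code or the commenters': `fetch_tags` issues the same request as the curl command in this comment against the `/api/tag/_search?range=all` endpoint, and `find_suspect_tags` applies an allowed-character heuristic of my own choosing (`SAFE_TAG`, an assumption rather than a TheHive rule) to `SAMPLE_TAGS`, a constructed list shaped like the response.

```python
import json
import re
import urllib.request

# Constructed sample in the shape of the tag objects returned by
# POST /api/tag/_search?range=all (not real data from the issue).
SAMPLE_TAGS = json.loads("""[
  {"namespace": "_autocreate", "predicate": "malware", "colour": 0},
  {"namespace": "_autocreate", "predicate": "[]", "colour": 0},
  {"namespace": "_autocreate", "predicate": "<>?/'", "value": ";[]{}", "colour": 0},
  {"predicate": "orphan", "colour": 0},
  {"namespace": "_autocreate", "predicate": "", "colour": 0}
]""")

# Heuristic (my assumption, not a TheHive rule): letters in any script (so the
# Polish "ęąćżźłó" mentioned later in the thread passes), digits, underscore,
# space, dot, colon, dash and slash are treated as normal tag characters.
SAFE_TAG = re.compile(r"^[\w .:\-/]+$")


def fetch_tags(server, api_key):
    """Same request as the curl command above; returns the parsed JSON list."""
    req = urllib.request.Request(
        f"{server}/api/tag/_search?range=all",
        data=json.dumps({"query": {}}).encode(),
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def find_suspect_tags(tags):
    """Return [{'index', 'reasons', 'tag'}] for tags that look malformed.

    A tag vertex without a 'namespace' property is exactly what the
    IllegalStateException in the report complains about, so missing or
    empty fields are reported first; unusual characters are only a hint
    that the entry deserves a look.
    """
    findings = []
    for i, tag in enumerate(tags):
        reasons = []
        for field in ("namespace", "predicate"):
            if field not in tag:
                reasons.append(f"missing '{field}'")
            elif not tag[field]:
                reasons.append(f"empty '{field}'")
            elif not isinstance(tag[field], str) or not SAFE_TAG.match(tag[field]):
                reasons.append(f"'{field}' is not a plain string of allowed characters")
        value = tag.get("value")
        if value is not None and (not isinstance(value, str) or not SAFE_TAG.match(value)):
            reasons.append("'value' is not a plain string of allowed characters")
        if reasons:
            findings.append({"index": i, "reasons": reasons, "tag": tag})
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_TAGS with fetch_tags("http://SERVER", "API_KEY") to check a live dump.
    for f in find_suspect_tags(SAMPLE_TAGS):
        print(f["index"], "; ".join(f["reasons"]), json.dumps(f["tag"], ensure_ascii=False))
```

Running it against a real dump only tells you which entries to inspect; a non-ASCII predicate such as the Polish example in this thread is accepted by the heuristic, while structural problems (no `namespace` at all) are the ones that match the exception text in the log.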

@mwalkowski (Author)

Sure, there are many of them so I put them in the file: tags.json

@nadouani (Contributor)

There are a lot of tags that look weird out there:

{
    "namespace": "_autocreate",
    "predicate": "[]",
    "colour": 0
},
{
    "namespace": "_autocreate",
    "predicate": "~",
    "colour": 0
},
{
    "namespace": "_autocreate",
    "predicate": "<>?/'",
    "value": ";[]{}",
    "colour": 0
},
{
    "namespace": "_autocreate",
    "predicate": "{}",
    "colour": 0
},
{
    "namespace": "_autocreate",
    "predicate": "`",
    "colour": 0
},

BTW, I don't think tags are the right place to put IPs etc...

@rafalszymanek

I work along with @mwalkowski.
As for the fragment presented by @nadouani, I added these tags manually (as alerts created via the API) as part of a test of whether the characters are displayed correctly and do not break TheHive. These tags were displayed correctly, as below:

[Screenshot 2020-10-29 at 09 01 12]

I don't think it's a problem because of the tags (maybe I'm wrong). As proof:
I can download all tags via the API, but I cannot download a certain part of the alerts.
Probably we cannot display cases because one of the cases contains one of the alerts that don't work correctly.

I tried to track down this part of the alerts, but I cannot see it in the database (Cassandra) or display it in TheHive, and I also cannot download it via the API.

PS. "ęąćżźłó" is just all the Polish characters.

@mwalkowski (Author)

@To-om Do you have any ideas on how to investigate the problem?

@rafalszymanek commented Nov 9, 2020

Ok, with @mwalkowski we found what causes the problem.
PoC:

  1. Create a new case from alerts. It may be one alert or more.
  2. The case is created correctly, and TheHive works fine.
  3. Go back to the alerts and create a new case from the same alert or alerts as the previous case (marked as imported).
  4. After this action, all of TheHive is not working correctly.
  • We have an error: “AuditSrv: undefined”
  • We can’t display the list of alerts if these imported alerts are on the current page (check by not filtering the alerts at all)

[Screenshot 2020-11-09 at 10 47 43]

  • We have access to the cases (first and second), but can’t display the alerts related to them

[Screenshot 2020-11-09 at 11 27 02]

So, in summary:
When we import one of the alerts into two different cases, TheHive doesn’t know how to display this type of alert. Also, getting these alerts from the API didn’t work.

So it causes a denial of service of TheHive.
We estimated this as a security vulnerability with CVSS v3.1 and got the result:
High, 8.5
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): None
Integrity (I): Low
Availability (A): High

@nadouani (Contributor)

@rafalszymanek @mwalkowski thanks guys, we are checking it in 4.0.1, freshly released today, even if I guess you are testing that on the same version built from sources.

nadouani added the priority:high (High Priority) label on Nov 13, 2020
nadouani added this to the 4.0.2 milestone on Nov 18, 2020
@nadouani (Contributor)

I don't know if the issue commented on by @rafalszymanek is the same as the origin of this issue.

@rafalszymanek the reason is that an alert should not be imported twice. This is fixed in #1648

@rafalszymanek commented Nov 18, 2020

@nadouani Yes, it was the same issue.
Ok, I tested it on 4.0.1-1 and it looked like it works fine. I was unable to bring up this error again 👍 The bug looks fixed and the issue should be closed. Can we create a CVE for this bug?

But I found another issue with this fix (I will create a new issue).
It’s related to importing alerts into a case (now it does not import alerts into the case at all).
[Bug] Not importing alert into case #1665

@nadouani (Contributor)

Well, after some investigation, there is no Denial of Service on 4.0.1 related to the issue you described in your comment #1598 (comment)

BTW, your screenshots show 4.0.0-1 and not 4.0.1.

I've just tested with a fresh install of TheHive 4.0.1; there is in fact the alert merge case, but it doesn't break anything more than what is described in issue #1648.
