
Releases: SerNet/verinice

1.27.0

10 Jan 16:01
cfd8e05

See full release notes on verinice.com.

Code name: Siargao

Detail changes

New functions

Business Continuity Management

Business Continuity Management according to BSI Standard 200-4 has been brought up to date and extended with far-reaching functionality:

The new Business Impact Analysis view graphically shows the dependencies between processes and target objects for a better overall assessment.

The new reports for Business Continuity are available, including a sample organisation, in the separately downloadable product Business Continuity Management BCMS (200-4).

Report template Management Summary IT-Grundschutz

The new overview report Management Summary IT-Grundschutz presents the most important IT-Grundschutz data (depending on the chosen protection approach, e.g. structure analysis, protection requirements determination, IT-Grundschutz check and risk analysis) in a compact graphical form.

New packages for RHEL 8 and AlmaLinux 8

For verinice 1.27, RPM packages are provided both for Red Hat Enterprise Linux (RHEL) 7 and CentOS 7 and for RHEL 8 and AlmaLinux 8.

Because support for CentOS 7 and RHEL 7 ends on 30 June 2024, the RPM packages for these versions are provided for the last time with verinice 1.27! All users are advised to migrate to AlmaLinux 8 or RHEL 8 soon.

Bug fixes and detail improvements

Performance improvements

The creation of links has been significantly accelerated.

CSV and VNA import have been accelerated.

Client on macOS

The verinice standalone version (verinice.Subskription and verinice.EVAL) is available as a macOS installation package (.pkg).

The splash screen on macOS is displayed correctly.

Detail improvements

User-defined perspectives can be deleted.

The description field for the implementation of requirements/safeguards in IT-Grundschutz has been enlarged.

Product maintenance

Update of the RCP development environment to version 2023-09 (4.29).

Java 17 as the runtime environment for the client.

Bug fixes

Fixed an error when changing the icons of objects.

Fixed an error in the risk calculation in the bulk editor.

Fixed an error when restoring the default values in the editor settings.

Corrected the alphanumeric sorting in report A.1 Structure analysis dependencies.

Security notes

New actions

none

Changed property files

veriniceserver/WEB-INF/SNCA.xml

veriniceserver/WEB-INF/snca-messages_??.properties

veriniceserver/WEB-INF/verinice-auth-default.xml

Database changes

none

New AlmaLinux appliance

Since verinice 1.27 the verinice.PRO appliance is based on AlmaLinux. Please note in particular that an additional public package key must be imported before the verinice.PRO server is installed! For details, see the verinice manual: verinice.PRO - Installation on AlmaLinux 8 and RHEL 8, chapter 4.3.1 verinice Repository.

1.26.1 - Mal del Plata

07 Aug 14:16
9a87ad8

See full release notes on verinice.com.

Code name: Mal del Plata

Detail changes

  • Changed the signing of verinice packages to SHA-256, as Bitdefender warnings were occasionally reported during installation on Windows.
  • The handling of Unicode encoding has been improved to prevent a theoretically possible path traversal (see CWE-176: Improper Handling of Unicode Encoding). Exploitation is not considered realistic in the verinice usage scenario.
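The encoding issue named above (CWE-176) is easiest to see with a concrete check. The following Java class is an added illustration, not verinice code and not the fix shipped in 1.26.1 (the release notes do not describe the implementation); the base directory is hypothetical and the inputs are constructed. It shows why a traversal check that runs on the raw string is bypassable by fullwidth characters that NFKC folds to '.' and '/', and a hardened version that normalizes first and then verifies that the canonical path still lies under the base directory. The same NFKC step also composes a combining diaeresis (u followed by U+0308) into a precomposed ü, the kind of special-character mismatch addressed by the string normalisation in 1.23.0.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.text.Normalizer;

public class UnicodePathCheck {

    // Hypothetical report directory used for the demonstration.
    static final Path BASE_DIR = Paths.get("/srv/verinice/reports").toAbsolutePath().normalize();

    // Weak variant: the check inspects the raw string, but a later normalization
    // step (or a file system that folds compatibility characters) sees the NFKC
    // form. FULLWIDTH FULL STOP (U+FF0E) and FULLWIDTH SOLIDUS (U+FF0F) pass this
    // check and only become "../" afterwards.
    static boolean weakCheck(String name) {
        return !name.contains("..") && !name.contains("/") && !name.contains("\\");
    }

    // Hardened variant: fold compatibility characters first (NFKC), reject
    // control characters, resolve against the base directory, and verify that
    // the lexically canonical result is still inside it. An absolute input such
    // as "/etc/passwd" replaces the base on resolve() and is rejected as well.
    static Path resolveInside(String untrustedName) {
        String folded = Normalizer.normalize(untrustedName, Normalizer.Form.NFKC);
        for (int i = 0; i < folded.length(); i++) {
            if (folded.charAt(i) < 0x20) {
                throw new IllegalArgumentException("control character in file name");
            }
        }
        Path target = BASE_DIR.resolve(folded).normalize();
        if (target.equals(BASE_DIR) || !target.startsWith(BASE_DIR)) {
            throw new IllegalArgumentException("path escapes base directory: " + untrustedName);
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed input: "../../etc/passwd" spelled with U+FF0E and U+FF0F.
        String sneaky = "\uFF0E\uFF0E\uFF0F\uFF0E\uFF0E\uFF0Fetc\uFF0Fpasswd";
        System.out.println("weak check accepts: " + weakCheck(sneaky));
        System.out.println("after NFKC: " + Normalizer.normalize(sneaky, Normalizer.Form.NFKC));
        try {
            resolveInside(sneaky);
        } catch (IllegalArgumentException e) {
            System.out.println("hardened check: " + e.getMessage());
        }
        // Constructed benign name with a decomposed u + U+0308; NFKC composes it to ü.
        System.out.println("benign name: " + resolveInside("u\u0308bersicht.pdf"));
    }
}
```

The weak check accepts the fullwidth input, NFKC turns it into `../../etc/passwd`, and the hardened check rejects it. Path.normalize() is purely lexical: a symbolic link inside the base directory can still point outside it, so for files that already exist, compare against toRealPath() instead.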

1.26.0 - Mal del Plata

04 May 14:03
2826306

See full release notes on verinice.com.

Code name: Mal del Plata

Risk Catalog ISO/IEC 27001:2022

With verinice 1.26 it is planned to publish the verinice risk catalog based on the new ISO/IEC 27001:2022.

The object Control is extended with the following new attributes for this purpose:

  • Measure type is an attribute for viewing measures from the point of view of when and how a measure changes the risk in relation to the occurrence of an information security incident.
  • Information Security Properties is an attribute for viewing measures from the standpoint of which protection goal the measure is intended to support.
  • Cybersecurity Concepts views measures from the perspective of how they map to the cybersecurity framework described in ISO/IEC TS 27110 (Cybersecurity Framework).
  • Operational Capabilities considers measures from the perspective of their operational information security capabilities and supports a practical user view of the measures.
  • Security Domains is an attribute that allows measures to be viewed from the perspective of four information security domains.

Risk reports can be more easily customized by changing the risk parameters in the report templates to meet customer-specific requirements.

Detail changes

IT Baseline Protection

  • The icon decorators for risk analysis in modernized IT Baseline Protection are displayed independently of the authorization (action ID).
  • The risk configuration is displayed.
  • The incorrect CSV import of business processes in modernized IT Baseline Protection has been fixed.
  • Filtering takes into account objects that have multiple change types.

Business Continuity Management

  • English translation was completed and some spelling errors were fixed.

Report templates

  • In report A.1 Structural Analysis with Dependencies all linked objects are now displayed.
  • In the report A.5 Risk Analysis all information about the information network is listed correctly.
  • In the ISM report templates Risk Analysis and Risk Treatment, missing translations have been added.

v.Designer

  • Fixed a bug that overwrote column names in report queries (the encoding of the CSV export can be specified in the settings).

General (Product Maintenance)

  • Update of the RCP development framework to version 2022-09 (4.25).
  • Update of the Java Development Kit in the client to JDK 11.0.18+10.
  • Group objects are correctly included in the search index.
  • Translation of some properties in SNCA.xml added.

1.25.0 - Sultans

02 Nov 10:58
a92bb4b

See full release notes on verinice.com.

Code name: Sultans

Business Continuity Management

Documentation for Business Continuity Management (BCM) can now be created. Both the German BSI Standard 200-4 (1. CD) and ISO 22301:2019 have been implemented. Core processes can be identified, criticality data recorded, failure scenarios defined, and the systems relevant for restart specified. The new features are found in the familiar IT baseline protection and ISM perspectives, so data that has already been collected can be reused and the synergies between ISMS and BCMS exploited. Numerous enhancements have been made to the following target objects:

  • Information Network / Scope
  • Documents
  • Person
  • Business Process / Processes
  • Target objects (Application, IT system, ICS system, Device, Network, Room Group) / Assets
  • Modules / Controls
  • Safeguards / Requirements

Reporting enhancements

  • Output of multiple reports at once: Multiple reports can be selected at once. These are generated and output one after the other in the desired storage directory.
  • Classification of reports: When creating reports, the classification of the reports can be set. This classification is displayed in the report header on each page. By default, four levels are predefined, but these can be adjusted and extended according to the requirements (under the settings).

Detail changes

  • The startup message has been updated.
  • On the Welcome screen, the entry point for BSI IT-Grundschutz according to the 100-x standards has been removed. The perspective is still available and can still be used.
  • The Audit Report has been revised so that all information from the audit is now output.
  • Links between business processes and rooms are possible.
  • In the Link-Maker it is now possible to search and sort not only by title but also by identifier, parent target object and scope.
  • Imported objects are no longer sorted alphabetically but are always listed first.
  • Adjustments and enhancements to the Tutorials.
  • Improvements to the External Links View.

Bug fixes

  • In report A.1 Structure analysis dependencies all linked elements are now output.
  • In report A.3 Modeling, the correct number of modules for communication connections is output in the table "Overview: List of modules used".
  • In report A.4 Basic protection check, the implementation date (implementation by) is now also output if it is not derived from the safeguard.
  • In the report form BSIG 8b IS (ISO and baseline protection), small inconsistencies have been corrected.
  • In the report Statement of applicability the elements are sorted by abbreviation.
  • The link direction can be changed again afterwards.
  • Fixed an error when copying with links for many elements.
  • Sorting in the consolidator is now possible.
  • In the ISM perspective, elements are sorted by abbreviation.
  • Performance improvements in the inheritance of protection requirements and in module referencing.
  • A total of four security improvements have been made.
  • Fix for a bug in v.Designer.
  • The inheritance of icons now works properly.
  • Deletion using keyboard shortcuts is prevented for read-only catalog items.
  • HTML tags are removed when sending mail from tasks.
  • The VDS_ISA_Audit tag has been removed from the Audit handling element.
  • A local admin now only sees the account groups they created in the account settings.
  • Adjustment of access rights for VNA and CSV import.
  • Modeling of modules on a read-only information network is now prevented.
  • Adjustments to the consolidator so that read-only information networks and elements can no longer be modified.

1.24.1

01 Jun 13:29
405b91d

See full release notes on verinice.com.

Bug fixes

After updating to verinice 1.24.0, multiple IDs were displayed after the names of objects in the client. This function, intended for debugging, could not be deactivated in 1.24.0 and caused confusion, but no errors in the application; verinice 1.24.0 could be used as usual. verinice 1.24.1 solves this problem: IDs are no longer displayed next to the names of objects.

1.24.0 - Jeju Island

17 May 15:43
7413801

See full release notes on verinice.com.

Code name: Jeju Island

New function: Module referencing

With the module referencing, it is possible to use already modeled modules for several target objects at the same time. This reduces both the effort required for editing and maintaining the modules and the number of modules contained in the information network. The target objects for which a module referencing exists are highlighted.

Detail changes

  • In report A.6 Implementation plan, the implementation date (implementation by) is now also shown if no person is linked with the link type "implementation by".
  • The new Office formats (DOCX and XLSX) are supported for report creation.
  • The v.Designer can be started with Java 11 and is therefore delivered again in version 1.24.
  • Improvement of the "Derive from task" option when modeling requirements.
  • Tasks can be created automatically via cron job. This function is deactivated by default.
  • The encryption method "Encrypt with certificate" is no longer available during export and import.

Bug fixes

  • Performance improvements when inheriting permissions, copying with links and in the account group view.
  • Fixed a bug in the GSTOOL import.
  • Fixed a bug in copying with links in Security Assessment.
  • Fixed an error when starting an audit workflow from the context menu of an ISO Control group.
  • Updated to RCP framework 2021-12 (4.22) to support newer operating systems.
  • Corrected changes to the program window after selecting links in the report query.
  • Catalog elements are now excluded from validation.
  • Language inconsistencies have been fixed in several places.
  • Removal of the old tutorial for data protection.
  • Deleting tasks in workflow is now possible again.
  • Correction in workflow when selecting appointments in an old template.
  • Deletion of links in the catalog is prevented.
  • Fixed the creation of aggregated charts in v.Designer.
  • Fixed an error when adding accounts to account groups.
  • Fixed a bug in the post-modeling of threats.
  • Clarified in several places that the Greenbone/OpenVAS connection is not available for Modernized IT Baseline Protection.

1.23.1

10 Nov 11:57
ee3f112

See full release notes on verinice.com.

Bug fixes

This update for verinice fixes an error when copying objects. In the single-user version of verinice 1.22.2 and 1.23, the function "Copy with links" could not be executed. Calling the function is possible again in version 1.23.1. verinice.PRO was not affected by the error: in the "Server" operating mode, "Copy with links" also runs without errors in older versions. Therefore, no new verinice.PRO packages for 1.23.1 are published in the customer repository; on the server the packages for 1.23.0 can still be used.

1.23.0 - Great Barrier Island

13 Oct 16:39
c002930

See full release notes on verinice.com.

Code name: Great Barrier Island

Detail changes

  • Fixed the double output of VDA ISA controls for documents linked in the ISM perspective in the report templates "Information Security Assessment compact/detailed".
  • In the report "A.4 Grundschutz-Check" the implementation date is now also output if no person is linked.
  • If a valid licence is available, the unencrypted control texts are displayed in the web frontend.
  • The mail configuration has been extended for MSA-compliant mail submission.
  • The settings for STARTTLS have been added to the configuration file veriniceserver-plain.properties.

Bug fixes

  • Fixed an error when importing multiple scopes at the same time.
  • Fix a bug with recurring CSV import with activated option Delete objects in verinice.
  • Fixed selecting a template file in the view Report filing.
  • Execution of the function Integrate (removal of Source-ID and Ext-ID) on objects that are locked for users without write access.
  • Correction of the incorrectly implemented function Expand All in the folder Imported Objects.
  • Normalisation of strings to avoid problems with special characters (combining diaeresis) in verinice (content, report queries and reports).
  • Catch the error when consolidating modules if threats are linked with the same identifier.
  • Removed the superfluous tag Risk from the checkbox Derive from safeguard for requirements in modernised IT-Grundschutz.
  • Links in the welcome screen on macOS can be called up again.
  • The creation of duplicate permissions is now intercepted.
  • The account view now shows changes to objects immediately (refresh).
  • Correction of the reference to the download of the IT-Grundschutz compendium in the tutorial.
  • Update of the tutorial for the consolidator in IT-Grundschutz.
  • Missing German translation in tutorial 3.2 Risk management based on ISO 27005 added.
  • Reset of perspectives in case of missing view corrected.
  • Fixed an error that in some cases prevented navigating back to the root object.

Security Release 1.22.2

13 Oct 16:44
22bc904

See full release notes on verinice.com.

The verinice.TEAM closes a security vulnerability with this release. Updating to the new version is strongly recommended for security reasons.

Users of the verinice.PRO server should install the available RPM packages from the customer repository using the known update procedure.

Users of the verinice standalone version will be prompted to install the updated version at startup. If the automatic update mechanism has been disabled by the user, the update can be triggered manually using the following menu item: Help -> Check for Updates

Vulnerability description

A vulnerability in the communication between the client and server components can be used to execute arbitrary code on the server. The prerequisite for exploiting the vulnerability is completed authentication with an account on the verinice.PRO server, with or without admin privileges. Without such an account, the vulnerability cannot be exploited.

  • CVE-2021-36981
  • Affected Versions: All versions of verinice and verinice.PRO prior to 1.22.2.

verinice uses Java serialization for communication between client and server components. Frank Nusko of Secianus GmbH has found that the mechanism and framework used are vulnerable to exploits that can be used to execute arbitrary code on the server component.

Since the server component is also used in the standalone mode of verinice, the vulnerability could theoretically be used to attack the standalone client as well. In the attack, arbitrary commands can be executed on the same machine, but with the rights and context of the verinice client. This second attack variant has not been verified by us, but as a precaution, we still recommend all users of the standalone client to install the available patch as well.

The vulnerability can be exploited to gain access to the underlying operating system, modify files, delete files and read information, including all data in the verinice database.

A detailed description of the vulnerability can be found here: verinice.com/cve-2021-36981
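What "Java serialization ... can be used to execute arbitrary code" means in code, and the standard JDK mitigation for that bug class, as an added example. This is not verinice's client/server code and not the patch shipped in 1.22.2 (the advisory does not describe the fix); the message shapes are constructed for the demonstration. It contrasts an unfiltered ObjectInputStream, which instantiates whatever classes the peer names, with one that carries a JEP 290 ObjectInputFilter allowlist, so a stream naming a class outside the expected protocol is rejected before any constructor or readObject runs.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class FilteredDeserialization {

    // Serialize an object graph the way a client would put it on the wire.
    static byte[] toBytes(Object graph) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(graph);
        }
        return buf.toByteArray();
    }

    // Unfiltered: instantiates whatever classes the stream names, so any gadget
    // chain reachable on the server classpath runs during readObject(). This is
    // the pattern an authenticated peer abuses in a deserialization RCE.
    static Object readUnfiltered(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            return in.readObject();
        }
    }

    // JEP 290 allowlist: only the named classes may be instantiated; the trailing
    // "!*" rejects everything else before construction. The limits bound graph
    // depth, array length and reference count against resource-exhaustion payloads.
    // (Strings are written as TC_STRING and are not class-checked; java.lang.String
    // is listed defensively.)
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "java.util.ArrayList;java.lang.String;maxdepth=8;maxarray=4096;maxrefs=4096;!*");

    static Object readFiltered(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            in.setObjectInputFilter(ALLOWLIST);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed messages: one has the expected protocol shape, the other
        // names a class the protocol never legitimately sends.
        List<String> expected = new ArrayList<>(List.of("scope-1", "scope-2"));
        Map<String, String> unexpected = new HashMap<>(Map.of("k", "v"));

        System.out.println("filtered, expected shape: " + readFiltered(toBytes(expected)));
        System.out.println("unfiltered, unexpected class: " + readUnfiltered(toBytes(unexpected)));
        try {
            readFiltered(toBytes(unexpected));
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected class rejected: " + e.getMessage());
        }
    }
}
```

The filtered reader accepts the ArrayList message and throws InvalidClassException (filter status REJECTED) for the HashMap, while the unfiltered reader happily builds it. An allowlist narrows the attack surface but is not a complete remedy: any allowed class with a dangerous readObject stays reachable, and the authenticated-account precondition from the advisory still applies. The durable fix for a client/server protocol is a data-only wire format whose parser executes no application code; where the streams are created by a framework you do not control, a process-wide default filter can be set with the jdk.serialFilter system property.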