# OSSEC 4.0.0 Release Notes

[atomicturtle]

Release Maintainers

• Dan Parriott
• Scott R. Shinn (Atomicorp)

Contributors on this release

• @atomicturtle

---

Release Notes

Major security and stability release addressing critical memory safety issues and modernizing cryptographic implementations. This release includes fixes for multiple heap use-after-free (UAF) vulnerabilities, uncontrolled recursion in XML parsing, and implementation of secure random number generation for agent key creation. Additionally, file integrity monitoring has been modernized with SHA-256 support, and several external dependencies have been updated to their latest stable versions.

⚠️ Breaking Changes

Warning

AES Encryption Now Default for Agent Communication

OSSEC 4.0.0 agents now use AES encryption by default for agent-server communication. This is NOT backwards compatible with OSSEC 3.8.0 and older servers.

Migration Options:

1. Upgrade servers first (recommended): Update all OSSEC servers to 4.0.0 before upgrading agents.
2. Use legacy Blowfish encryption on 4.0.0 agents: Add the following to your agent's ossec.conf:

   <client>
     <crypto_method>blowfish</crypto_method>
   </client>

Configuration Changes

• SHA-256 File Integrity Monitoring: SHA-256 is now enabled by default for all monitored directories. No configuration changes are required for new installs.
• To disable SHA-256 (if needed for compatibility):

  <syscheck>
    <directories check_sha256sum="no">/etc</directories>
  </syscheck>

🔒 Security Fixes

• Critical Memory Safety: Fix critical UAF bug in memory leak fix (Issue CVE-2020-8447: analysisd: OS_ReadMSG heap use-after-free decoding syscheck msgs. #1818) - PR 2178
• Heap UAF: Fix Issue CVE-2020-8444: analysisd: OS_ReadMSG heap use-after-free with ossec-alert msgs. #1817: Heap UAF in OSSEC Alert decoder with leak-free Eventinfo refactor - PR 2177
• Recursion Fix: Fix uncontrolled recursion in os_xml _ReadElem (Issue os_xml _ReadElem() - Uncontrolled recursion vulnerability leading to DoS (SIGSEGV) #1953) - PR 2175
• Secure RNG: Implement secure RNG for agent key generation using OpenSSL RAND_bytes - PR 2167

General Fixes & Improvements

• FIM Modernization: SHA-256 integration and safe buffer handling - PR 2166
• Lua Update: Update Lua to version 5.4.7 - PR 2165
• zlib Update: Update zlib to version 1.3.1 - PR 2164
• cJSON Update: Update cJSON to version 1.7.18 - PR 2163
• Windows Builds: Build fixes for Windows - PR 2162
• Packaging: Add RPM spec file - PR 2147
• Agent Auth: Handle SSL EOF condition in agent-auth - PR 2146
• Performance: Ignore ENOENT in OS_RemoveCounter to prevent benign error messages - PR 2171
• Stability: Improve logcollector crash fix to check read function pointer (Issue ossec-logcollector segfaults with no logs to collect #2156) - PR 2168
• Testing: Improve error message in ossec-testrule for missing rule matches (Issue Better error message for "ossec-testrule: currently_rule not set!" #2093) - PR 2170
• CLI: Fix help/version argument exit codes - PR 2174
• Bugfix: Fix for Issue ossec-analysisd segfault when alert_new_files is enabled #2056 in syscheck decoder - PR 2173
• Code Quality: Clean up redundant NULL checks in report filter function (Issue will be always true due to checking above. #2133) - PR 2169

---

This discussion was created from the release # OSSEC 4.0.0 Release Notes.