Elastic 8.3.1, 8.3.0, and 7.17.5 Security Update

Kibana cross-site-scripting (XSS) issue (ESA-2022-08)

A cross-site-scripting (XSS) vulnerability was discovered in the Vega Charts Kibana integration which could allow arbitrary JavaScript to be executed in a victim’s browser.

Affected Versions:

Versions 7.0.0 through 7.17.4 and 8.0.0 through 8.2.3

Solutions and Mitigations:

The issue is fixed in versions 8.3.0 and 7.17.5.

If you are unable to upgrade, you can disable Vega visualizations:

  • For on-premise installations, set vis_type_vega.enabled: false (or vega.enabled: false for Kibana versions older than 7.7.0) in the kibana.yml file.
  • For Elastic Cloud services deployments, you can reach out to Elastic Support.

CVSSv3:
6.4 (Medium) - AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CVE ID: CVE-2022-23713


Endpoint Security Local Privilege Escalation issue (ESA-2022-09)

A local privilege escalation (LPE) issue was discovered in the ransomware canaries feature of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account.

Affected Versions:

Versions 7.13.0 through 7.17.4 and 8.0.0 through 8.2.3

Solutions and Mitigations:

An artifact update was distributed to all internet-connected endpoints which disables the vulnerable feature ("Endpoint.policy.applied.artifacts.global.version" version 1.0.324+). However, 7.14+ enterprise and platinum Endpoints remain affected if the cloud update hasn’t been received and ransomware protection is enabled. The cloud update occurs 5 minutes after installation if the update server can be reached.

The vulnerability is resolved in versions 8.3.0 and 7.17.5 where the vulnerable feature is disabled out of the box without requiring the artifact update. A workaround for endpoints unable to update or connect to the artifact update server is to disable the vulnerable feature manually by setting the “windows.advanced.ransomware.canary” advanced policy option to false.

A future version will include a fix for the vulnerability and will re-enable the canaries component of the ransomware protection feature. In the meantime, Elastic Security is confident that its layered approach to protections provides high efficacy against ransomware threats without requiring the canary feature.

CVSSv3:
7.0 (High) - AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE ID: CVE-2022-23714

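A triage check for the Kibana Vega mitigation in ESA-2022-08 above, as an added example that is not Elastic's code: it applies the advisory's affected version ranges and picks the setting name by Kibana version. The function names, status strings and the minimal kibana.yml reader are assumptions of this example.

```python
import re

# Version ranges and setting names are taken from ESA-2022-08 above.
AFFECTED = [((7, 0, 0), (7, 17, 4)), ((8, 0, 0), (8, 2, 3))]

# Constructed sample (not from a real host): old key name on a newer node.
SAMPLE_YML = "server.port: 5601\nvega.enabled: false\n"


def parse_version(text):
    """'7.17.4' -> (7, 17, 4); suffixes such as '-SNAPSHOT' are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())


def flat_settings(kibana_yml):
    """Flatten kibana.yml scalars to dotted keys (dotted or nested form).
    Assumption: no lists or multi-line values on the lines of interest."""
    settings, stack = {}, []  # stack holds (indent, key) of open parents
    for raw in kibana_yml.splitlines():
        line = raw.split(" #")[0].rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#") or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            settings[path] = value.strip().strip("'\"").lower()
        else:
            stack.append((indent, key.strip()))
    return settings


def vega_xss_status(version, kibana_yml):
    """Return 'not_listed', 'mitigated' or 'exposed' for one Kibana node."""
    v = parse_version(version)
    if not any(lo <= v <= hi for lo, hi in AFFECTED):
        return "not_listed"  # outside the advisory's affected ranges
    # The setting name depends on version: vega.enabled only before 7.7.0.
    key = "vega.enabled" if v < (7, 7, 0) else "vis_type_vega.enabled"
    return "mitigated" if flat_settings(kibana_yml).get(key) == "false" else "exposed"
```

A node reports "exposed" when the workaround line is commented out or uses the key name meant for the other version range, which are the two ways the mitigation silently fails to apply.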