X-Pack 5.4.1 privilege escalation (ESA-2017-06)
X-Pack 5.4.1 has been released, which fixes a privilege escalation bug in the run_as functionality. This bug prevents transitioning into the user specified in a run_as request. If a role has been created using a template that contains the _user properties, the behavior of run_as will be incorrect. Additionally, if the run_as user specified does not exist, the transition will not happen.
Generally, when using the run_as functionality, a user will transition to a different user. This bug will cause the role query to execute as the user who authenticated to Elasticsearch, not the user specified via run_as. This could result in a query returning incorrect or unexpected results.
If you are not using the run_as functionality or the _user properties, you are not affected by this issue.
Affected versions
X-Pack Security versions 5.0.0 to 5.4.0 are affected by this flaw.
Solution and Mitigations
If you are affected by this issue, we suggest you upgrade your Elastic Stack to version 5.4.1.
If you are unable to upgrade, removing use of the {{_user.username}} placeholder and ensuring the run_as setting cannot be modified by untrusted users is a valid solution.
CVE ID: CVE-2017-8438
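An added example (not Elastic's code) of checking exposure to ESA-2017-06 with the criteria stated above: an affected X-Pack Security version, a role query that references a _user property, and a role that grants run_as. The role listing is a constructed sample, and its shape (a map of role name to definition, with the query held as a JSON string or object) is an assumption about how your roles are exported.

```python
import json
import re

# Constructed role listing (role name -> definition); names are invented.
SAMPLE_ROLES = json.loads(r"""
{
  "own_docs": {
    "indices": [{"names": ["notes-*"], "privileges": ["read"],
      "query": "{\"template\":{\"inline\":{\"term\":{\"owner\":\"{{_user.username}}\"}}}}"}],
    "run_as": []
  },
  "support_impersonation": {"indices": [], "run_as": ["alice", "bob"]},
  "static_filter": {
    "indices": [{"names": ["logs-*"], "privileges": ["read"],
      "query": {"term": {"team": "ops"}}}],
    "run_as": []
  }
}
""")

USER_PROPERTY = re.compile(r"_user\.\w+")  # e.g. {{_user.username}}

def version_affected(version):
    """True for X-Pack Security 5.0.0 to 5.4.0, the range the advisory lists."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError("unrecognised version: %r" % version)
    return (5, 0, 0) <= tuple(int(p) for p in match.groups()) <= (5, 4, 0)

def audit_roles(roles):
    """Return (roles whose query references _user, roles that grant run_as)."""
    templated, run_as = [], []
    for name, role in sorted(roles.items()):
        for entry in role.get("indices", []):
            query = entry.get("query")
            # Assumption: the query may be exported as a JSON string or object.
            text = query if isinstance(query, str) else json.dumps(query)
            if query is not None and USER_PROPERTY.search(text):
                templated.append(name)
                break
        if role.get("run_as"):
            run_as.append(name)
    return templated, run_as

def exposed(version, roles):
    """Affected only if run_as and _user properties are both in use."""
    templated, run_as = audit_roles(roles)
    return version_affected(version) and bool(templated) and bool(run_as)

if __name__ == "__main__":
    print(audit_roles(SAMPLE_ROLES), exposed("5.4.0", SAMPLE_ROLES))
```

The roles returned in the first list are the ones to rewrite without the placeholder if you cannot upgrade; the second list shows where run_as is granted and should be restricted to trusted users.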
Kibana 5.4.1 Cross Site Scripting (ESA-2017-07)
Kibana 5.4.1 has been released, which fixes a cross-site scripting bug in the Time Series Visual Builder. This bug could allow an attacker to construct a visualization that, when viewed by another Kibana user, could leak sensitive information from or perform destructive actions on behalf of the Kibana user.
Affected versions
Kibana 5.4.0 is affected by this flaw.
Solution and Mitigations
We strongly advise users to update to Kibana version 5.4.1.
If you are unable to upgrade at this time, the Time Series Visual Builder can be disabled by adding 'metrics.enabled: false' to your kibana.yml configuration file. Note that this will trigger an optimize cycle when you next start Kibana.
CVE ID: CVE-2017-8439
Kibana 5.4.1 and 5.3.3 Cross Site Scripting (ESA-2017-08)
Kibana 5.4.1 and 5.3.3 have been released, which fix a cross-site scripting bug in the Discover page. An attacker who is able to insert arbitrary data into Elasticsearch could, when that data is viewed by another Kibana user on the Discover page, leak sensitive information from or perform destructive actions on behalf of the Kibana user.
Affected versions
Kibana versions between 5.3.0 and 5.4.0 are affected by this flaw.
Solution and Mitigations
We strongly advise users to update to Kibana version 5.4.1 or 5.3.3.
CVE ID: CVE-2017-8440
Elastic would like to thank Thomas Gøytil for reporting this issue.
X-Pack 5.4.1 and 5.3.3 improper DLS alias enforcement (ESA-2017-09)
X-Pack 5.4.1 and 5.3.3 have been released with a fix for a bug in the way Document Level Security is applied to index aliases. This bug could allow a user with restricted permissions to view data they should not have access to when performing certain operations against an index alias.
Affected versions
X-Pack Security versions 5.0.0 to 5.4.0 are affected by this flaw.
Solution and Mitigations
If you are affected by this issue, we suggest you upgrade your Elastic Stack to version 5.4.1 or 5.3.3.
If you are unable to upgrade, the shard request cache can be disabled for indices that use aliases. Instructions to disable the request cache can be found here
CVE ID: CVE-2017-8441