Elastic Stack 5.4.3 Security update
(Josh Bressers) #1

Kibana X-Pack Security user credentials disclosure (ESA-2017-11)

In Kibana X-Pack security versions prior to 5.4.3, if a Kibana user opens a crafted Kibana URL, the result could be a redirect to an improperly initialized Kibana login screen. If the user enters credentials on this screen, the credentials will appear in the URL bar. The credentials could then be viewed by untrusted parties or recorded in the Kibana access logs.

Affected versions
Kibana X-Pack security prior to version 5.4.3

Solution and Mitigations
We believe the severity of this issue is low since the issue can be triggered only by a crafted URL, and it will be very difficult for an external attacker to acquire credentials even with the vulnerability. Kibana users concerned with this issue should upgrade to version 5.4.3 or later.
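Because the advisory notes that submitted credentials could end up in the URL and therefore in access logs, an operator may want to check existing logs for credential-bearing query strings and redact them before the logs are shared or retained. The following is an added example (not Elastic's code); it assumes a simple constructed log line layout and assumes query parameter names such as `username` and `password`, which are illustrative rather than Kibana's actual field names.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed parameter names a mis-initialised login form might submit via GET.
# These are assumptions for this example, not Kibana's actual field names.
SENSITIVE_PARAMS = {"username", "password", "user", "pass"}

# Constructed minimal access-log layout: "<client-ip> <method> <url> <status>"
LOG_LINE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def scan_log_line(line):
    """Return (leaked_params, redacted_line) for one access-log line.

    leaked_params is a sorted list of sensitive parameter names found in the
    request URL's query string; the line is returned unchanged if none appear.
    """
    m = LOG_LINE.match(line.rstrip("\n"))
    if not m:
        return [], line
    parts = urlsplit(m.group("url"))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = sorted({k for k, _ in pairs if k.lower() in SENSITIVE_PARAMS})
    if not leaked:
        return [], line
    # Redact only the sensitive values so the rest of the record stays usable.
    redacted_pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
                      for k, v in pairs]
    redacted_url = urlunsplit(parts._replace(query=urlencode(redacted_pairs)))
    return leaked, f"{m.group('ip')} {m.group('method')} {redacted_url} {m.group('status')}"


def scan_log(lines):
    """Scan many lines; return (number of leaking lines, list of redacted lines)."""
    hits, out = 0, []
    for line in lines:
        leaked, redacted = scan_log_line(line)
        hits += 1 if leaked else 0
        out.append(redacted)
    return hits, out


# Constructed sample lines for demonstration, not real Kibana log output.
SAMPLE_LOG = [
    "10.0.0.5 GET /app/kibana 200",
    "10.0.0.7 GET /login?username=alice&password=s3cret&next=%2Fapp%2Fkibana 302",
    "10.0.0.9 GET /login?next=%2Fapp%2Fkibana 200",
]

if __name__ == "__main__":
    count, cleaned = scan_log(SAMPLE_LOG)
    print(f"{count} line(s) carried credentials in the URL")
    print("\n".join(cleaned))
```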

CVE ID: CVE-2017-8443