Elastic Stack 5.5.1 and Kibana 4.6.5 security update


(Josh Bressers) #1

Kibana Node.js security flaw (ESA-2017-14)

The version of Node.js shipped in all versions of Kibana prior to 5.5.1 contains a Denial of Service flaw in its HashTable random seed. This flaw could allow a remote attacker to consume resources within Node.js, preventing Kibana from servicing requests.

Affected Versions
All versions before 5.5.1 and 4.6.5

Solutions and Mitigations:
Administrators running Kibana in an environment with untrusted users should upgrade to version 5.5.1 or 4.6.5. There is no workaround for this issue; the flaw can be triggered by an unauthenticated anonymous user.

CVE ID: CVE-2017-11499