Elastic Stack 6.1.2 and 5.6.6 security update


(Josh Bressers) #1

Logstash sensitive information disclosure issue (ESA-2018-01)
When logging warnings regarding deprecated settings, Logstash could inadvertently log sensitive information.

Affected Versions
All versions before 6.1.2 and 5.6.6

Solutions and Mitigations
Users should upgrade to Logstash version 6.1.2 or 5.6.6. If you are unable to upgrade, you should review your settings to ensure no deprecated settings are used in your environment.

CVE ID: CVE-2018-3817


Kibana XSS issue (ESA-2018-02)
Kibana versions 5.1.1 to 6.1.2 and 5.6.6 had a cross-site scripting (XSS) vulnerability via the colored fields formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

Affected Versions
Versions 5.1.1 to 6.1.2 and 5.6.6

Solutions and Mitigations
Users should upgrade to Kibana version 6.1.2 or 5.6.6. There are no known workarounds for this issue.

CVE ID: CVE-2018-3818
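As an added example (not part of the advisory or Elastic's own tooling), the following script turns the affected-version ranges of ESA-2018-01 and ESA-2018-02 above into an inventory check that lists which nodes still need the upgrade. It assumes the fixed releases 6.1.2 and 5.6.6 are the first unaffected release on their branch (as the Solutions sections state), that later major lines were cut after the fix, and that node versions are reported as plain `MAJOR.MINOR.PATCH` strings; the inventory itself is constructed.

```python
from typing import Tuple

# Fixed releases named in the advisory, keyed by major version line (assumed
# to be the first unaffected release on each branch).
FIXED = {5: (5, 6, 6), 6: (6, 1, 2)}
KIBANA_FIRST_AFFECTED = (5, 1, 1)  # lower bound given in ESA-2018-02


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; a '-SNAPSHOT'-style suffix is ignored."""
    parts = text.strip().split("-", 1)[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def logstash_needs_upgrade(version: str) -> bool:
    """ESA-2018-01: every release before 5.6.6 (5.x) or 6.1.2 (6.x) is affected."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        # "All versions before": anything older than 5.x is affected,
        # major lines newer than 6.x were released after the fix.
        return v[0] < 5
    return v < fixed


def kibana_needs_upgrade(version: str) -> bool:
    """ESA-2018-02: affected from 5.1.1 up to the fixed release on its branch."""
    v = parse_version(version)
    if v < KIBANA_FIRST_AFFECTED:
        return False
    fixed = FIXED.get(v[0])
    if fixed is None:
        return False  # newer major lines were released after the fix
    return v < fixed


# Constructed inventory: (host, product, version) as reported by each node.
INVENTORY = [
    ("ls-01", "logstash", "5.6.5"),
    ("ls-02", "logstash", "6.1.2"),
    ("kb-01", "kibana", "5.0.2"),
    ("kb-02", "kibana", "6.0.1"),
]


def hosts_to_upgrade(inventory=INVENTORY):
    """Return the hosts whose reported version is still affected by either advisory."""
    check = {"logstash": logstash_needs_upgrade, "kibana": kibana_needs_upgrade}
    return [host for host, product, ver in inventory if check[product](ver)]


if __name__ == "__main__":
    print(hosts_to_upgrade())  # → ['ls-01', 'kb-02']
```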