Elastic Stack 6.4.1 and 5.6.12 security update


Josh Bressers

Kibana XSS issue (ESA-2018-14)

Kibana versions from 5.3.0 up to, but not including, 5.6.12 (5.x line) and 6.4.1 (6.x line) had a cross-site scripting (XSS) vulnerability via the source field formatter that could allow an attacker to obtain sensitive information from, or perform destructive actions on behalf of, other Kibana users.

Affected Versions
Kibana 5.3.0 and later that are earlier than 5.6.12 (5.x line) or 6.4.1 (6.x line)

Solutions and Mitigations
Users should upgrade to Kibana version 6.4.1 or 5.6.12. There are no known workarounds for this issue.

CVE ID: CVE-2018-3830


Elasticsearch information disclosure (ESA-2018-15)

Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the cluster settings API. Querying the Elasticsearch _cluster/settings API could return sensitive configuration values such as passwords, tokens, or usernames, so an authenticated Elasticsearch user who is allowed to read cluster settings could improperly view these details.

Affected Versions
Elasticsearch versions before 5.6.12 (5.x line) or 6.4.1 (6.x line)

Solutions and Mitigations
Users should upgrade to Elasticsearch version 6.4.1 or 5.6.12. There are no known workarounds for this issue.
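A post-upgrade check for the _cluster/settings exposure described above, added here as an example and not part of the advisory or of Elastic's own tooling: fetch `GET _cluster/settings?include_defaults=true` as an ordinary authenticated user, save the JSON, and run it through this scanner, which walks every persistent, transient and default setting and flags any leaf whose key name looks like a credential. The response below is constructed for the example; the setting paths are illustrative of Watcher notification accounts and Monitoring exporters, and the values are fake.

```python
"""Scan a GET _cluster/settings response for credential-bearing settings.

Added example (not from the advisory). Assumes you saved the API response
to JSON and load it into `find_exposed_secrets`.
"""
import json
import re
from typing import Any, Iterator

# Leaf names that normally carry credentials in notification / exporter
# settings. This is a key-name heuristic; it does not inspect values.
SECRET_LEAF_RE = re.compile(r"^(password|passwd|secret|token|api_key|user|username)$", re.I)
# Anything under an "auth" sub-tree is treated as sensitive as well.
SECRET_SEGMENT = "auth"


def iter_leaves(node: Any, path: tuple = ()) -> Iterator[tuple[str, Any]]:
    """Yield (dotted_key, value) for every leaf under `node`.

    Works for the default nested response and for ?flat_settings=true output,
    where each flat key is simply a single path segment containing dots.
    """
    if isinstance(node, dict):
        for key, child in node.items():
            yield from iter_leaves(child, path + (key,))
    else:
        yield ".".join(path), node


def is_sensitive_key(dotted_key: str) -> bool:
    """True if the last segment names a credential or any segment is 'auth'."""
    segments = dotted_key.split(".")
    return bool(SECRET_LEAF_RE.match(segments[-1])) or SECRET_SEGMENT in segments


def find_exposed_secrets(settings_response: dict) -> list[tuple[str, str]]:
    """Return (key, value) pairs that look like credentials with a non-empty value.

    Checks the persistent and transient sections and, when the response was
    fetched with include_defaults=true, the defaults section too.
    """
    hits: list[tuple[str, str]] = []
    for section in ("persistent", "transient", "defaults"):
        for key, value in iter_leaves(settings_response.get(section, {}), (section,)):
            if isinstance(value, str) and value and is_sensitive_key(key):
                hits.append((key, value))
    return hits


def redact(value: str) -> str:
    """Keep only the first character and the length so the report is safe to share."""
    if not value:
        return "(empty)"
    return f"{value[0]}{'*' * (len(value) - 1)} ({len(value)} chars)"


# Constructed sample shaped like a GET _cluster/settings response from an
# affected node. Setting names are illustrative, values are fake.
SAMPLE_RESPONSE = json.loads("""
{
  "persistent": {
    "xpack": {
      "notification": {
        "email": {
          "account": {
            "ops": {
              "smtp": {
                "host": "smtp.example.internal",
                "user": "alerts",
                "password": "hunter2"
              }
            }
          }
        }
      },
      "monitoring": {
        "exporters": {
          "remote": {
            "type": "http",
            "host": "https://monitor.example.internal:9200",
            "auth": {"username": "exporter", "password": "s3cret-exporter"}
          }
        }
      }
    },
    "cluster": {"routing": {"allocation": {"enable": "all"}}}
  },
  "transient": {
    "xpack.monitoring.exporters.remote.auth.password": "s3cret-transient"
  }
}
""")

if __name__ == "__main__":
    for key, value in find_exposed_secrets(SAMPLE_RESPONSE):
        print(f"LEAK {key} = {redact(value)}")
```

On a fixed node the same query should return the persistent and transient sections with no credential leaves at all. Because the scan keys off setting names, it will not catch a secret embedded in an otherwise innocuous value (a webhook URL, for instance), so still read the raw output once; and treat any hit as a reason to rotate that credential, since every user able to read cluster settings on the unpatched node could have seen it.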

CVE ID: CVE-2018-3831