Elastic Stack 6.4.3 and 5.6.13 security update

Elasticsearch information disclosure (ESA-2018-16)

Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for another request if the same username is being authenticated concurrently; when used with run as, this can result in the request running as the incorrect user. This could allow a user to access information that they should not have access to.

Affected Versions
Elasticsearch Security versions 6.4.0, 6.4.1, and 6.4.2

Solutions and Mitigations
Users should upgrade to Elasticsearch version 6.4.3.

If upgrading is not possible, setting the realm's cache.ttl option to 0 will prevent any user data from being cached. This mitigates the issue but will slow requests considerably.

CVE ID: CVE-2018-17244


Kibana credential exposure (ESA-2018-17)

Yuri Astrakhan and Nick Peihl of Elastic discovered that Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are used when generating PDF reports. If a report requests external resources, plaintext credentials are included in the HTTP request and could be recovered by the external resource provider.

Affected Versions
Kibana versions 4.6 to 6.4.2 and 5.6.12

Solutions and Mitigations
Users should upgrade to Elastic Stack version 6.4.3 or 5.6.13.

Users unable to upgrade can disable the Reporting feature in Kibana by setting xpack.reporting.enabled to false in the kibana.yml file. This does not prevent credentials that have already leaked from being reused.

For more information about mitigating this flaw, please see our blog post.

CVE ID: CVE-2018-17245


Kibana arbitrary file inclusion (ESA-2018-18)

Nethanel Coppenhagen of CyberArk Labs discovered that Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that attempts to execute JavaScript code. This could lead to the attacker executing arbitrary commands with the permissions of the Kibana process on the host system.

Affected Versions
Kibana versions after 5.0

Solutions and Mitigations
Users should upgrade to Elastic Stack version 6.4.3 or 5.6.13.

Users unable to upgrade can disable the Kibana Console plugin by setting "console.enabled: false" in the kibana.yml file.

CVE ID: CVE-2018-17246
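A triage helper for the two Kibana advisories above (ESA-2018-17 and ESA-2018-18), added here as an example and not Elastic's own tooling: it checks a Kibana version against the affected ranges stated in the advisories and reports whether kibana.yml carries the documented workaround (Reporting disabled, Console disabled). It assumes kibana.yml uses flat "key: value" lines rather than nested YAML mappings, that an absent setting keeps its enabled default, and that a range such as "4.0 to 4.6" includes every 4.6.x release.

```python
BIG = 10 ** 9  # stands in for "any patch release" in an open-ended range

# Inclusive affected ranges from the advisory text above, as (major, minor, patch).
CREDENTIAL_EXPOSURE = [((4, 0, 0), (4, 6, BIG)), ((5, 0, 0), (5, 6, 12)),
                       ((6, 0, 0), (6, 4, 2))]                 # ESA-2018-17
FILE_INCLUSION = [((5, 0, 0), (5, 6, 12)), ((6, 0, 0), (6, 4, 2))]  # ESA-2018-18

def parse_version(text):
    """'6.4.2' -> (6, 4, 2); a missing component counts as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def in_ranges(version, ranges):
    return any(lo <= version <= hi for lo, hi in ranges)

def parse_kibana_yml(text):
    """Flat 'key: value' parser (assumption); comments stripped, nested blocks ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings

def is_disabled(settings, key):
    # Assumption: an absent key keeps the default of "enabled".
    return settings.get(key, "true").lower() == "false"

def assess(version_text, kibana_yml):
    """Per advisory: is this version affected, and is the documented
    workaround (Reporting off / Console off) present in kibana.yml?"""
    version = parse_version(version_text)
    settings = parse_kibana_yml(kibana_yml)
    return {
        "ESA-2018-17": {"affected": in_ranges(version, CREDENTIAL_EXPOSURE),
                        "mitigated": is_disabled(settings, "xpack.reporting.enabled")},
        "ESA-2018-18": {"affected": in_ranges(version, FILE_INCLUSION),
                        "mitigated": is_disabled(settings, "console.enabled")},
    }

# Constructed sample kibana.yml: Console disabled, Reporting left at its default.
SAMPLE_KIBANA_YML = """\
server.port: 5601
console.enabled: false   # ESA-2018-18 workaround
"""
```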