Elastic Stack 6.6.1 and 5.6.15 security update

Kibana XSS issue (ESA-2019-01)

Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS) vulnerability that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

Affected Versions
Kibana versions before 5.6.15 and 6.6.1

Solutions and Mitigations:
Users should upgrade to Kibana version 6.6.1 or 5.6.15.

CVE ID: CVE-2019-7608


Kibana Timelion Remote Code Execution issue (ESA-2019-02)

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute JavaScript code. This could possibly lead to an attacker executing arbitrary commands with the permissions of the Kibana process on the host system.

Affected Versions
Kibana versions before 5.6.15 and 6.6.1

Solutions and Mitigations:
Users should upgrade to Kibana version 6.6.1 or 5.6.15. Users unable to upgrade can disable Timelion by setting timelion.enabled to false in the kibana.yml configuration file.

CVE ID: CVE-2019-7609


Kibana audit logging Remote Code Execution issue (ESA-2019-03)

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could send a request that will attempt to execute JavaScript code. This could possibly lead to an attacker executing arbitrary commands with the permissions of the Kibana process on the host system.

Affected Versions
Kibana versions before 5.6.15 and 6.6.1

Solutions and Mitigations:
Users should upgrade to Kibana version 6.6.1 or 5.6.15. Users unable to upgrade can set the xpack.security.audit.enabled setting to false in the kibana.yml configuration file if it is currently set to true. The setting defaults to false if not specified in the configuration file.

CVE ID: CVE-2019-7610


Elasticsearch improper permission issue when attaching a new name to an index (ESA-2019-04)

A permission issue was found in Elasticsearch when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used. If the elasticsearch.yml file has xpack.security.dls_fls.enabled set to false, certain permission checks are skipped when users perform one of the actions mentioned above to make existing data available under a new index or alias name. This could result in an attacker gaining additional permissions against a restricted index.

Affected Versions
Elasticsearch Security versions before 5.6.15 and 6.6.1

Solutions and Mitigations:
Users should upgrade to Elasticsearch version 6.6.1 or 5.6.15. Users unable to upgrade can change the xpack.security.dls_fls.enabled setting to true in their elasticsearch.yml file. The default setting for this option is true.

CVE ID: CVE-2019-7611


Logstash sensitive data disclosure issue (ESA-2019-05)

A sensitive data disclosure flaw was found in the way Logstash logs malformed URLs. If a malformed URL is specified as part of the Logstash configuration, the credentials for the URL could be inadvertently logged as part of the error message.

Affected Versions
Logstash versions before 6.6.1 and 5.6.15

Solutions and Mitigations:
Users should upgrade to Elasticsearch version 6.6.1 or 5.6.15.

CVE ID: CVE-2019-7612
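
The version ranges and configuration mitigations from the five advisories above, combined into one triage check per node (an added example, not code from Elastic). The function names, the minimal YAML flattening, and the reading of "before 5.6.15 and 6.6.1" as "older than the fixed release on its own 5.x or 6.x line" are assumptions; the sample kibana.yml is constructed.

```python
import re

def flatten_settings(text):
    """Flatten simple YAML (dotted or nested keys, scalar values) to dotted keys."""
    settings, stack = {}, []  # stack holds (indent, key) of open parent mappings
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()  # drop trailing comments
        m = re.match(r"^(\s*)([\w.]+):\s*(.*)$", line)
        if not m:
            continue  # blank lines, comment lines and lists are out of scope
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip("\"' ")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if value == "":
            stack.append((indent, key))
        else:
            settings[".".join([k for _, k in stack] + [key])] = value.lower()
    return settings

def is_affected(version):
    """Assumption: numeric x.y.z; 5.x and older need 5.6.15, 6.x needs 6.6.1."""
    v = tuple(int(p) for p in version.split(".")[:3])
    return v < (5, 6, 15) or (6, 0, 0) <= v < (6, 6, 1)

def open_advisories(product, version, config_text=""):
    """Return the ESA ids from this page that still apply to one node."""
    if not is_affected(version):
        return []
    s = flatten_settings(config_text)
    if product == "kibana":
        found = ["ESA-2019-01"]  # XSS: upgrading is the only fix listed
        if s.get("timelion.enabled") != "false":  # mitigated only if set to false
            found.append("ESA-2019-02")
        if s.get("xpack.security.audit.enabled") == "true":  # defaults to false
            found.append("ESA-2019-03")
        return found
    if product == "elasticsearch":  # assumes the security feature is in use
        off = s.get("xpack.security.dls_fls.enabled") == "false"  # defaults to true
        return ["ESA-2019-04"] if off else []
    return ["ESA-2019-05"] if product == "logstash" else []

# Constructed sample kibana.yml (not from a real deployment).
SAMPLE_KIBANA_YML = """\
timelion.enabled: false   # mitigation for ESA-2019-02
xpack:
  security:
    audit.enabled: true
"""
if __name__ == "__main__":
    print(open_advisories("kibana", "6.5.4", SAMPLE_KIBANA_YML))
```

Run against the sample, a Kibana 6.5.4 node with Timelion disabled but audit logging enabled still reports ESA-2019-01 and ESA-2019-03; only the upgrade clears both.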