Elastic Stack 6.8.2 and 7.2.1 security update

Elasticsearch race condition flaw (ESA-2019-07)
A race condition flaw was found in the response headers Elasticsearch returns to a request. On a system with multiple users submitting requests, it could be possible for an attacker to gain access to a response header containing sensitive data from another user.

Affected Versions
Elasticsearch versions before 7.2.1 and 6.8.2

Solutions and Mitigations:
Users should upgrade to Elasticsearch version 7.2.1 or 6.8.2. There is no workaround for this issue.

CVSSv3: 2.0 - AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
CVE ID: CVE-2019-7614


Kibana graphite Server Side Request Forgery flaw (ESA-2019-09)
Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for the Timelion visualizer. An attacker with administrative Kibana access could set the timelion:graphite.url configuration option to an arbitrary URL. This could possibly lead to an attacker accessing external URL resources as the Kibana process on the host system.

Kibana now includes a timelion.graphiteUrls option that allows administrators to whitelist valid graphite URLs in the kibana.yml file.

Thanks to Braden Hollembaek of Salesforce for reporting this issue.

Affected Versions
Kibana versions before 7.2.1 and 6.8.2

Solutions and Mitigations:
Users should upgrade to Kibana version 7.2.1 or 6.8.2. Users unable to upgrade can disable Timelion by setting timelion.enabled to false in the kibana.yml configuration file.

CVSSv3: 3.4 - AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
CVE ID: CVE-2019-7616
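The allowlist approach behind the timelion.graphiteUrls option, shown as an added example that is not Kibana's own code: an operator-supplied Graphite URL is canonicalised and must match an allowlisted entry exactly before the server makes any request with it. The hostnames, the GRAPHITE_ALLOWLIST values and the function names are constructed for this illustration, and exact origin-plus-path matching is this example's own rule, not a description of how Kibana compares entries.

```javascript
// Added illustration, not Kibana's code: validate an operator-supplied Graphite
// base URL against a fixed allowlist before it is used for a server-side fetch.
// All hosts and names below are constructed for the example.

// Constructed stand-in for the values an administrator would list under
// timelion.graphiteUrls in kibana.yml.
const GRAPHITE_ALLOWLIST = [
  'https://graphite.example.internal/render',
  'https://graphite-two.example.internal:8443/render',
];

// Reduce a URL to the parts that identify the upstream: scheme, host, port and
// path. The WHATWG URL parser lowercases scheme and host, drops default ports
// and resolves "." / ".." segments, so lookalike spellings collapse to one form.
function canonicalGraphiteUrl(raw) {
  const u = new URL(raw); // throws on unparsable input
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    throw new Error(`unsupported scheme: ${u.protocol}`);
  }
  if (u.username || u.password) {
    throw new Error('embedded credentials are not allowed');
  }
  return u.origin + u.pathname.replace(/\/+$/, '');
}

// True only when the candidate equals an allowlist entry after canonicalisation.
// Exact matching, rather than a prefix or substring check, is what stops the
// setting from steering requests at hosts the operator never approved.
function isAllowedGraphiteUrl(candidate, allowlist = GRAPHITE_ALLOWLIST) {
  let wanted;
  try {
    wanted = canonicalGraphiteUrl(candidate);
  } catch (_err) {
    return false; // unparsable, wrong scheme or credentials: never allowed
  }
  return allowlist.some((entry) => {
    try {
      return canonicalGraphiteUrl(entry) === wanted;
    } catch (_err) {
      return false; // a malformed allowlist entry matches nothing
    }
  });
}

// The URL a server-side fetch may use: the configured value when allowlisted,
// otherwise null so the caller refuses to issue the request.
function selectGraphiteUrl(configured, allowlist = GRAPHITE_ALLOWLIST) {
  return isAllowedGraphiteUrl(configured, allowlist) ? configured : null;
}

// Stand-alone demonstration over constructed inputs.
if (typeof require !== 'undefined' && require.main === module) {
  for (const candidate of [
    'https://graphite.example.internal/render',
    'https://graphite.example.internal/render/../../admin',
    'http://localhost:9200/',
  ]) {
    console.log(candidate, '->', selectGraphiteUrl(candidate));
  }
}
```

Run with node to see the three decisions; only the first candidate is accepted, because the dot-segment path resolves to a different path and the localhost URL is not in the list at all. The same canonicalise-then-compare step is the check to look for when reviewing any feature that lets an administrator point the server at a URL. Users who cannot upgrade still have the page's own mitigation of setting timelion.enabled to false in kibana.yml.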


Kibana lodash prototype pollution flaw (ESA-2019-10)
A prototype pollution flaw exists in lodash, a component used by Kibana. An attacker with access to Kibana may be able to use this lodash flaw to unexpectedly modify internal Kibana data. Prototype pollution can be leveraged to execute a cross-site scripting (XSS), denial of service (DoS), or Remote Code Execution attack against Kibana. No exploitable vectors in Kibana have been identified at the time of publishing.

Affected Versions
Kibana versions before 7.2.1 and 6.8.2

Solutions and Mitigations:
Users should upgrade to Kibana version 7.2.1 or 6.8.2. There is no workaround for this issue.

CVSSv3: 6.2 - AV:A/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N
CVE ID: CVE-2019-10744
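What "prototype pollution" in a merge helper means in practice, as an added example that is neither lodash's nor Kibana's code: a recursive merge written the naive way follows a "__proto__" key from parsed JSON straight into Object.prototype, the hardened form refuses prototype-related keys and only recurses into the target's own properties, and a small runtime check reports whether Object.prototype has picked up enumerable properties. The input payload, function names and the "polluted" property are constructed for this illustration.

```javascript
// Added illustration, not lodash's or Kibana's code: the naive deep merge that
// is vulnerable to prototype pollution, the hardened version, and a runtime
// check. All names and inputs are constructed for the example.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Naive deep merge: recurses into whatever key the source supplies. On a plain
// object target["__proto__"] resolves to Object.prototype, so the recursion
// writes into the prototype shared by every object in the runtime.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Keys that reach the prototype chain rather than the object itself.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened deep merge: drops prototype-related keys and only recurses into
// properties the target actually owns, never into inherited ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // a stricter policy could throw here
    if (isPlainObject(source[key])) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Object.prototype's built-in members are non-enumerable, so any enumerable
// key on it is a sign that something assigned through the prototype.
function prototypePollutionDetected() {
  return Object.keys(Object.prototype).length > 0;
}

// Constructed payload shaped like JSON a client might submit. JSON.parse keeps
// "__proto__" as an ordinary own key, which is what makes the naive merge unsafe.
const CONSTRUCTED_INPUT = JSON.parse('{"title":"dashboard","__proto__":{"polluted":true}}');

// Run both merges against the constructed payload and report what an unrelated
// fresh object inherits afterwards; the unsafe effect is undone before returning.
function mergeComparison() {
  const before = ({}).polluted; // undefined on a clean runtime
  unsafeMerge({}, CONSTRUCTED_INPUT);
  const afterUnsafe = ({}).polluted; // true: every object now inherits it
  delete Object.prototype.polluted; // restore the runtime for the rest of the program
  const safeTarget = safeMerge({}, CONSTRUCTED_INPUT);
  const afterSafe = ({}).polluted; // still undefined
  return { before, afterUnsafe, afterSafe, safeTarget };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(mergeComparison());
  console.log('prototype polluted now?', prototypePollutionDetected());
}
```

The comparison is the whole lesson of the advisory's "unexpectedly modify internal Kibana data" sentence: after the naive merge, a property appears on objects the code never touched, which is why the effect can surface as XSS, DoS or worse far from the merge call. The hardened merge and the prototypePollutionDetected() check are the two defensive patterns to apply when a dependency such as lodash cannot be upgraded immediately.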