Elastic Stack 6.8.9 and 7.7.0 security update

Kibana upgrade assistant prototype pollution flaw (ESA-2020-05)

Kibana versions from 6.7.0 to 6.8.8 and from 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. An authenticated attacker with privileges to write to the Kibana index could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker executing code with the permissions of the Kibana process on the host system.

Affected Versions
All versions of Kibana from 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2

Solutions and Mitigations
Users should upgrade to Kibana version 7.7.0 or 6.8.9. Users unable to upgrade can disable the Upgrade Assistant using the instructions below.

Upgrade Assistant can be disabled by setting the following options in Kibana:

Kibana versions 6.7.0 and 6.7.1 can set ‘upgrade_assistant.enabled: false’ in the kibana.yml file

Kibana versions starting with 6.7.2 can set ‘xpack.upgrade_assistant.enabled: false’ in the kibana.yml file

This flaw is mitigated by default in all Elastic Cloud Kibana versions.

CVSSv3: 6.6 - AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
CVE ID: CVE-2020-7012


Kibana TSVB prototype pollution flaw (ESA-2020-06)

Kibana versions before 6.8.9 and 7.7.0 contain a prototype pollution flaw in TSVB. An authenticated attacker with privileges to create TSVB visualizations could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker executing code with the permissions of the Kibana process on the host system.

Affected Versions
All versions of Kibana before 7.7.0 and 6.8.9

Solutions and Mitigations
Users should upgrade to Kibana version 7.7.0 or 6.8.9. Users unable to upgrade can disable TSVB by setting "metrics.enabled: false" in the kibana.yml file.

This flaw is mitigated by default in all Elastic Cloud Kibana versions.

CVSSv3: 6.6 - AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
CVE ID: CVE-2020-7013
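
The following triage check is an added example, not code from Elastic: given a Kibana version and the text of its kibana.yml, it reports for ESA-2020-05 and ESA-2020-06 whether the version is affected and whether the mitigation setting named above is present. It assumes plain x.y.z version strings and flat, unindented dotted keys in kibana.yml; the function names and the sample file are constructed for illustration.

```python
import re

# Constructed sample kibana.yml (flat dotted keys only; nested YAML is not parsed here).
SAMPLE_YML = """\
server.port: 5601
xpack.upgrade_assistant.enabled: false
metrics.enabled: false   # TSVB disabled
"""

def parse_version(text):
    """'7.6.2' -> (7, 6, 2); any suffix after x.y.z is ignored."""
    return tuple(int(n) for n in re.match(r"(\d+)\.(\d+)\.(\d+)", text).groups())

def flat_settings(yml_text):
    """Collect unindented 'dotted.key: value' lines, dropping trailing comments."""
    settings = {}
    for line in yml_text.splitlines():
        m = re.match(r"([A-Za-z0-9_.]+)\s*:\s*([^#]*)", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("'\"").lower()
    return settings

def kibana_status(version, yml_text):
    """Map each advisory to 'not affected', 'mitigation set' or 'VULNERABLE'."""
    v, cfg = parse_version(version), flat_settings(yml_text)

    def verdict(affected, key):
        if not affected:
            return "not affected"
        return "mitigation set" if cfg.get(key) == "false" else "VULNERABLE"

    # ESA-2020-05: 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2; the setting name changed at 6.7.2.
    ua_affected = (6, 7, 0) <= v <= (6, 8, 8) or (7, 0, 0) <= v <= (7, 6, 2)
    ua_key = "upgrade_assistant.enabled" if v < (6, 7, 2) else "xpack.upgrade_assistant.enabled"
    # ESA-2020-06: every version before the fixed releases 6.8.9 and 7.7.0.
    tsvb_affected = v < (6, 8, 9) or (7, 0, 0) <= v < (7, 7, 0)
    return {
        "ESA-2020-05": verdict(ua_affected, ua_key),
        "ESA-2020-06": verdict(tsvb_affected, "metrics.enabled"),
    }

if __name__ == "__main__":
    for ver in ("6.7.1", "7.6.2", "7.7.0"):
        print(ver, kibana_status(ver, SAMPLE_YML))
```

With the sample file, 6.7.1 is still reported as vulnerable to ESA-2020-05 because that version reads the unprefixed `upgrade_assistant.enabled` key, not the `xpack.`-prefixed one.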


Elasticsearch authentication API key privilege escalation (ESA-2020-07)

The fix for ESA-2020-02 (CVE-2020-7009) was found to be incomplete.

Elasticsearch versions from 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a privilege escalation flaw if an attacker is able to create API keys and also authentication tokens. An attacker who is able to generate an API key and an authentication token can perform a series of steps that result in an authentication token being generated with elevated privileges.

Affected Versions
All versions from 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 are vulnerable to this issue.

Solutions and Mitigations
Users should upgrade to Elasticsearch version 7.7.0 or 6.8.9. Users who are unable to upgrade can mitigate this flaw by disabling API keys by setting ‘xpack.security.authc.api_key.enabled’ to false in the elasticsearch.yml file.

CVSSv3: 6.4 - AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE ID: CVE-2020-7014
