Elastic Stack 7.11.0 and 6.8.14 Security Update

Elasticsearch information disclosure (ESA-2021-03)

Elasticsearch versions before 7.10.0 and 6.8.14 have an information disclosure issue when audit logging and the emit_request_body option are both enabled. Because the option writes the body of each audited request to the audit log, the log could contain sensitive information such as password hashes or authentication tokens submitted in those requests. This could allow an Elasticsearch administrator who can read the audit log to view these details.

Affected Versions:

All versions of Elasticsearch before 7.10.0 and 6.8.14 are affected by this flaw.

Solutions and Mitigations:

Anyone using audit logging with the xpack.security.audit.logfile.events.emit_request_body setting enabled should upgrade to Elasticsearch version 7.10.0 or 6.8.14. This issue can be worked around by disabling the emit_request_body option in the elasticsearch.yml file. Note that disabling the option only stops further capture: request bodies already written to existing audit log files remain there and should be reviewed and redacted or rotated out.

CVSSv3 - 1.9: AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N

CVE ID: CVE-2020-7021
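
A check a practitioner would want after the above, added here as an example and not Elastic's code: scan an existing JSON audit log for events whose captured request body carries credentials, and redact those values before the file is shared. It assumes one JSON event per line with the body stored as a string under a "request.body" key (the other event keys, the list of sensitive field names and the sample lines are constructed for this example).

```python
"""Scan an Elasticsearch JSON audit log for request bodies that captured
credentials (the exposure described in ESA-2021-03 / CVE-2020-7021).

Added example, not Elastic's code. Assumptions:
  * one JSON audit event per line
  * when emit_request_body is on, the body is a string under "request.body"
  * SAMPLE_AUDIT_LINES below are constructed, not taken from a real cluster
"""
import json
import re

# Body field names treated as secrets (assumed list; extend for your APIs).
SENSITIVE_KEYS = {"password", "password_hash", "access_token",
                  "refresh_token", "api_key", "secret"}


def _event(ts, user, method, path, body=None):
    """Build one constructed audit line in the assumed flat-key layout."""
    ev = {"type": "audit", "timestamp": ts, "event.type": "rest",
          "event.action": "authentication_success", "user.name": user,
          "request.method": method, "url.path": path}
    if body is not None:
        ev["request.body"] = json.dumps(body)
    return json.dumps(ev)


# Constructed sample log: two leaking events, one without a body,
# one harmless body, one malformed line.
SAMPLE_AUDIT_LINES = [
    _event("2021-02-10T12:00:01,000+0000", "elastic", "POST",
           "/_security/user/alice/_password",
           {"password": "Hunter2-correct-horse"}),
    _event("2021-02-10T12:00:02,000+0000", "elastic", "POST",
           "/_security/oauth2/token",
           {"grant_type": "refresh_token", "refresh_token": "vLBPvmAB6KvwvJZr27cS"}),
    _event("2021-02-10T12:00:03,000+0000", "alice", "GET", "/_cat/indices"),
    _event("2021-02-10T12:00:04,000+0000", "alice", "PUT", "/logs-2021/_doc/1",
           {"message": "login ok", "level": "info"}),
    "not json at all",
]


def _walk(obj, path=()):
    """Yield (dotted_path, value) for every leaf of a parsed JSON body."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _walk(v, path + (k,))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _walk(v, path + (str(i),))
    else:
        yield ".".join(path), obj


def find_leaked_fields(body_text):
    """Return sorted dotted names of sensitive fields in one request body.
    Bodies that are not a single JSON document (e.g. ndjson for _bulk)
    fall back to a key-name regex so they are not silently skipped."""
    try:
        parsed = json.loads(body_text)
    except (TypeError, ValueError):
        pattern = r'"(%s)"\s*:' % "|".join(map(re.escape, SENSITIVE_KEYS))
        return sorted({m.group(1) for m in re.finditer(pattern, body_text or "")})
    return sorted(p for p, _ in _walk(parsed)
                  if p.rsplit(".", 1)[-1].lower() in SENSITIVE_KEYS)


def scan_audit_log(lines):
    """Return (findings, malformed_count). One finding per event whose body
    leaks a secret; bad lines are counted rather than aborting the scan."""
    findings, malformed = [], 0
    for lineno, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except ValueError:
            malformed += 1
            continue
        body = event.get("request.body")
        if body is None:
            continue  # emit_request_body was off, or the request had no body
        leaked = find_leaked_fields(body)
        if leaked:
            findings.append({"line": lineno, "timestamp": event.get("timestamp"),
                             "user": event.get("user.name"),
                             "path": event.get("url.path"),
                             "leaked_fields": leaked})
    return findings, malformed


def redact_event(line):
    """Return the audit line with sensitive body values replaced, for
    sanitising a log before it leaves the host. Lines without a JSON body
    are returned unchanged."""
    try:
        event = json.loads(line)
        body = json.loads(event["request.body"])
    except (ValueError, KeyError, TypeError):
        return line

    def scrub(obj):
        if isinstance(obj, dict):
            return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else scrub(v))
                    for k, v in obj.items()}
        if isinstance(obj, list):
            return [scrub(v) for v in obj]
        return obj

    event["request.body"] = json.dumps(scrub(body))
    return json.dumps(event)


if __name__ == "__main__":
    found, bad = scan_audit_log(SAMPLE_AUDIT_LINES)
    for f in found:
        print(f"line {f['line']}: {f['user']} {f['path']} -> {f['leaked_fields']}")
    print(f"{len(found)} leaking events, {bad} malformed lines")
```

Run it against a real log with `scan_audit_log(open(path))`; the ndjson fallback matters for `_bulk` and similar bodies, which are not a single JSON document and would otherwise be skipped.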


Kibana visualization XSS (ESA-2021-04)

The Kibana “Vega” visualization type is susceptible to both stored and reflected XSS via a vulnerable version of the Vega library. Users who can create these visualizations or craft a vulnerable URL describing this visualization can execute arbitrary JavaScript in the victim’s browser.

Affected Versions:

All versions of Kibana before 7.10.2 and 6.8.14 are affected by this flaw.

Solutions and Mitigations:

Users should upgrade to Kibana version 7.10.2 or 6.8.14. Users unable to upgrade can disable Vega visualizations by setting 'vega.enabled: false' in the kibana.yml file; this removes the visualization type entirely, so existing Vega visualizations will no longer render until the upgrade is done.

CVSSv3 - 8.7: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

CVE ID: CVE-2020-26296