Elasticsearch privilege escalation issue (ESA-2022-02)
A flaw was discovered in Elasticsearch 7.17.0’s upgrade assistant, in which upgrading from version 6.x to 7.x would disable the in-built protections on the security index, allowing authenticated users with “*” index permissions access to this index.
Affected Versions:
Versions 7.16.0 through 7.17.0.
Solutions and Mitigations:
Users running a cluster on an affected version that had previously been upgraded from 6.x, should upgrade to 7.17.1. Users that are planning to upgrade from 6.x should not perform an upgrade from 6.x to versions 7.16 through 7.17.0 and should use 7.17.1+ for upgrades from 6.x.
CVSSv3:
6.8 (Medium) - AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
CVE ID:
CVE-2022-23708
Kibana missing authorization issue (ESA-2022-03)
A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules. A user with this privilege would be able to create new alerting rules or overwrite existing ones. However, any new or modified rules would not be enabled, and a user with this privilege could not modify alerting connectors. This effectively means that Read users could disable existing alerting rules.
Affected Versions:
Versions 7.7.0 through 7.17.0, and 8.0.0.
Solutions and Mitigations:
The issue is fixed in 7.17.1, 8.01, and 8.1.0.
As mitigation, users on affected versions can avoid granting users Read access to the Uptime feature if they should not be able to otherwise create/modify alerts, and avoid using the built-in Viewer role.
CVSSv3:
4.3 (Medium) - AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVE ID:
CVE-2022-23709
Kibana cross-site-scripting (XSS) issue (ESA-2022-04)
A cross-site-scripting (XSS) vulnerability was discovered in the Data Preview Pane (previously known as Index Pattern Preview Pane) which could allow arbitrary JavaScript to be executed in a victim’s browser.
Affected Versions:
For self-managed deployments the issue impacts versions 7.15.0, 7.15.1, and 7.15.2
For Elastic Cloud Services the issue impacts versions 7.15.0 through 7.17.0, and 8.0.0.
Solutions and Mitigations:
This issue is fixed in 7.17.1, 8.0.1, and 8.1.0.
As mitigation, users on affected versions can avoid granting users All access to the Index Pattern Management and Saved Object Management features if they should not be able to otherwise create/modify index patterns. Note: index patterns are called data views starting in 8.0.
CVSSv3:
5.4 (Medium) - AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
CVE ID:
CVE-2022-23710