Elastic Stack 7.5.0 security update

Metricbeat and Filebeat DSA public key panic (ESA-2019-15)

A denial of service flaw when parsing malformed DSA public keys was discovered in Go, the language used to implement Beats. If Metricbeat or Filebeat are configured to accept incoming TLS connections with client authentication enabled, a remote attacker could cause the Beat to stop processing events.

Affected Versions
All versions of Metricbeat and Filebeat before 7.5.0.

Solutions and Mitigations
Users should upgrade to Metricbeat and Filebeat 7.5.0.

We are unable to upgrade Metricbeat and Filebeat 6.8 due to the version of Go used. It is possible to mitigate this flaw if users are unable to upgrade to version 7.5.0.

The Filebeat syslog input and Metricbeat graphite and httpd modules could be vulnerable to this if configured to accept incoming TLS connections with client authentication enabled. Instances configured in this manner and unable to upgrade to version 7.5.0 should use firewall rules to prevent malicious access. Alternatively a TLS termination proxy such as stunnel could be configured to prevent direct incoming TLS connections.

CVSSv3: 5.9 - AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2019-17596


APM Server DSA public key panic (ESA-2019-16)

A denial of service flaw when parsing malformed DSA public keys was discovered in Go, the language used to implement APM Server. If APM Server is configured to accept incoming TLS connections with client authentication enabled, a remote attacker could cause APM Server to stop processing events.

Affected Versions
All versions of APM Server before 7.5.0.

Solutions and Mitigations
Users should upgrade to APM Server 7.5.0.

We are unable to upgrade APM server version 6.8 due to the version of Go used. It is possible to mitigate this flaw if users are unable to upgrade to version 7.5.0.

The APM server is vulnerable to this if configured to accept incoming TLS connections with client authentication enabled. Instances configured in this manner and unable to upgrade to version 7.5.0 should use firewall rules to prevent malicious access. Alternatively a TLS termination proxy such as stunnel could be configured to prevent direct incoming TLS connections.

CVSSv3: 5.9 - AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2019-17596