Elastic Stack 8.7.0, 7.17.10 Security Updates

Filebeat Information Exposure (ESA-2023-04)

A flaw was discovered in the Filebeat httpjson input that allows the http request Authorization or Proxy-Authorization header contents to be leaked in the logs when debug logging is enabled.

Affected Versions:

All filebeat versions through 7.17.9 and 8.6.2

Solutions and Mitigations:

The issue is resolved in versions 8.7.0, and 7.17.10

CVSSv3: 5.5(Medium) - AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE ID: CVE-2023-31413


Kibana Cross-Site Scripting (ESA-2023-05)

A flaw (CVE-2023-26486) was discovered in one of Kibana’s dependencies, which could allow arbitrary JavaScript to be executed in a victim’s browser via a maliciously crafted custom visualization in Kibana.

Affected Versions:

Kibana versions 7.9.0 to 7.17.9 and Kibana versions 8.0.0 to 8.6.2

Solutions and Mitigations:

The issue is resolved in versions 7.17.10 and 8.7.0

If you are unable to upgrade and are on Kibana versions >= 8.3.0, the XSS can be mitigated by setting csp.disableUnsafeEval: true in your kibana.yml file. Note that this setting is in technical preview until Kibana 8.7.0, after which it is enabled by default.

CVSSv3: 6.1(Medium) - AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE ID: CVE-2023-26486


Kibana Cross-Site Scripting (ESA-2023-06)

A flaw (CVE-2023-26487) was discovered in one of Kibana’s dependencies, which could allow arbitrary JavaScript to be executed in a victim’s browser via a maliciously crafted custom visualization in Kibana.

Affected Versions:
Kibana versions 7.17.4 to 7.17.9 and Kibana versions 8.2.0 to 8.6.2

Solutions and Mitigations:
The issue is resolved in versions 7.17.10 and 8.7.0

If you are unable to upgrade and are on Kibana versions >= 8.3.0, the XSS can be mitigated by setting csp.disableUnsafeEval: true in your kibana.yml file. Note that this setting is in technical preview until Kibana 8.7.0, after which it is enabled by default.

CVSSv3: 6.1(Medium) - AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE ID: CVE-2023-26487