Kibana 5.5.2 and 4.6.5 security update

(Josh Bressers) #1

Kibana markdown parser Cross Site Scripting (XSS) error (ESA-2017-16)

Kibana versions prior to 5.5.2 had a cross-site scripting (XSS) vulnerability in the markdown parser that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

Affected Versions: All prior to 5.5.2 and 4.6.5

Solutions and Mitigations:
Users should upgrade to Kibana version 5.5.2 or 4.6.5.

Reporting impersonation error (ESA-2017-17)

The Reporting feature in X-Pack in versions prior to 5.5.2 and standalone Reporting plugin versions prior to 2.4.6 had an impersonation vulnerability. A user with the reporting_user role could execute a report with the permissions of another reporting user, possibly gaining access to sensitive data.

Affected Versions: All prior to 5.5.2 and 2.4.6

Solutions and Mitigations:
Reporting users should upgrade to X-Pack version 5.5.2 or Reporting Plugin version 2.4.6. A mitigation for this issue is to remove the reporting_user role from any untrusted users of your Elastic Stack.

CVE ID: CVE-2017-8446
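As an added example that is not part of the advisory or of any Elastic code, the following helper turns the two advisories into a check an operator can run: it compares Kibana, X-Pack and Reporting plugin version strings against the fixed versions stated above, and it lists which users hold the reporting_user role (the mitigation for ESA-2017-17). The user listing assumes input in the shape of the X-Pack security user API response, a mapping from user name to an object carrying a "roles" list and an "enabled" flag; the sample document below is constructed, not captured from a real cluster.

```python
"""Audit helper for ESA-2017-16 / ESA-2017-17 (added example, not Elastic's code)."""
import json

# Constructed sample in the assumed shape of the X-Pack security user API output.
SAMPLE_USERS_JSON = json.dumps({
    "alice": {"username": "alice", "roles": ["kibana_user", "reporting_user"], "enabled": True},
    "bob": {"username": "bob", "roles": ["kibana_user"], "enabled": True},
    "svc-report": {"username": "svc-report", "roles": ["reporting_user"], "enabled": False},
})

# Fixed versions per major branch, taken from the advisory text.
KIBANA_FIXED = {4: (4, 6, 5), 5: (5, 5, 2)}          # ESA-2017-16
XPACK_FIXED = {5: (5, 5, 2)}                         # ESA-2017-17, X-Pack Reporting
REPORTING_PLUGIN_FIXED = {2: (2, 4, 6)}              # ESA-2017-17, standalone plugin


def parse_version(version):
    """'5.5.2' or '5.5.2-beta1' -> (5, 5, 2); pre-release suffixes are ignored."""
    core = version.split("-", 1)[0]
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version, fixed_by_major):
    """True when the version precedes the fix on its own branch.

    'All prior to X' also covers majors older than any branch that received a fix;
    majors newer than every listed branch are treated as not affected.
    """
    v = parse_version(version)
    fixed = fixed_by_major.get(v[0])
    if fixed is not None:
        return v < fixed
    return v[0] < min(fixed_by_major)


def users_with_role(users_json, role="reporting_user", include_disabled=False):
    """Names of users holding `role`; disabled accounts are skipped unless asked for."""
    users = json.loads(users_json)
    return sorted(
        name for name, info in users.items()
        if role in info.get("roles", [])
        and (include_disabled or info.get("enabled", True))
    )


def audit(kibana_version, xpack_version, reporting_plugin_version, users_json):
    """Combine both advisories into one report dict for the operator."""
    return {
        "kibana_xss_affected": is_affected(kibana_version, KIBANA_FIXED),
        "xpack_reporting_affected": is_affected(xpack_version, XPACK_FIXED),
        "reporting_plugin_affected": is_affected(reporting_plugin_version, REPORTING_PLUGIN_FIXED),
        # Accounts to review if the reporting fix cannot be applied yet.
        "reporting_users": users_with_role(users_json),
    }


if __name__ == "__main__":
    print(json.dumps(audit("5.5.1", "5.5.1", "2.4.5", SAMPLE_USERS_JSON), indent=2))
```

A real run would feed the output of the cluster's user API into `audit` in place of the constructed sample; any name listed under `reporting_users` that is not a trusted reporting user is a candidate for having the role removed until the upgrade lands.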