Kibana RCE due to chromium type confusion (ESA-2024-17)
On March 26, 2024, a type confusion vulnerability was found in WebAssembly in Google Chrome version prior to 123.0.6312.86 which allows a remote attacker to execute arbitrary code via a crafted HTML page.
Kibana includes a bundled version of headless Chromium that is only used for Kibana’s reporting capabilities and which is affected by this vulnerability. An exploit for Kibana has not been identified, however as a resolution, the bundled version of Chromium is updated in this release.
This issue affects on-premises Kibana installations on host Operating Systems where Chromium sandbox is disabled (only CentOS, Debian, RHEL).
This issue affects Kibana instances running using the Kibana Docker image when the Chromium sandbox is explicitly disabled as suggested by the documentation. Further exploitation such as container escape is prevented by seccomp-bpf.
This issue affects Kibana instances running on Elastic Cloud but the RCE is limited within the Kibana Docker container. Further exploitation such as container escape is prevented by seccomp-bpf and AppArmor profiles.
This issue affects Kibana instances running on Elastic Cloud Enterprise (ECE) but the RCE is limited within the Kibana Docker container. Further exploitation such as container escape is prevented by seccomp-bpf and AppArmor profiles.
This issue affects Kibana instances running on Elastic Cloud on Kubernetes (ECK) but the RCE is limited within the Kibana Docker container. Further exploitation such as container escape can be prevented by seccomp-bpf when configured and supported (Kubernetes v1.19 and later).
Affected Versions:
Kibana version 7.17.21 and Kibana 8.13.x versions prior to 8.14.0.
Solutions and Mitigations:
Users should upgrade to versions 7.17.22 and 8.14.0
For users that cannot upgrade, users can disable Kibana reporting functionality completely in the kibana.yml file with the following setting: xpack.reporting.enabled: false
If users rely on CSV reports may want an option to only disable the screenshot-based reports. The setting for that is:
xpack.reporting.pdf.enabled: false
xpack.reporting.png.enabled: false
Severity: CVSSv3: 9.9 (Critical) - AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/CR:M/IR:M/AR:M
CVE ID: CVE-2024-2887