Kibana 7.17.3 and 8.1.3 Security Update

Kibana Exposure of Sensitive Information (ESA-2022-05)

A vulnerability in Kibana could expose sensitive information related to Elastic Stack monitoring in the Kibana page source. Elastic Stack monitoring features provide a way to keep a pulse on the health and performance of your Elasticsearch cluster. Authentication with a vulnerable Kibana instance is not required to view the exposed information.

The Elastic Stack monitoring exposure only impacts users that have set any of the optional monitoring.ui.elasticsearch.* settings in order to configure Kibana as a remote UI for Elastic Stack Monitoring.

The same vulnerability in Kibana could expose other non-sensitive application-internal information in the page source.

Affected Versions:

The exposure of Elastic Stack monitoring information affects versions 7.8.0 through 7.17.2 and 8.0.0 through 8.1.2.

The exposure of other application-internal information affects versions 7.2.1 through 7.17.2 and 8.0.0 through 8.1.2.

This includes user-managed Elastic Cloud Enterprise (ECE) and Elastic Cloud on Kubernetes (ECK) deployments.

Not Affected:

  • Elastic Cloud services deployments are not affected.
  • Stack Monitoring users are not affected by the Stack Monitoring issue if they have not overridden the default Elasticsearch credentials in order to opt into a specialized remote Kibana configuration.

Solutions and Mitigations:

The issue is resolved in versions 7.17.3 and 8.1.3.

For Stack Monitoring users that cannot upgrade to the fixed versions, we recommend removing the monitoring settings, monitoring.ui.elasticsearch.*, from the configuration of the remote Kibana instance until the remote Kibana instance is upgraded. These users can still safely access the Stack Monitoring UI through the Kibana instance that is directly attached to the monitoring Elasticsearch cluster.
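As an added example (not Elastic's code), the following check applies the advisory's two affected-version ranges and the monitoring.ui.elasticsearch.* condition to a Kibana version string and a kibana.yml, so an operator can tell which finding applies before deciding between the upgrade and the workaround above. The sample kibana.yml is constructed, and the parser assumes the flat dotted-key form of kibana.yml rather than nested YAML.

```python
"""Added check, not Elastic's code: flags a Kibana instance whose version falls in the
ESA-2022-05 ranges and whose kibana.yml sets any monitoring.ui.elasticsearch.* key."""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the advisory, inclusive on both ends.
MONITORING_EXPOSURE_RANGES = [((7, 8, 0), (7, 17, 2)), ((8, 0, 0), (8, 1, 2))]
INTERNAL_INFO_RANGES = [((7, 2, 1), (7, 17, 2)), ((8, 0, 0), (8, 1, 2))]
MONITORING_PREFIX = "monitoring.ui.elasticsearch."


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' (e.g. '7.17.2') into a comparable tuple."""
    major, minor, patch = (int(p) for p in text.strip().split("."))
    return (major, minor, patch)


def in_ranges(version: Version, ranges) -> bool:
    return any(lo <= version <= hi for lo, hi in ranges)


def parse_flat_kibana_yml(text: str) -> Dict[str, str]:
    """Minimal parser for kibana.yml written with flat dotted keys ('a.b.c: value').
    Nested YAML maps are deliberately not handled (assumption made for this example)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip()
    return settings


def assess(version_text: str, kibana_yml: str) -> List[str]:
    """Return the ESA-2022-05 findings that apply to this instance."""
    version = parse_version(version_text)
    remote_keys = sorted(k for k in parse_flat_kibana_yml(kibana_yml) if k.startswith(MONITORING_PREFIX))
    findings: List[str] = []
    if in_ranges(version, MONITORING_EXPOSURE_RANGES) and remote_keys:
        findings.append("stack-monitoring-exposure: remove " + ", ".join(remote_keys) + " or upgrade")
    if in_ranges(version, INTERNAL_INFO_RANGES):
        findings.append("internal-info-exposure: upgrade to 7.17.3 / 8.1.3")
    return findings


# Constructed sample kibana.yml for a remote monitoring UI; not from a real deployment.
SAMPLE_YML = """server.port: 5601
monitoring.ui.elasticsearch.hosts: ["https://monitoring-es.example:9200"]  # remote cluster
monitoring.ui.elasticsearch.username: "remote_monitoring_user"
monitoring.ui.elasticsearch.password: "PLACEHOLDER-NOT-A-REAL-SECRET"
"""
```

Running `assess("7.17.2", SAMPLE_YML)` reports both findings; the same config on 7.17.3 reports none, and an instance without the remote settings gets only the application-internal finding.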

Severity Rating:

Stack Monitoring data exposure: High (8.2) CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

Other application-internal information: Low (0.0) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N

CVE ID:

CVE-2022-23711