Kibana 7.17.8 and 8.5.0 Security Update

Update Log

2022-12-23: Updated impact section with additional details.
2023-01-09: Updated impact section to include RHEL
2023-01-23: Updated impact section with additional details. Updated Solutions and Mitigations section with new mitigation option. Updated Affected Versions section.

Kibana reporting vulnerability (ESA-2022-12)

A type confusion vulnerability (CVE-2022-1364) was discovered in the headless Chromium browser that Kibana relies on for its reporting capabilities. The vulnerability in Chromium is not exploitable on its own but could be exploited via an additional cross-site scripting (XSS) vulnerability in some of affected versions of Kibana with the worst impact being remote code execution (RCE) with an attacker executing arbitrary commands with permissions of the Kibana process.

This issue affects on-premises Kibana installations on host Operating Systems where Chromium sandbox is disabled (only CentOS, Debian, RHEL).

This issue affects Kibana instances running using the Kibana Docker image when the Chromium sandbox is explicitly disabled as suggested by the documentation. Further exploitation such as container escape is prevented by seccomp-bpf.

This issue affects Kibana instances running on Elastic Cloud but the RCE is limited within the Kibana Docker container. Further exploitation such as container escape is prevented by seccomp-bpf and AppArmor profiles.

This issue affects Kibana instances running on Elastic Cloud Enterprise (ECE) but the RCE is limited within the Kibana Docker container. Further exploitation such as container escape is prevented by seccomp-bpf and AppArmor profiles.

This issue affects Kibana instances running on Elastic Cloud on Kubernetes (ECK) but the RCE is limited within the Kibana Docker container. Further exploitation such as container escape can be prevented by seccomp-bpf when configured and supported (Kubernetes v1.19 and later).

Affected Versions:

The Chromium vulnerability affects Kibana versions 7.0.0 through 7.17.7 and 8.0.0 through 8.4.3.
Kibana versions 7.0.0 through 7.17.4 and 8.0.0 through 8.2.3 are affected by a previously disclosed XSS vulnerability (ESA-2022-08) that could be used to exploit the Chromium vulnerability in order to achieve RCE. Additionally, we are aware of a 0-day XSS vulnerability in one of Kibana’s dependencies that is currently under embargo (i.e. the third-party has not publicly disclosed the issue and a fix is not available) that could also be used to exploit the Chromium vulnerability in order to achieve RCE.

Kibana Versions Chromium Vulnerability Kibana XSS Third-Party Vulnerability Combined exploitability
7.0.0 through 7.17.4 Exists and is publicly released (CVE-2022-1364) Exists and is publicly released (CVE-2022-23713) Exploitable
8.0.0 through 8.2.3 Exists and is publicly released (CVE-2022-1364) Exists and is publicly released (CVE-2022-23713) Exploitable
7.17.4 through 7.17.8 Exists and is publicly released (CVE-2022-1364) Exists but is currently under embargo and a fix has not been released. Exploitable
8.3.0 through 8.4.3 Exists and is publicly released (CVE-2022-1364) Exists but is currently under embargo and unfixable. Exploitable
7.17.8 and later No exploitable vulnerability Exists but is currently under embargo and a fix has not been released. NOT Exploitable
8.5.0 and later No exploitable vulnerability Exists but is currently under embargo and a fix has not been released. NOT Exploitable

Solutions and Mitigations:

The issue is fixed in Kibana versions 8.5.0 and 7.17.8.

If you are unable to upgrade, you can:

  • Disable Kibana reporting functionality completely with xpack.reporting.enabled: false in your kibana.yml file
  • Kibana versions >= 8.3.0 can mitigate the undisclosed XSS by setting csp.disableUnsafeEval: true in your kibana.yml file (this setting is still in technical preview)

CVSSv3.1: 8.5 (High) AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE ID: CVE-2022-1364

3 Likes