Kibana heap buffer overflow vulnerability (ESA-2024-04)
This issue requires authenticated access to Kibana.
On Dec 21, 2023, Google Chrome announced CVE-2023-7024, described as “Heap buffer overflow in WebRTC in Google Chrome prior to 120.0.6099.129 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page”. Kibana includes a bundled version of headless Chromium that is only used for Kibana’s reporting capabilities and which is affected by this vulnerability.
This issue affects on-premises Kibana installations on host operating systems where the Chromium sandbox is disabled (only CentOS, Debian, RHEL).
This issue affects Kibana instances running using the Kibana Docker image when the Chromium sandbox is explicitly disabled as suggested by the documentation. Further exploitation such as container escape is prevented by seccomp-bpf.
This issue affects Kibana instances running on Elastic Cloud but the RCE is limited within the Kibana Docker container. Further exploitation such as container escape is prevented by seccomp-bpf and AppArmor profiles.
This issue affects Kibana instances running on Elastic Cloud Enterprise (ECE) but the RCE is limited within the Kibana Docker container. Further exploitation such as container escape is prevented by seccomp-bpf and AppArmor profiles.
This issue affects Kibana instances running on Elastic Cloud on Kubernetes (ECK) but the RCE is limited within the Kibana Docker container. Further exploitation such as container escape can be prevented by seccomp-bpf when configured and supported (Kubernetes v1.19 and later).
Affected Versions:
Kibana 7.x versions up to and including 7.17.17, and 8.x versions up to and including 8.12.0.
Solutions and Mitigations:
Users should upgrade to version 8.12.1 or 7.17.18.
If you are unable to upgrade, you can disable Kibana reporting functionality completely in the kibana.yml file with the following setting: xpack.reporting.enabled: false
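As an added example (not Elastic's own code), a small Python check that applies the affected-version ranges and the kibana.yml mitigation above to classify an on-premises install as fixed, mitigated, or exposed. It assumes a flat kibana.yml using dotted keys, and the sample config it ships with is constructed.

```python
# Constructed check for ESA-2024-04 / CVE-2023-7024; not Elastic's code.
# Assumes a flat kibana.yml with dotted keys (e.g. `xpack.reporting.enabled: false`).
import re

# Highest affected release on each line, per the advisory (fixes: 7.17.18, 8.12.1).
LAST_AFFECTED = {7: (7, 17, 17), 8: (8, 12, 0)}

def parse_version(version: str) -> tuple:
    # Accept "8.12.0" or "8.12.0-SNAPSHOT"; ignore any pre-release/build suffix.
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Kibana version: {version!r}")
    return tuple(int(x) for x in m.groups())

def is_affected_version(version: str) -> bool:
    v = parse_version(version)
    last = LAST_AFFECTED.get(v[0])
    return last is not None and v <= last

def reporting_enabled(kibana_yml: str) -> bool:
    # Reporting is on by default, so a missing or commented-out key counts as enabled.
    for line in kibana_yml.splitlines():
        line = line.split("#", 1)[0].strip()  # drop YAML comments
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        if key.strip() == "xpack.reporting.enabled":
            return value.strip().strip("\"'").lower() != "false"
    return True

def assess(version: str, kibana_yml: str) -> str:
    """Return 'fixed', 'mitigated' (reporting disabled) or 'exposed'."""
    if not is_affected_version(version):
        return "fixed"
    if not reporting_enabled(kibana_yml):
        return "mitigated"
    return "exposed"

# Constructed sample config: the mitigation is only present as a comment.
SAMPLE_YML = """\
server.port: 5601
# xpack.reporting.enabled: false
xpack.reporting.enabled: true
"""

if __name__ == "__main__":
    for ver in ("7.17.17", "7.17.18", "8.12.0", "8.12.1"):
        print(ver, assess(ver, SAMPLE_YML))
```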
Severity: CVSSv3: 9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE ID: CVE-2023-7024