Kibana arbitrary code execution via YAML deserialization in Amazon Bedrock Connector (ESA-2024-27)
A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload.
This issue only affects users that use Elastic Security’s built-in AI tools and have configured an Amazon Bedrock connector.
Affected Versions:
Kibana version 8.15.0.
Solutions and Mitigations:
Users should upgrade to version 8.15.1.
For Users that Cannot Upgrade:
Customers who cannot upgrade to 8.15.1 and must stay on 8.15.0 can disable the integration assistant by setting xpack.integration_assistant.enabled: false in their kibana.yml configuration file.
Severity: CVSSv3.1: 9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE ID: CVE-2024-37288
Kibana arbitrary code execution via YAML deserialization (ESA-2024-28)
A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload.
A successful attack requires a malicious user to have a combination of both specific Elasticsearch indices privileges and Kibana privileges assigned to them.
The following Elasticsearch indices privileges are required:
- write privilege on the system indices .kibana_ingest*
- The allow_restricted_indices flag is set to true
Any of the following Kibana privileges are additionally required:
- Under Fleet the All privilege is granted
- Under Integration the Read or All privilege is granted
- Access to the fleet-setup privilege is gained through the Fleet Server's service account token
Affected Versions:
Kibana versions 8.10.0 to 8.15.0.
Solutions and Mitigations:
Users should upgrade to version 8.15.1.
Severity: CVSSv3.1: 9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE ID: CVE-2024-37285
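A practitioner reading both advisories wants one answer: is this deployment on an affected version, does it have an Amazon Bedrock connector (ESA-2024-27), and which roles hold the index-plus-Kibana privilege combination ESA-2024-28 requires? The script below is an added example written for this page, not Elastic's code. It takes the JSON bodies of Kibana's `GET /api/status` and `GET /api/actions/connectors` and Elasticsearch's `GET /_security/role`, and it assumes several identifiers the advisories do not spell out: that Bedrock connectors carry `connector_type_id` `.bedrock`, that the Fleet and Integrations features are stored on roles as `feature_fleetv2.*` and `feature_fleet.*` privilege strings (with base `all`/`read` covering them), and that `.kibana_ingest` is a representative name inside the `.kibana_ingest*` system index pattern. The sample inputs are constructed; the service-account-token path to `fleet-setup` is not a role and is not audited here.

```python
"""Exposure check for ESA-2024-27 / ESA-2024-28 (added example, not Elastic's code).
Works on the JSON bodies these calls return, so saved output can be fed in:
  curl -s -u elastic:PW https://kibana:5601/api/status
  curl -s -u elastic:PW https://kibana:5601/api/actions/connectors
  curl -s -u elastic:PW https://es:9200/_security/role
The SAMPLE_* values below are constructed for this example."""
from fnmatch import fnmatch

# Inclusive version ranges stated in the two advisories.
AFFECTED = {
    "ESA-2024-27 (CVE-2024-37288)": ((8, 15, 0), (8, 15, 0)),
    "ESA-2024-28 (CVE-2024-37285)": ((8, 10, 0), (8, 15, 0)),
}
# Identifiers assumed here (the advisories do not state them):
BEDROCK_TYPE = ".bedrock"        # connector_type_id Kibana uses for Amazon Bedrock
INGEST_INDEX = ".kibana_ingest"  # a name inside the .kibana_ingest* system index pattern
WRITE_PRIVS = {"write", "all"}   # index privileges that include write ('all' is a superset)
# Kibana privilege strings as stored in a role's applications[].privileges; feature ids
# assumed: 'fleetv2' = Fleet, 'fleet' = Integrations; base all/read cover every feature.
FLEET_PRIVS = {"all", "read", "space_all", "space_read",
               "feature_fleetv2.all", "feature_fleet.all", "feature_fleet.read"}

def parse_version(text):
    """'8.15.0-SNAPSHOT' -> (8, 15, 0); a pre-release suffix is dropped."""
    return tuple(int(p) for p in text.split("-")[0].split("."))

def affected_advisories(version):
    """Advisories whose affected range contains this Kibana version."""
    ver = parse_version(version)
    return [name for name, (lo, hi) in AFFECTED.items() if lo <= ver <= hi]

def bedrock_connectors(connectors):
    """Names of Amazon Bedrock connectors in a GET /api/actions/connectors body."""
    return [c["name"] for c in connectors if c.get("connector_type_id") == BEDROCK_TYPE]

def can_write_ingest_index(role):
    """ESA-2024-28 index precondition: write on .kibana_ingest* with allow_restricted_indices."""
    for entry in role.get("indices", []):
        if not entry.get("allow_restricted_indices", False):
            continue  # system indices stay out of reach without the flag, whatever the pattern
        if WRITE_PRIVS.isdisjoint(entry.get("privileges", [])):
            continue
        # Role index names are patterns ('*', '.kibana*', ...); '*'/'?' wildcards are
        # handled, '-' exclusions are not.
        if any(fnmatch(INGEST_INDEX, pattern) for pattern in entry.get("names", [])):
            return True
    return False

def has_fleet_kibana_privilege(role):
    """ESA-2024-28 Kibana precondition: Fleet All, or Integrations Read/All, in any space."""
    return any(app.get("application", "").startswith("kibana-")
               and not FLEET_PRIVS.isdisjoint(app.get("privileges", []))
               for app in role.get("applications", []))

def exposed_roles(roles):
    """Roles meeting both ESA-2024-28 preconditions (`roles`: GET /_security/role body).
    The Fleet Server service-account-token path is not a role and is not covered."""
    return sorted(name for name, role in roles.items()
                  if can_write_ingest_index(role) and has_fleet_kibana_privilege(role))

def report(status, connectors, roles):
    """One summary over the three API bodies."""
    hits = affected_advisories(status["version"]["number"])
    bedrock, exposed = bedrock_connectors(connectors), exposed_roles(roles)
    return {
        "version": status["version"]["number"],
        "esa_2024_27": "ESA-2024-27 (CVE-2024-37288)" in hits and bool(bedrock),
        "esa_2024_28": "ESA-2024-28 (CVE-2024-37285)" in hits and bool(exposed),
        "bedrock_connectors": bedrock,
        "exposed_roles": exposed,
    }

# Constructed sample data in the shape the APIs return.
SAMPLE_STATUS = {"version": {"number": "8.14.3"}}
SAMPLE_CONNECTORS = [
    {"id": "c1", "name": "bedrock-claude", "connector_type_id": ".bedrock"},
    {"id": "c2", "name": "slack-alerts", "connector_type_id": ".slack"},
]
SAMPLE_ROLES = {
    "ingest_writer_fleet": {  # both preconditions met
        "indices": [{"names": [".kibana_ingest*"], "privileges": ["write"],
                     "allow_restricted_indices": True}],
        "applications": [{"application": "kibana-.kibana", "resources": ["*"],
                          "privileges": ["feature_fleetv2.all"]}],
    },
    "broad_no_restricted": {  # 'all' on '*', but the restricted-indices flag is off
        "indices": [{"names": ["*"], "privileges": ["all"],
                     "allow_restricted_indices": False}],
        "applications": [{"application": "kibana-.kibana", "resources": ["*"],
                          "privileges": ["all"]}],
    },
    "logs_only": {  # Integrations read, but no write on the system index
        "indices": [{"names": ["logs-*"], "privileges": ["write"],
                     "allow_restricted_indices": True}],
        "applications": [{"application": "kibana-.kibana", "resources": ["*"],
                          "privileges": ["feature_fleet.read"]}],
    },
}

if __name__ == "__main__":
    for key, value in report(SAMPLE_STATUS, SAMPLE_CONNECTORS, SAMPLE_ROLES).items():
        print(f"{key}: {value}")
```

On the sample data the 8.14.3 instance is inside the ESA-2024-28 range but not the ESA-2024-27 one, so the Bedrock connector is reported but does not by itself mark the deployment exposed, while `ingest_writer_fleet` is flagged and `broad_no_restricted` is not: `all` on `*` does not reach system indices unless `allow_restricted_indices` is set, which is exactly the condition the advisory calls out. Treat the role check as a lower bound, since role mappings, API keys with restricted descriptors and the Fleet Server token are not inspected.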