Kibana Node.js - JavaScript run-time environment is affected by multiple vulnerabilities

San9 · March 28, 2024, 9:56am

After scanning it was discovered that
Solution:
Upgrade to Node.js version 18.19.1 / 20.11.1 / 21.6.2 or later.

Path : /usr/share/kibana/node/bin/node
Installed version : 18.18.2
Fixed version : 18.19.1

The version of Node.js installed on the remote host is prior to 18.19.1, 20.11.1, 21.6.2. It is, therefore, affected by multiple vulnerabilities as referenced in the Wednesday February 14 2024 Security Releases advisory.

  - On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user     while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due     to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when     certain other capabilities have been set. This allows unprivileged users to inject code that inherits the     process's elevated privileges. Impacts: Thank you, to Tobias Nieen for reporting this vulnerability and     for fixing it. (CVE-2024-21892)
....

In which version of Kibana will the vulnerability be fixed and is it planned to do so? Thank you.

Marco_Liberati · March 28, 2024, 4:01pm

Hi @San9

I can see that latest Kibana 8.12.2 and 8,.13 are using safe versions f Node.js .
You can upgrade to those versions.

San9 · March 29, 2024, 10:34am

I’m currently using version 8.12.2, but the problem remains, I thought it would be fixed in 8.12.2.

Marco_Liberati · March 29, 2024, 11:10am

sorry, my mistake.
Kibana 8.12.2 is using a version who is still below Node.js 18.19.x .
Kibana 8.13 uses a safe version.

San9 · March 29, 2024, 4:05pm

Thank you. Then we will update the cluster to the latest version 8.13

system · April 26, 2024, 4:05pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.