Kibana Security CVE - Building 8.9.0 docker distributable

Hi there,
Due to a security fault, I need to patchback this Kibana 8.11.1 fix:

The product is already shipped and we can't upversion to 8.11.1 at this moment so we want to manage our own Kibana 8.9.0 build with this fix.
The issue is that when I try to run yarn kbn boostrap and then yarn build as per Building a Kibana distributable | Kibana Guide [master] | Elastic I'm getting this GPG-KEY mismatch error:

│ERROR failure 1 min 5 sec
    │ERROR Error: Failed to copy @kbn/fleet-plugin into the build: Error downloading Elastic GPG key from https://artifacts.elastic.co/GPG-KEY-elasticsearch to /home/breno-andrade/build/kibana/x-pack/plugins/fleet/target/keys/GPG-KEY-elasticsearch: Downloaded checksum 62a567354286deb02baf5fc6b82ddf6c7067898723463da9ae65b132b8c6d6f064b2874e390885682376228eed166c1c82fe7f11f6c9a69f0c157029c548fa3d does not match the expected sha512 checksum.
    │          at downloadElasticGpgKey (download_elastic_gpg_key.ts:36:11)
    │          at runMicrotasks (<anonymous>)
    │          at processTicksAndRejections (node:internal/process/task_queues:96:5)
    │          at async Promise.all (index 1)
    │          at fleetBuildTasks (index.ts:16:3)
    │          at build_packages_task.ts:303:13

Does anyone know how I could handle this approach to get my own Kibana 8.9.0 build?

I don't have the answer but why not upgrading the whole cluster to the most secured version 8.11?

It contains more security patches than this single one IIRC.

Because there are other dependencies from our product we can't upgrade right away.

Well, anyway... I figured it out by myself. The issue is under

src/dev/build/tasks/fleet/download_elastic_gpg_key.ts
and
src/dev/build/tasks/patch_native_modules_task.ts

I had to manage this property:

skipChecksumCheck: true

under the await downloadToDisk() for both files.

1 Like

I hit this same issue. I am building a 8.8.0 version of Kibana using Gitlab CICD and had the same

debg [3/3] Attempting download of https://artifacts.elastic.co/GPG-KEY-elasticsearch sha512
   │ debg Downloaded 1794 bytes to /builds/koat/KOAT-Kibana/build/kibana/x-pack/plugins/fleet/target/keys/GPG-KEY-elasticsearch
   │ debg Download failed: Downloaded checksum 62a567354286deb02baf5fc6b82ddf6c7067898723463da9ae65b132b8c6d6f064b2874e390885682376228eed166c1c82fe7f11f6c9a69f0c157029c548fa3d does not match the expected sha512 checksum.
   │ debg Deleting downloaded data at /builds/koat/KOAT-Kibana/build/kibana/x-pack/plugins/fleet/target/keys/GPG-KEY-elasticsearch
   │ERROR failure 1 min 42 sec
   │ERROR Error: Failed to copy @kbn/fleet-plugin into the build: Error downloading Elastic GPG key from https://artifacts.elastic.co/GPG-KEY-elasticsearch to /builds/koat/KOAT-Kibana/build/kibana/x-pack/plugins/fleet/target/keys/GPG-KEY-elasticsearch: Downloaded checksum 62a567354286deb02baf5fc6b82ddf6c7067898723463da9ae65b132b8c6d6f064b2874e390885682376228eed166c1c82fe7f11f6c9a69f0c157029c548fa3d does not match the expected sha512 checksum.
   │          at downloadElasticGpgKey (download_elastic_gpg_key.ts:36:11)
   │          at processTicksAndRejections (node:internal/process/task_queues:96:5)
   │          at async Promise.all (index 1)
   │          at fleetBuildTasks (index.ts:16:3)
   │          at build_packages_task.ts:303:13

So you may modify/fill in the property skipChecksumCheck: true in the downloadToDisk() method I mentioned for both:

src/dev/build/tasks/fleet/download_elastic_gpg_key.ts
src/dev/build/tasks/patch_native_modules_task.ts

It should work out for your build pipeline.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.