Kibana Security CVE - Building 8.9.0 docker distributable

breno.andrade · December 15, 2023, 3:41am

Hi there,
Due to a security fault, I need to patchback this Kibana 8.11.1 fix:

[Security Solution] Remove Logs (#171119)

committed 08:15PM - 13 Nov 23 UTC

## Summary Remove endpoint metadata task logs ### Checklist Delete any …items that are not applicable to this PR. - [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] Any UI touched in this PR is usable by keyboard only (learn more about [keyboard accessibility](https://webaim.org/techniques/keyboard/)) - [ ] Any UI touched in this PR does not create any new axe failures (run axe in browser: [FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/), [Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US)) - [ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker) - [ ] This renders correctly on smaller devices using a responsive layout. (You can test this [in your browser](https://www.browserstack.com/guide/responsive-testing-on-local-server)) - [ ] This was checked for [cross-browser compatibility](https://www.elastic.co/support/matrix#matrix_browsers) ### Risk Matrix Delete this section if it is not applicable to this PR. Before closing this PR, invite QA, stakeholders, and other developers to identify risks that should be tested prior to the change/feature release. When forming the risk matrix, consider some of the following examples and how they may potentially impact the change: | Risk | Probability | Severity | Mitigation/Notes | |---------------------------|-------------|----------|-------------------------| | Multiple Spaces—unexpected behavior in non-default Kibana Space. | Low | High | Integration tests will verify that all features are still supported in non-default Kibana Space and when user switches between spaces. | | Multiple nodes—Elasticsearch polling might have race conditions when multiple Kibana nodes are polling for the same tasks. | High | Low | Tasks are idempotent, so executing them multiple times will not result in logical error, but will degrade performance. To test for this case we add plenty of unit tests around this logic and document manual testing procedure. | | Code should gracefully handle cases when feature X or plugin Y are disabled. | Medium | High | Unit tests will verify that any feature flag or plugin combination still results in our service operational. | | [See more potential risk examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx) | ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>

The product is already shipped and we can't upversion to 8.11.1 at this moment so we want to manage our own Kibana 8.9.0 build with this fix.
The issue is that when I try to run yarn kbn boostrap and then yarn build as per Building a Kibana distributable | Kibana Guide [master] | Elastic I'm getting this GPG-KEY mismatch error:

│ERROR failure 1 min 5 sec
    │ERROR Error: Failed to copy @kbn/fleet-plugin into the build: Error downloading Elastic GPG key from https://artifacts.elastic.co/GPG-KEY-elasticsearch to /home/breno-andrade/build/kibana/x-pack/plugins/fleet/target/keys/GPG-KEY-elasticsearch: Downloaded checksum 62a567354286deb02baf5fc6b82ddf6c7067898723463da9ae65b132b8c6d6f064b2874e390885682376228eed166c1c82fe7f11f6c9a69f0c157029c548fa3d does not match the expected sha512 checksum.
    │          at downloadElasticGpgKey (download_elastic_gpg_key.ts:36:11)
    │          at runMicrotasks (<anonymous>)
    │          at processTicksAndRejections (node:internal/process/task_queues:96:5)
    │          at async Promise.all (index 1)
    │          at fleetBuildTasks (index.ts:16:3)
    │          at build_packages_task.ts:303:13

Does anyone know how I could handle this approach to get my own Kibana 8.9.0 build?

dadoonet · December 15, 2023, 8:30am

I don't have the answer but why not upgrading the whole cluster to the most secured version 8.11?

It contains more security patches than this single one IIRC.

breno.andrade · December 15, 2023, 10:57am

Because there are other dependencies from our product we can't upgrade right away.

breno.andrade · December 15, 2023, 6:17pm

Well, anyway... I figured it out by myself. The issue is under

src/dev/build/tasks/fleet/download_elastic_gpg_key.ts
and
src/dev/build/tasks/patch_native_modules_task.ts

I had to manage this property:

skipChecksumCheck: true

under the await downloadToDisk() for both files.

Dallas_Toth · December 21, 2023, 9:09pm

I hit this same issue. I am building a 8.8.0 version of Kibana using Gitlab CICD and had the same

debg [3/3] Attempting download of https://artifacts.elastic.co/GPG-KEY-elasticsearch sha512
   │ debg Downloaded 1794 bytes to /builds/koat/KOAT-Kibana/build/kibana/x-pack/plugins/fleet/target/keys/GPG-KEY-elasticsearch
   │ debg Download failed: Downloaded checksum 62a567354286deb02baf5fc6b82ddf6c7067898723463da9ae65b132b8c6d6f064b2874e390885682376228eed166c1c82fe7f11f6c9a69f0c157029c548fa3d does not match the expected sha512 checksum.
   │ debg Deleting downloaded data at /builds/koat/KOAT-Kibana/build/kibana/x-pack/plugins/fleet/target/keys/GPG-KEY-elasticsearch
   │ERROR failure 1 min 42 sec
   │ERROR Error: Failed to copy @kbn/fleet-plugin into the build: Error downloading Elastic GPG key from https://artifacts.elastic.co/GPG-KEY-elasticsearch to /builds/koat/KOAT-Kibana/build/kibana/x-pack/plugins/fleet/target/keys/GPG-KEY-elasticsearch: Downloaded checksum 62a567354286deb02baf5fc6b82ddf6c7067898723463da9ae65b132b8c6d6f064b2874e390885682376228eed166c1c82fe7f11f6c9a69f0c157029c548fa3d does not match the expected sha512 checksum.
   │          at downloadElasticGpgKey (download_elastic_gpg_key.ts:36:11)
   │          at processTicksAndRejections (node:internal/process/task_queues:96:5)
   │          at async Promise.all (index 1)
   │          at fleetBuildTasks (index.ts:16:3)
   │          at build_packages_task.ts:303:13

breno.andrade · December 21, 2023, 9:33pm

So you may modify/fill in the property skipChecksumCheck: true in the downloadToDisk() method I mentioned for both:

src/dev/build/tasks/fleet/download_elastic_gpg_key.ts
src/dev/build/tasks/patch_native_modules_task.ts

It should work out for your build pipeline.

system · January 18, 2024, 9:33pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.