Security Announcements, RSS, Versions

Exploring the Security Issues page and have some suggestions:

  1. Can you add columns for versions affected, instead of burying it in different ways in the text? The actual announcements cover this (mostly) but it's very hard to scan the main list to see if it applies to my systems. Best would be a set of ranges, like 6.0.0-6.5.2 & 7.1.1-7.3.4 (because it's easy to scan and later we can use programmatically).

  2. Can you add a Table of Contents at the top, so it's easy to jump to products I care about, as it's a very long and painful list today, in random order.

  3. Can you sort the Products in alpha order, as today it's LS, ES, Kibana, Beats, Cloud, APM - that’s kinda random and confusing.

  4. It'd be nice if one could filter the list. Even better to put in your version/product and get a list.

  5. In an awesome world there’d be a public API where we can report product & version and get a list of any existing ESAs/CVEs.

  6. The RSS is nice, but is that available in JSON anywhere? Once you add from-to version fields, that could be processed automatically, such as in DevOps at build/container time to check for vulnerabilities.

Thanks - Steve

Welcome @Steve_Mushero!

Thank you for your thoughts. I sent it internally to see if/what can be done.

Stay tuned.

Hi @Steve_Mushero,

I appreciate the feedback.

We are working on a project as we speak to tackle the challenges you lay out. It is going to take some time however. The plan is to publish all of our advisories in ECS format (this will also require some modifications to ECS), then allow the JSON to be downloaded as well as having a much nicer looking advisory page.

I will capture your feedback and add it to our requirements.

--
Josh Bressers
Elastic Product Security


Thanks - also please link your vulnerability list to your update list - very confusing right now and hard to link or find.

Also, the naming and ways to link manually are hard. For example, ESA-2019-13 covers both v6 and v7 but the update announcement (one of 10-20 in 2019) is named "Elastic Stack 6.8.4 security update" but actually also updates to V7.4 - would be quite confusing if I was on V7.x - the update also includes Logstash on a separate ESA, which is not in the title and not the same version as in the title, either.

Oh, there is another release announcement for the 7.4 release, but tied to a different ESA, though includes a secondary reference to the above one. I kinda get it, but confusing. Not sure how to improve other than clear separate updates per product and major version, which I suspect is how customers think about it. Your CVEs are good in this way; for this item (CVE-2019-7619), they link to both updates, which was the only way I could find them.

Overall, thanks - we are linking / bundling this info in our soon-to-be-released ELK Manager product, so trying to get it right and make it easy to update.

And related to this, the CVSS Scores on these don't agree for the same CVE - either a mistake or it was updated after creation, or another issue - a couple others I checked did match (though you don't list scores on most announcements):

CVE-2019-7619:

- 3.7 - Elastic Stack 6.8.4 security update
  CVSSv3: 3.7 - AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
- 5.3 - https://nvd.nist.gov/vuln/detail/CVE-2019-7619#vulnCurrentDescriptionTitle
  CVSS:3.1:/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
