I would like to propose a workaround to mitigate CVE-2018-17245 which:
- Does not require a Kibana (and in turn also Elasticsearch) upgrade.
- Does not require disabling reporting altogether using `xpack.reporting.enabled`.
It works by blocking outgoing connections from the Kibana user to the Internet on the server where Kibana is running. Example iptables script:
```
# IPv4: start from an empty OUTPUT chain
iptables -F OUTPUT
# Accept packets of already-established connections (e.g. replies to inbound clients)
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Log (rate-limited), then reject, new connections from the kibana user to anything outside 10.0.0.0/8
iptables -A OUTPUT ! -d 10.0.0.0/8 -m owner --uid-owner kibana -m limit --limit 5/min -j LOG --log-prefix "Kibana security workaround: " --log-level 7
iptables -A OUTPUT ! -d 10.0.0.0/8 -m owner --uid-owner kibana -j REJECT

# IPv6: same rules, with fd95:9d43:c67b:3d75::/64 as the allowed internal prefix
ip6tables -F OUTPUT
ip6tables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT ! -d fd95:9d43:c67b:3d75::/64 -m owner --uid-owner kibana -m limit --limit 5/min -j LOG --log-prefix "Kibana security workaround: " --log-level 7
ip6tables -A OUTPUT ! -d fd95:9d43:c67b:3d75::/64 -m owner --uid-owner kibana -j REJECT
```
Feel free to give feedback on this.
Ref: https://www.elastic.co/blog/elastic-support-alert-kibana-reporting-vulnerability
Ref: https://github.com/elastic/kibana/pull/24177
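
To review what the LOG rules in the script above record, this added example (not part of the original post) tallies rejected destinations from kernel log lines carrying the `Kibana security workaround: ` prefix. The sample log lines, the host name `kibana01` and all addresses in them are constructed.

```shell
#!/bin/sh
# Added example: summarise packets recorded by the LOG rules in the post.
PREFIX='Kibana security workaround: '   # must match --log-prefix exactly

# Constructed kernel log lines (documentation address ranges, made-up host).
sample_log() {
cat <<'EOF'
Nov  6 10:15:01 kibana01 kernel: Kibana security workaround: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Nov  6 10:15:02 kibana01 kernel: Kibana security workaround: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=51236 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Nov  6 10:15:09 kibana01 kernel: Kibana security workaround: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4720 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Nov  6 10:15:10 kibana01 kernel: Kibana security workaround: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.53 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=100 DF PROTO=UDP SPT=38211 DPT=53 LEN=52
Nov  6 10:15:11 kibana01 kernel: Kibana security workaround: IN= OUT=eth0 SRC=fd95:9d43:c67b:3d75:0000:0000:0000:0005 DST=2001:0db8:0000:0000:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=40112 DPT=443 WINDOW=28800 RES=0x00 SYN URGP=0
Nov  6 10:15:12 kibana01 kernel: Other rule: IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=50000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
EOF
}

# stdin: kernel log lines; stdout: "count destination protocol port",
# most frequent first. Lines from other LOG rules are ignored.
summarise_blocked() {
    grep -F "$PREFIX" | awk '
    {
        dst = "-"; proto = "-"; dpt = "-"     # "-" when a field is absent (e.g. ICMP has no DPT)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^DST=/)   dst   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        seen[dst " " proto " " dpt]++
    }
    END { for (k in seen) print seen[k], k }' | LC_ALL=C sort -k1,1nr -k2
}

sample_log | summarise_blocked
```

To run it on real data, pipe the kernel log in instead, for example `journalctl -k | summarise_blocked`. Because the LOG rules are limited to 5/min, the counts are a lower bound on the packets actually rejected.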