I would like to propose a workaround to mitigate CVE-2018-17245 which:
- Does not require a Kibana (and in turn also Elasticsearch) upgrade.
- Does not require disabling reporting altogether using xpack.reporting.enabled.
It works by blocking outgoing connections from the Kibana user to the Internet on the server where Kibana is running. Example iptables script:
```
# IPv4: remove all existing rules from the OUTPUT chain
iptables -F OUTPUT
# Allow packets that belong to already established connections
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Log (rate-limited), then reject, new connections from user kibana to anything outside 10.0.0.0/8
iptables -A OUTPUT ! -d 10.0.0.0/8 -m owner --uid-owner kibana -m limit --limit 5/min -j LOG --log-prefix "Kibana security workaround: " --log-level 7
iptables -A OUTPUT ! -d 10.0.0.0/8 -m owner --uid-owner kibana -j REJECT

# IPv6: same rules, with fd95:9d43:c67b:3d75::/64 as the allowed internal range
ip6tables -F OUTPUT
ip6tables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT ! -d fd95:9d43:c67b:3d75::/64 -m owner --uid-owner kibana -m limit --limit 5/min -j LOG --log-prefix "Kibana security workaround: " --log-level 7
ip6tables -A OUTPUT ! -d fd95:9d43:c67b:3d75::/64 -m owner --uid-owner kibana -j REJECT
```
Feel free to give feedback on this.
Ref: https://www.elastic.co/blog/elastic-support-alert-kibana-reporting-vulnerability
Ref: https://github.com/elastic/kibana/pull/24177
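
An added example, not part of the original post: a shell function that summarises what the LOG rule above recorded, keyed on the post's log prefix, so blocked destinations can be reviewed. The sample log lines, host name and addresses are constructed, and the field layout assumes the standard netfilter LOG format.

```shell
#!/bin/sh
# Added example: summarise connection attempts recorded by the LOG rule.
# Counts are a lower bound, since the LOG rule is rate-limited to 5/min.
PREFIX="Kibana security workaround: "   # log prefix from the post

# Reads kernel log lines on stdin, prints "count dst proto dport".
summarise_blocked() {
    awk -v prefix="$PREFIX" '
        index($0, prefix) {
            dst = proto = dpt = "-"
            # netfilter LOG writes space-separated KEY=VALUE fields
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^DST=/)   dst   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            count[dst " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample input (host name and addresses are made up).
sample_log() {
    cat <<'EOF'
Dec  1 10:00:01 kibana01 kernel: Kibana security workaround: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=443 SYN URGP=0
Dec  1 10:00:09 kibana01 kernel: Kibana security workaround: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=443 SYN URGP=0
Dec  1 10:00:12 kibana01 kernel: Kibana security workaround: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=71 TTL=64 ID=3 DF PROTO=UDP SPT=50000 DPT=53 LEN=51
Dec  1 10:00:15 kibana01 kernel: unrelated rule: IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.1 PROTO=TCP SPT=40100 DPT=22
Dec  1 10:00:20 kibana01 kernel: Kibana security workaround: IN= OUT=eth0 SRC=fd95:9d43:c67b:3d75:0000:0000:0000:0005 DST=2001:0db8:0000:0000:0000:0000:0000:0001 LEN=80 HOPLIMIT=64 PROTO=TCP SPT=40200 DPT=80 SYN URGP=0
EOF
}

# Demo run on the constructed sample; on a live host pipe the kernel log in.
sample_log | summarise_blocked
```

On a live host, replace `sample_log` with the kernel log source, for example `journalctl -k`.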