X-Pack Alerting and Kibana 5.6.1 security update


(Josh Bressers) #1

X-Pack alerting privileged user multiple issues

An error was found in the permission model used by X-Pack alerting whereby users mapped to certain built-in roles could create a watch that results in that user gaining elevated privileges.

Affected Versions: 5.0.0 to 5.6.0

Solutions and Mitigations:
Deployments of the Elastic Stack that utilize X-Pack alerting should be upgraded to version 5.6.1 to fix the privilege escalation issue.

Users mapped to the built-in “watcher_admin” or “machine_learning_admin” roles, or any other role to which the “manage_ml” or “manage_watcher” cluster privilege has been assigned, should be reviewed and granted only to personnel with appropriate trust levels to read and write all indices.
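One way to carry out that review across a deployment, as an added example (not Elastic's own tooling): the script below walks role and user definitions and flags every role that grants the `manage_watcher` or `manage_ml` cluster privilege (or `all`, which subsumes both), then lists which users hold such a role. It assumes the JSON shapes returned by the X-Pack 5.x `GET _xpack/security/role` and `GET _xpack/security/user` APIs; the sample responses are constructed for illustration.

```python
"""Audit X-Pack 5.x roles/users for manage_watcher and manage_ml (ESA advisory review)."""
import json

# Cluster privileges named in the advisory; "all" grants every cluster privilege.
RISKY_CLUSTER_PRIVILEGES = {"manage_watcher", "manage_ml", "all"}
# Built-in roles the advisory names explicitly.
RISKY_BUILTIN_ROLES = {"watcher_admin", "machine_learning_admin"}

# Constructed sample in the (assumed) shape of GET _xpack/security/role.
SAMPLE_ROLES = {
    "watcher_admin": {"cluster": ["manage_watcher"], "indices": []},
    "alert_ops": {"cluster": ["monitor", "manage_watcher"], "indices": []},
    "reporting_only": {"cluster": ["monitor"], "indices": []},
    "superuser": {"cluster": ["all"], "indices": []},
}
# Constructed sample in the (assumed) shape of GET _xpack/security/user.
SAMPLE_USERS = {
    "alice": {"username": "alice", "roles": ["alert_ops"], "enabled": True},
    "bob": {"username": "bob", "roles": ["reporting_only"], "enabled": True},
    "carol": {"username": "carol", "roles": ["watcher_admin", "kibana_user"], "enabled": True},
    "dave": {"username": "dave", "roles": ["superuser"], "enabled": True},
}


def risky_roles(roles):
    """Return {role_name: [reasons]} for roles granting the advisory's privileges."""
    found = {}
    for name, definition in roles.items():
        hits = set(definition.get("cluster", [])) & RISKY_CLUSTER_PRIVILEGES
        if name in RISKY_BUILTIN_ROLES:
            hits.add("built-in")  # flagged by name even if the privilege list differs
        if hits:
            found[name] = sorted(hits)
    return found


def users_to_review(users, roles):
    """Return {username: [risky roles held]}; users holding none are omitted."""
    flagged = risky_roles(roles)
    out = {}
    for username, definition in users.items():
        held = sorted(r for r in definition.get("roles", []) if r in flagged)
        if held:
            out[username] = held
    return out


if __name__ == "__main__":
    print(json.dumps({"roles": risky_roles(SAMPLE_ROLES),
                      "users": users_to_review(SAMPLE_USERS, SAMPLE_ROLES)}, indent=2))
```

In a live deployment, replace the two samples with the parsed responses of the role and user APIs; every user listed should be confirmed as trusted to read and write all indices, or moved to a narrower role.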

CVE ID: CVE-2017-8448


Kibana Timelion Cross Site Scripting (XSS) error (ESA-2017-20)

Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

Affected Versions: 5.0.0 to 5.6.0

Solutions and Mitigations:
Users should upgrade to Kibana version 5.6.1. There are no known workarounds for this issue.

CVE ID: CVE-2017-11479