X-Pack alerting privileged user multiple issues
An error was found in the permission model used by X-Pack alerting whereby users mapped to certain built-in roles could create a watch that results in that user gaining elevated privileges.
Affected Versions: 5.0.0 to 5.6.0
Solutions and Mitigations:
Deployments of the Elastic Stack that utilize X-Pack alerting should be upgraded to version 5.6.1 to fix the privilege escalation issue.
Membership of the built-in “watcher_admin” and “machine_learning_admin” roles, and of any other role to which the “manage_ml” or “manage_watcher” cluster privilege has been assigned, should be reviewed; these roles should be granted only to personnel trusted to read and write all indices.
CVE ID: CVE-2017-8448
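The role review recommended above can be scripted. The following is an added example, not code from Elastic or from this advisory: it takes the JSON returned by the 5.x security endpoints GET _xpack/security/role and GET _xpack/security/user (here replaced by a constructed, inline sample so it runs offline), lists every role carrying the manage_ml or manage_watcher cluster privilege, and then lists the users assigned to those roles. Roles holding the "all" cluster privilege are reported too, since "all" is a superset of both. Native users only: users that get roles through realm role mappings are not returned by the user endpoint and must be reviewed separately.

```python
import json

# Cluster privileges named in the advisory, plus "all", which is a
# superset of every cluster privilege.
FLAGGED_PRIVILEGES = {"manage_ml", "manage_watcher", "all"}

# Constructed sample shaped like a 5.x GET _xpack/security/role response.
# Role names mirror the built-ins the advisory mentions; the rest is made up.
SAMPLE_ROLES = json.loads("""
{
  "watcher_admin": {"cluster": ["manage_watcher"], "indices": [],
                    "metadata": {"_reserved": true}},
  "machine_learning_admin": {"cluster": ["manage_ml"], "indices": [],
                             "metadata": {"_reserved": true}},
  "superuser": {"cluster": ["all"], "indices": [],
                "metadata": {"_reserved": true}},
  "ops_alerts": {"cluster": ["monitor", "manage_watcher"],
                 "indices": [{"names": ["alerts-*"], "privileges": ["read"]}]},
  "kibana_user": {"cluster": [],
                  "indices": [{"names": [".kibana*"], "privileges": ["read"]}]}
}
""")

# Constructed sample shaped like a 5.x GET _xpack/security/user response.
SAMPLE_USERS = json.loads("""
{
  "alice": {"roles": ["ops_alerts", "kibana_user"], "enabled": true},
  "bob":   {"roles": ["kibana_user"], "enabled": true},
  "carol": {"roles": ["machine_learning_admin"], "enabled": true},
  "elastic": {"roles": ["superuser"], "enabled": true}
}
""")


def flagged_roles(roles):
    """Map each role that carries a flagged cluster privilege to the
    sorted list of flagged privileges it holds."""
    result = {}
    for name, definition in roles.items():
        held = set(definition.get("cluster", [])) & FLAGGED_PRIVILEGES
        if held:
            result[name] = sorted(held)
    return result


def users_with_flagged_roles(roles, users):
    """Map each user to the sorted list of flagged roles assigned to them.
    Users with no flagged role are omitted."""
    risky = set(flagged_roles(roles))
    result = {}
    for username, definition in users.items():
        assigned = risky & set(definition.get("roles", []))
        if assigned:
            result[username] = sorted(assigned)
    return result


def report(roles, users):
    """Print a review list an administrator can work through."""
    print("Roles carrying manage_ml / manage_watcher (or all):")
    for role, privs in sorted(flagged_roles(roles).items()):
        print(f"  {role}: {', '.join(privs)}")
    print("Users holding those roles:")
    for user, assigned in sorted(users_with_flagged_roles(roles, users).items()):
        print(f"  {user}: {', '.join(assigned)}")


if __name__ == "__main__":
    report(SAMPLE_ROLES, SAMPLE_USERS)
```

To run it against a real 5.x cluster, replace the two samples with the parsed bodies of the two GET requests above (issued with credentials that hold the manage_security privilege), and treat every user in the second list as a candidate for removal from the role until the cluster is on 5.6.1 or later.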
Kibana Timelion Cross Site Scripting (XSS) error (ESA-2017-20)
Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
Affected Versions: 5.0.0 to 5.6.0
Solutions and Mitigations:
Users should upgrade to Kibana version 5.6.1. There are no known workarounds for this issue.
CVE ID: CVE-2017-11479