
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN248
_____________________________________________________________________

DATE                : 28/04/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Kibana versions prior to 7.12.1.

=====================================================================
https://discuss.elastic.co/t/7-12-1-security-update/271433
_____________________________________________________________________


7.12.1 Security Update
Category: Announcements / Security Announcements
douglasday (Douglas Day) April 27, 2021, 7:28pm #1


Kibana denial of service issue (ESA-2021-10)

A denial of service vulnerability was found in the Kibana webhook
actions due to a lack of timeout or a limit on the request size. An
attacker with permissions to create webhook actions could drain the
Kibana host connection pool, making Kibana unavailable for all other
users.


Thank you to Dominic Couture for this finding.


Affected Versions:

All versions of Kibana prior to 7.12.1


Solutions and Mitigations:

Customers should upgrade to version 7.12.1 or above.

CVSSv3: 4.9 - AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2021-22139



App Search XML External Entity Injection issue (ESA-2021-11)

An XML External Entity Injection issue (XXE) was found in the App Search
web crawler beta feature. Using this vector, an attacker whose website
is being crawled by App Search could craft a malicious sitemap.xml to
traverse the filesystem of the host running the instance and obtain
sensitive files.

Thank you to Dominic Couture for this finding.


Affected Versions:

Versions 7.11 to 7.12


Solutions and Mitigations:

Customers that are utilizing the App Search web crawler should upgrade
to 7.12.1 or above.


CVSSv3: 9.3 - AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
CVE ID: CVE-2021-22140
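The following block is an added example and is not code from this advisory, from Kibana or from App Search. It illustrates the two mitigation classes the post describes: a socket timeout plus a hard cap on how much of a response is buffered (the missing controls behind ESA-2021-10), and refusing any XML document that carries a DOCTYPE before a crawled sitemap is parsed (the entity-declaration vector behind ESA-2021-11). The limits, the function names and both sample sitemaps are constructed for illustration; `fetch_bounded` is the only function that needs network access and is not exercised by `demo()`.

```python
# Added example (not from the advisory or from Elastic's code): defensive
# patterns for the issue classes in ESA-2021-10 and ESA-2021-11. All names,
# limits and sample documents below are constructed for illustration.
import codecs
import io
import re
import urllib.request
import xml.etree.ElementTree as ET

# Hypothetical limits; a real service would make these configurable.
MAX_RESPONSE_BYTES = 1_000_000      # bytes buffered per outbound request
RESPONSE_TIMEOUT_SECONDS = 30.0     # socket timeout for connect and each read

SITEMAP_NS = "http://www.sitemaps.org/schemas/sitemap/0.9"
_DOCTYPE_RE = re.compile(r"<!\s*DOCTYPE", re.IGNORECASE)


class ResponseTooLarge(Exception):
    """The remote body exceeded MAX_RESPONSE_BYTES and was not fully buffered."""


class UnsafeXml(Exception):
    """The document carries a DTD, the only place XML entities can be declared."""


def read_bounded(stream, max_bytes=MAX_RESPONSE_BYTES, chunk_size=64 * 1024):
    """Read a file-like object without ever holding more than max_bytes.

    Without such a cap (the ESA-2021-10 defect) an oversized or slow response
    keeps a connection-pool slot and memory busy for as long as the peer likes.
    """
    buf = bytearray()
    while len(buf) <= max_bytes:
        # Never request more than one byte past the limit, so the cap is exact.
        chunk = stream.read(min(chunk_size, max_bytes + 1 - len(buf)))
        if not chunk:
            return bytes(buf)
        buf.extend(chunk)
    raise ResponseTooLarge(f"response exceeded {max_bytes} bytes")


def read_bounded_bytes(data: bytes, max_bytes=MAX_RESPONSE_BYTES) -> bytes:
    """Convenience wrapper for in-memory data (used by the self-test)."""
    return read_bounded(io.BytesIO(data), max_bytes)


def fetch_bounded(url, timeout=RESPONSE_TIMEOUT_SECONDS, max_bytes=MAX_RESPONSE_BYTES):
    """Fetch url with both a socket timeout and a size cap (needs network access)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return read_bounded(resp, max_bytes)


def _decode_xml(data: bytes) -> str:
    # Scan and parse the same decoded text, so a UTF-16 body cannot hide a DTD
    # from a byte search; BOM-less documents are assumed UTF-8 here.
    if data.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def parse_sitemap_locs(data: bytes) -> list:
    """Return the <loc> URLs of a sitemap, refusing any document with a DTD.

    Internal and external entities can only be declared inside a DOCTYPE, so
    rejecting the DOCTYPE outright closes the XXE class of ESA-2021-11 no matter
    which parser features happen to be enabled.
    """
    text = _decode_xml(data)
    if _DOCTYPE_RE.search(text):
        raise UnsafeXml("DOCTYPE declarations are not accepted in sitemaps")
    root = ET.fromstring(text)  # parses the scanned text, not the raw bytes
    return [loc.text.strip() for loc in root.iter(f"{{{SITEMAP_NS}}}loc") if loc.text]


# Constructed sample input: a well-formed sitemap.
SAMPLE_SITEMAP = b"""<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/</loc></url>
  <url><loc> https://example.com/about </loc></url>
</urlset>
"""

# Constructed sample input: the same sitemap carrying an external entity
# declaration, the shape of document the App Search issue concerns.
DTD_SITEMAP = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE urlset [ <!ENTITY ext SYSTEM "file:///example/secret.txt"> ]>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>&ext;</loc></url>
</urlset>
"""


def demo():
    """Exercise both guards on the constructed inputs; returns a summary dict."""
    results = {"locs": parse_sitemap_locs(SAMPLE_SITEMAP)}
    try:
        parse_sitemap_locs(DTD_SITEMAP)
        results["dtd_rejected"] = False
    except UnsafeXml:
        results["dtd_rejected"] = True
    try:
        # A 2 MB "response" served from memory stops at MAX_RESPONSE_BYTES + 1.
        read_bounded_bytes(b"A" * (2 * MAX_RESPONSE_BYTES))
        results["oversize_rejected"] = False
    except ResponseTooLarge:
        results["oversize_rejected"] = True
    results["small_ok"] = read_bounded_bytes(b"ok", max_bytes=2) == b"ok"
    return results


if __name__ == "__main__":
    print(demo())
```

The two guards are independent and should both be on any code path that fetches attacker-influenced content: the size cap is what frees the pool slot, the timeout is what frees it when the peer simply stalls, and the DOCTYPE check is cheaper and more robust than trusting every parser option to stay disabled. Kibana's own fix later surfaced the same two knobs as settings (`xpack.actions.responseTimeout` and `xpack.actions.maxResponseContentLength`; names quoted from memory, not from this advisory).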


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================
