
=====================================================================

                                CERT-Renater

                     Information Note No. 2022/VULN482

_____________________________________________________________________

DATE                : 22/12/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Kibana versions 7.0.0 through 7.17.7
                     or 8.0.0 through 8.4.3 (fixed in 7.17.8 and 8.5.0).

=====================================================================
https://discuss.elastic.co/t/7-17-8-8-5-0-security-update/320920
_____________________________________________________________________


Kibana reporting vulnerability (ESA-2022-12)

A type confusion vulnerability was discovered in the headless
Chromium browser that Kibana relies on for its reporting capabilities.

This issue affects only on-premises Kibana installations on host
operating systems where the Chromium sandbox is disabled (only CentOS
and Debian, where Kibana turns the sandbox off by default).

This issue does not affect Elastic Cloud, as the Chromium sandbox is
enabled by default and cannot be disabled.

This issue does not affect Elastic Cloud Enterprise.


Affected Versions:

Kibana versions 7.0.0 through 7.17.7 and 8.0.0 through 8.4.3


Solutions and Mitigations:

The issue is fixed in Kibana versions 8.5.0 and 7.17.8.

If you are unable to upgrade, you can:

Disable Kibana reporting functionality completely by setting
xpack.reporting.enabled: false in your kibana.yml file and restarting
Kibana.
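The following triage helper is an added example written for this note; it is not CERT-Renater's or Elastic's tooling. It checks a Kibana host against the affected ranges above and the mitigation just described: the version is read from the JSON body of Kibana's GET /api/status endpoint (field version.number), and kibana.yml is inspected for xpack.reporting.enabled and for the Chromium sandbox keys. The two sandbox key names (the 7.x xpack.reporting.capture.browser.chromium.disableSandbox and the newer xpack.screenshotting.browser.chromium.disableSandbox) are taken from Kibana's settings reference and should be verified for your release; the sample status body and kibana.yml are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added triage helper for ESA-2022-12 / CVE-2022-1364 (example code written
# for this note, not CERT-Renater's or Elastic's tooling).
# Affected ranges come from the advisory: 7.0.0-7.17.7 and 8.0.0-8.4.3.

# vercmp A B -> prints lt, eq or gt, comparing up to three dotted numeric
# fields. A trailing "-SNAPSHOT"-style suffix is ignored.
vercmp() {
  vc_a=${1%%-*}; vc_b=${2%%-*}; vc_i=0
  while [ "$vc_i" -lt 3 ]; do
    vc_x=${vc_a%%.*}; vc_y=${vc_b%%.*}
    if [ "${vc_x:-0}" -lt "${vc_y:-0}" ]; then echo lt; return 0; fi
    if [ "${vc_x:-0}" -gt "${vc_y:-0}" ]; then echo gt; return 0; fi
    # drop the field just compared; an exhausted version reads as 0
    case $vc_a in *.*) vc_a=${vc_a#*.} ;; *) vc_a= ;; esac
    case $vc_b in *.*) vc_b=${vc_b#*.} ;; *) vc_b= ;; esac
    vc_i=$((vc_i + 1))
  done
  echo eq
}

# in_range V LOW HIGH -> true when LOW <= V <= HIGH
in_range() {
  [ "$(vercmp "$1" "$2")" != lt ] && [ "$(vercmp "$1" "$3")" != gt ]
}

# kibana_affected V -> true when V falls in a range listed by the advisory
kibana_affected() {
  in_range "$1" 7.0.0 7.17.7 || in_range "$1" 8.0.0 8.4.3
}

# status_version: read a GET /api/status body on stdin and print the
# "number" value of its version object
status_version() {
  sed -n 's/.*"number"[[:space:]]*:[[:space:]]*"\([0-9][^"]*\)".*/\1/p'
}

# sandbox_disabled FILE -> true when kibana.yml explicitly turns the Chromium
# sandbox off. Key names are assumed from Kibana's settings reference (7.x
# reporting key and the newer screenshotting key). An absent key means the
# platform default applies, which is "off" on CentOS and Debian.
sandbox_disabled() {
  grep -Eq '^[[:space:]]*xpack\.(reporting\.capture|screenshotting)\.browser\.chromium\.disableSandbox:[[:space:]]*true' "$1"
}

# reporting_disabled FILE -> true when the advisory's mitigation is in place
reporting_disabled() {
  grep -Eq '^[[:space:]]*xpack\.reporting\.enabled:[[:space:]]*false' "$1"
}

# triage STATUS_JSON KIBANA_YML -> prints a verdict; returns 0 when the host
# still needs action, 1 when not affected or already mitigated, 2 on error
triage() {
  tr_ver=$(printf '%s' "$1" | status_version)
  if [ -z "$tr_ver" ]; then echo "could not read version from status body"; return 2; fi
  if ! kibana_affected "$tr_ver"; then
    echo "Kibana $tr_ver: not in an affected range"; return 1
  fi
  if reporting_disabled "$2"; then
    echo "Kibana $tr_ver: affected build, reporting disabled (mitigated)"; return 1
  fi
  if sandbox_disabled "$2"; then
    echo "Kibana $tr_ver: affected build, sandbox explicitly off: exposed, upgrade to 7.17.8/8.5.0"
  else
    echo "Kibana $tr_ver: affected build, sandbox not set in kibana.yml so the OS default applies: upgrade"
  fi
  return 0
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_STATUS='{"name":"kibana-01","version":{"number":"7.17.7","build_hash":"0000","build_snapshot":false}}'
SAMPLE_YML=$(mktemp)
printf 'server.port: 5601\nxpack.reporting.capture.browser.chromium.disableSandbox: true\n' > "$SAMPLE_YML"
triage "$SAMPLE_STATUS" "$SAMPLE_YML" || true
rm -f "$SAMPLE_YML"
```

On a real host, feed `curl -s http://localhost:5601/api/status` (with authentication as required) into triage together with the path of the running kibana.yml. The script deliberately treats a missing sandbox key on an affected build as "upgrade", because on CentOS and Debian the default is the exposed state.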

CVSSv3.1: 8.8 (High) AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE ID: CVE-2022-1364

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================


