=====================================================================
                            CERT-Renater

                 Note d'Information No. 2023/VULN190
_____________________________________________________________________

DATE                 : 05/05/2023

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Kibana version prior to 8.7.1,
                       Elastic Stack version prior to 8.7.0, 7.17.10.

=====================================================================
https://discuss.elastic.co/t/kibana-8-7-1-security-updates/332330
https://discuss.elastic.co/t/elastic-stack-8-7-0-7-17-10-security-updates/332327
_____________________________________________________________________

Kibana 8.7.1 Security Updates

Bryan_Garcia (Bryan Garcia), May 2, 2023, 4:08pm


Kibana arbitrary code execution (ESA-2023-07)

Kibana contains an arbitrary code execution flaw. An attacker with
write access to Kibana yaml or env configuration could add a specific
payload that will attempt to execute JavaScript code. This could lead
to the attacker executing arbitrary commands on the host system with
permissions of the Kibana process.

This issue does not affect Kibana instances running on Elastic Cloud
as the payload required to trigger this vulnerability cannot be set in
Kibana’s configuration.

This issue affects Kibana instances running on Elastic Cloud
Enterprise (ECE) but the code execution is limited within the Kibana
Docker container. Further exploitation such as container escape is
prevented by seccomp-bpf and AppArmor profiles.

This issue affects Kibana instances running on Elastic Cloud on
Kubernetes (ECK) but the code execution is limited within the Kibana
Docker container. Further exploitation such as container escape can be
prevented by seccomp-bpf when configured and supported (Kubernetes
v1.19 and later).

Affected Versions:
Kibana versions 8.0.0 to 8.7.0

Solutions and Mitigations:
Users are suggested to upgrade to 8.7.1

CVSSv3: 8.2 (High) - AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE ID: CVE-2023-31414


Kibana arbitrary code execution (ESA-2023-08)

Kibana version 8.7.0 contains an arbitrary code execution flaw. An
attacker with All privileges to the Uptime/Synthetics feature could
send a request that will attempt to execute JavaScript code. This
could lead to the attacker executing arbitrary commands on the host
system with permissions of the Kibana process.

This issue affects Kibana instances running on Elastic Cloud but the
code execution is limited within the Kibana Docker container. Further
exploitation such as container escape is prevented by seccomp-bpf and
AppArmor profiles.

This issue affects Kibana instances running on Elastic Cloud
Enterprise (ECE) but the code execution is limited within the Kibana
Docker container. Further exploitation such as container escape is
prevented by seccomp-bpf and AppArmor profiles.

This issue affects Kibana instances running on Elastic Cloud on
Kubernetes (ECK) but the code execution is limited within the Kibana
Docker container. Further exploitation such as container escape can be
prevented by seccomp-bpf when configured and supported (Kubernetes
v1.19 and later).

Affected Versions:
Kibana version 8.7.0. No other versions are affected.

Solutions and Mitigations:
Upgrade to Kibana version 8.7.1

CVSSv3: 9.9 (Critical) - AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE ID: CVE-2023-31415

_____________________________________________________________________

Elastic Stack 8.7.0, 7.17.10 Security Updates

Bryan_Garcia (Bryan Garcia)


Filebeat Information Exposure (ESA-2023-04)

A flaw was discovered in the Filebeat httpjson input that allows the
http request Authorization or Proxy-Authorization header contents to
be leaked in the logs when debug logging is enabled.

Affected Versions:
All filebeat versions through 7.17.9 and 8.6.2

Solutions and Mitigations:
The issue is resolved in versions 8.7.0, and 7.17.10

CVSSv3: 5.5 (Medium) - AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE ID: CVE-2023-31413


Kibana Cross-Site Scripting (ESA-2023-05)

A flaw (CVE-2023-26486) was discovered in one of Kibana’s
dependencies, which could allow arbitrary JavaScript to be executed in
a victim’s browser via a maliciously crafted custom visualization in
Kibana.

Affected Versions:
Kibana versions 7.9.0 to 7.17.9 and Kibana versions 8.0.0 to 8.6.2

Solutions and Mitigations:
The issue is resolved in versions 7.17.10 and 8.7.0

If you are unable to upgrade and are on Kibana versions >= 8.3.0, the
XSS can be mitigated by setting csp.disableUnsafeEval: true in your
kibana.yml file. Note that this setting is in technical preview until
Kibana 8.7.0, after which it is enabled by default.

CVSSv3: 6.1 (Medium) - AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE ID: CVE-2023-26486


Kibana Cross-Site Scripting (ESA-2023-06)

A flaw (CVE-2023-26487) was discovered in one of Kibana’s
dependencies, which could allow arbitrary JavaScript to be executed in
a victim’s browser via a maliciously crafted custom visualization in
Kibana.

Affected Versions:
Kibana versions 7.17.4 to 7.17.9 and Kibana versions 8.2.0 to 8.6.2

Solutions and Mitigations:
The issue is resolved in versions 7.17.10 and 8.7.0

If you are unable to upgrade and are on Kibana versions >= 8.3.0, the
XSS can be mitigated by setting csp.disableUnsafeEval: true in your
kibana.yml file. Note that this setting is in technical preview until
Kibana 8.7.0, after which it is enabled by default.

CVSSv3: 6.1 (Medium) - AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE ID: CVE-2023-26487

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |    email:cert@support.renater.fr +
=========================================================
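
The following triage script is an added example, not part of the CERT-Renater bulletin or of Elastic's announcements. It encodes the affected ranges listed above and reports, for a deployed Kibana or Filebeat version, which advisories apply and the lowest fixed release that is not itself affected by another advisory in this bulletin; the function and field names are assumptions of the example.

```python
import re

# Version ranges transcribed from the bulletin above; (low, high) bounds are inclusive.
# Assumption: Filebeat "through 7.17.9 and 8.6.2" is read as <= 7.17.9, plus 8.0.0-8.6.2.
ADVISORIES = [
    # (ESA id, CVE, product, affected ranges, fixed releases)
    ("ESA-2023-07", "CVE-2023-31414", "kibana", [("8.0.0", "8.7.0")], ["8.7.1"]),
    ("ESA-2023-08", "CVE-2023-31415", "kibana", [("8.7.0", "8.7.0")], ["8.7.1"]),
    ("ESA-2023-04", "CVE-2023-31413", "filebeat",
     [("0.0.0", "7.17.9"), ("8.0.0", "8.6.2")], ["7.17.10", "8.7.0"]),
    ("ESA-2023-05", "CVE-2023-26486", "kibana",
     [("7.9.0", "7.17.9"), ("8.0.0", "8.6.2")], ["7.17.10", "8.7.0"]),
    ("ESA-2023-06", "CVE-2023-26487", "kibana",
     [("7.17.4", "7.17.9"), ("8.2.0", "8.6.2")], ["7.17.10", "8.7.0"]),
]
# The bulletin gives csp.disableUnsafeEval: true as a mitigation for these two on Kibana >= 8.3.0.
CSP_MITIGATED = {"ESA-2023-05", "ESA-2023-06"}

def parse(version):
    """Parse a plain X.Y.Z release string into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(part) for part in m.groups())

def affected(product, v):
    """Return the advisories whose affected ranges contain version tuple v."""
    return [a for a in ADVISORIES if a[2] == product
            and any(parse(lo) <= v <= parse(hi) for lo, hi in a[3])]

def triage(product, version):
    """Report applicable advisories, a safe upgrade target and any config mitigation."""
    product, v = product.lower(), parse(version)
    hits = affected(product, v)
    # A fixed release only counts if no other advisory in this bulletin affects it:
    # Kibana 8.7.0 fixes the XSS issues but is itself affected by ESA-2023-07/08.
    fixed = {parse(f) for a in ADVISORIES if a[2] == product for f in a[4]}
    safe = [c for c in fixed if c > v and not affected(product, c)]
    same_line = [c for c in safe if c[0] == v[0]]
    target = min(same_line or safe, default=None)
    csp_ok = product == "kibana" and v >= (8, 3, 0)
    return {
        "advisories": [a[0] for a in hits],
        "upgrade_to": ".".join(map(str, target)) if hits and target else None,
        "csp_disableUnsafeEval_mitigates": [a[0] for a in hits if csp_ok and a[0] in CSP_MITIGATED],
    }
```

For Kibana 8.6.2 the result points at 8.7.1 rather than 8.7.0, because 8.7.0 resolves the two XSS advisories but falls inside the ranges for ESA-2023-07 and ESA-2023-08.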