=====================================================================
CERT-Renater Note d'Information No. 2025/VULN221
_____________________________________________________________________
DATE                 : 09/04/2025
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Kibana versions prior to 8.17.2.
=====================================================================
https://discuss.elastic.co/t/kibana-8-16-4-and-8-17-2-security-update-esa-2025-02/376918
https://discuss.elastic.co/t/kibana-7-17-23-and-8-15-1-security-update-esa-2024-36/376923
_____________________________________________________________________

Kibana Prototype Pollution can lead to code injection (ESA-2025-02)

Prototype Pollution in Kibana can lead to code injection via unrestricted
file upload combined with path traversal.

Affected Versions:
Kibana versions 8.16.1 up to and including 8.17.1

Solutions and Mitigations:
Users should upgrade to version 8.16.4 or 8.17.2 or higher.

For users that cannot upgrade:
Customers who cannot upgrade to 8.16.4 or 8.17.2 and must stay on 8.16.1 can
disable the integration assistant by setting
xpack.integration_assistant.enabled: false in their kibana.yml configuration
file.

Severity: 8.7 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
CVE ID: CVE-2024-12556
_____________________________________________________________________

Kibana Uncontrolled Resource Consumption vulnerability (ESA-2024-36)

An issue has been identified where a specially crafted request sent to an
Observability API could cause the Kibana server to crash. A successful attack
requires a malicious user to have read permissions for Observability assigned
to them.

Affected Versions:
Kibana versions 7.17.0 to 7.17.22 and versions 8.0.0 to 8.15.0.

Solutions and Mitigations:
Users should upgrade to version 8.15.1 or higher.

Severity: CVSS v3.1: 6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2024-52974
=========================================================
+ CERT-RENATER      | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel  | fax : 01-53-94-20-41            +
+ 75013 Paris       | email : cert@support.renater.fr +
=========================================================
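To triage a fleet against the two advisories above, the following added script (not part of the CERT-Renater note or of Elastic's tooling) compares a Kibana version against the affected ranges stated in the note and checks whether the documented kibana.yml workaround for ESA-2025-02 is in place. Version strings and the kibana.yml text it is fed are constructed inputs.

```python
"""Check a Kibana version against the affected ranges in ESA-2025-02 / ESA-2024-36.
Added example, not part of the CERT-Renater note or of Elastic's own tooling;
ranges and fixed versions are those stated in the note, inputs are constructed."""

# (CVE, inclusive low, inclusive high) as stated in the note above
AFFECTED_RANGES = [
    ("CVE-2024-12556", (8, 16, 1), (8, 17, 1)),   # ESA-2025-02
    ("CVE-2024-52974", (7, 17, 0), (7, 17, 22)),  # ESA-2024-36, 7.17 line
    ("CVE-2024-52974", (8, 0, 0), (8, 15, 0)),    # ESA-2024-36, 8.x line
]
WORKAROUND_KEY = "xpack.integration_assistant.enabled"  # from the note


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; a trailing '-suffix' (e.g. '-SNAPSHOT') is ignored."""
    parts = text.strip().split("-", 1)[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def affected_cves(version: str) -> list[str]:
    """Return the CVE IDs whose affected range contains this version (tuple compare)."""
    v = parse_version(version)
    return sorted({cve for cve, low, high in AFFECTED_RANGES if low <= v <= high})


def workaround_in_kibana_yml(yml_text: str) -> bool:
    """True if kibana.yml sets the workaround key to false (simple line-based scan)."""
    for line in yml_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == WORKAROUND_KEY and value.split("#", 1)[0].strip().lower() == "false":
            return True
    return False


def check(version: str, kibana_yml: str = "") -> dict:
    """Summarise one host: CVEs that apply and the action the note prescribes."""
    cves = affected_cves(version)
    actions = []
    if "CVE-2024-12556" in cves:
        if workaround_in_kibana_yml(kibana_yml):
            actions.append("integration assistant disabled; still upgrade to 8.16.4 or 8.17.2")
        else:
            actions.append("upgrade to 8.16.4 or 8.17.2, or set " + WORKAROUND_KEY + ": false")
    if "CVE-2024-52974" in cves:
        actions.append("upgrade to 8.15.1 or higher")
    return {"version": version, "cves": cves, "actions": actions}
```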