
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN286

_____________________________________________________________________

DATE                : 07/05/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Kibana versions prior to 8.17.6,
                     8.18.1, 9.0.1.

=====================================================================
https://discuss.elastic.co/t/kibana-8-17-6-8-18-1-or-9-0-1-security-update-esa-2025-07/377868
_____________________________________________________________________


Kibana 8.17.6, 8.18.1, or 9.0.1 Security Update (ESA-2025-07)
Posted by ismisepaul (Paul), May 6, 2025, 4:29pm

Kibana arbitrary code execution via prototype pollution (ESA-2025-07)
A prototype pollution vulnerability in Kibana leads to arbitrary code
execution via crafted HTTP requests to machine learning and
reporting endpoints.
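As an added illustration of the vulnerability class named above (this is not Kibana's code and says nothing about the ESA-2025-07 code path, which the advisory does not describe), the snippet below shows the pattern behind most prototype pollution bugs in Node.js services: a recursive merge that copies request-controlled JSON into an object without filtering the reserved keys "__proto__", "constructor" and "prototype" ends up writing to Object.prototype, which every object in the process then inherits, and that inherited state is what later code paths can be talked into executing. The hardened variant rejects those keys and only descends into properties the target itself owns. The request body is constructed for the demonstration.

```javascript
// Added illustration of the prototype pollution class (not Kibana's code):
// an unfiltered recursive merge versus a hardened one.

// Constructed sample request body. JSON.parse creates an own property literally
// named "__proto__" instead of invoking the __proto__ setter, so Object.keys()
// returns it like any other key.
const CONSTRUCTED_BODY = '{"name":"job1","__proto__":{"polluted":"yes"}}';

// Vulnerable: no key filtering, and target[key] is read through the prototype
// chain, so target["__proto__"] resolves to Object.prototype and the recursion
// writes into it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: reserved keys are rejected outright, and the merge only descends
// into plain objects the target owns, never into an inherited one.
const RESERVED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (RESERVED_KEYS.has(key)) {
      throw new Error(`refusing to merge reserved key "${key}"`);
    }
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!hasOwn(target, key) || target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs the vulnerable merge, observes the leak on an unrelated freshly created
// object, then restores Object.prototype so the rest of the process is unaffected.
function demonstratePollution() {
  unsafeMerge({}, JSON.parse(CONSTRUCTED_BODY));
  const leaked = ({}).polluted;
  delete Object.prototype.polluted;
  return leaked; // "yes"
}

// Runs the hardened merge on the same body: the reserved key is rejected and no
// unrelated object gains a "polluted" property.
function demonstrateHardened() {
  let rejected = false;
  try {
    safeMerge({}, JSON.parse(CONSTRUCTED_BODY));
  } catch (err) {
    rejected = true;
  }
  return { rejected, leaked: ({}).polluted }; // { rejected: true, leaked: undefined }
}

console.log('vulnerable merge leaks:', demonstratePollution());
console.log('hardened merge:', demonstrateHardened());
```

Filtering the three reserved keys is the minimal fix; creating data holders with `Object.create(null)` and validating request bodies against a schema before any deep merge both close the same hole more robustly.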


Affected Versions:
8.3.0 through 8.17.5, 8.18.0, and 9.0.0


Affected Configurations:
Self-hosted and Elastic Cloud deployments with both Kibana’s Machine
Learning and Reporting features enabled.


Solutions and Mitigations:
Users should upgrade to version 8.17.6, 8.18.1, or 9.0.1.

For Users that Cannot Upgrade:
Users who cannot upgrade should disable either Machine Learning OR
Reporting.

    Disable Machine Learning:
    The Machine Learning feature can be disabled for both self-hosted and
    Elastic Cloud deployments by adding xpack.ml.enabled: false to the
    kibana.yml file.
    Alternatively, self-hosted users can disable just the anomaly detection
    feature by adding xpack.ml.ad.enabled: false to the kibana.yml file.

OR

    Disable Reporting:
    The Reporting feature can be disabled for both self-hosted and Elastic
    Cloud deployments by adding xpack.reporting.enabled: false to the
    kibana.yml file.
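The version ranges and the three kibana.yml settings above, turned into a small self-check an operator can run over an inventory (added here as an example; it is not Elastic's tooling). It assumes a flat "key: value" kibana.yml with no nesting, treats an absent setting as "enabled" (a deliberately conservative assumption), and the sample configurations are constructed.

```javascript
// Added helper (not Elastic's tooling): is this Kibana version in the affected
// set from ESA-2025-07, and does its kibana.yml already carry one of the
// advisory's interim mitigations? Version ranges and setting names are taken
// from the advisory; an absent setting is assumed to mean "enabled".

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version "${v}"`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison per component, so 8.10.x sorts after 8.3.x.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Affected per the advisory: 8.3.0 through 8.17.5, plus 8.18.0 and 9.0.0.
const AFFECTED_RANGES = [
  ['8.3.0', '8.17.5'],
  ['8.18.0', '8.18.0'],
  ['9.0.0', '9.0.0'],
];

function isAffectedVersion(version) {
  return AFFECTED_RANGES.some(
    ([lo, hi]) => compareVersions(version, lo) >= 0 && compareVersions(version, hi) <= 0,
  );
}

// Minimal reader for flat "key: value" lines (no nesting, anchors or quoting);
// use a real YAML parser for anything beyond these settings.
function readFlatSettings(text) {
  const settings = {};
  for (const raw of text.split('\n')) {
    const line = raw.replace(/#.*$/, '').trim();
    const colon = line.indexOf(':');
    if (!line || colon < 0) continue;
    settings[line.slice(0, colon).trim()] = line.slice(colon + 1).trim();
  }
  return settings;
}

// Interim mitigations from the advisory: Machine Learning off, or Reporting off,
// or (self-hosted only) anomaly detection off.
function hasInterimMitigation(settings, { selfHosted = true } = {}) {
  const off = (key) => settings[key] === 'false';
  return (
    off('xpack.ml.enabled') ||
    off('xpack.reporting.enabled') ||
    (selfHosted && off('xpack.ml.ad.enabled'))
  );
}

function assess(version, kibanaYml, opts) {
  if (!isAffectedVersion(version)) return 'not affected';
  return hasInterimMitigation(readFlatSettings(kibanaYml), opts)
    ? 'affected; interim mitigation in place, upgrade when possible'
    : 'affected; no mitigation, upgrade or disable Machine Learning or Reporting';
}

// Constructed sample configurations.
const SAMPLE_UNMITIGATED = 'server.port: 5601\nxpack.ml.enabled: true\n';
const SAMPLE_MITIGATED = 'server.port: 5601\nxpack.reporting.enabled: false # ESA-2025-07\n';

console.log('8.18.0, unmitigated :', assess('8.18.0', SAMPLE_UNMITIGATED));
console.log('8.18.0, mitigated   :', assess('8.18.0', SAMPLE_MITIGATED));
console.log('8.18.1              :', assess('8.18.1', SAMPLE_UNMITIGATED));
```

The `selfHosted` option matters because the advisory offers xpack.ml.ad.enabled: false only to self-hosted users; on Elastic Cloud that setting alone is not counted as a mitigation.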

Severity: CVSSv3.1: 9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE ID: CVE-2025-25014

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
