
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN400
_____________________________________________________________________

DATE                : 26/06/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Kibana versions prior to 7.17.29,
                              8.17.8, 8.18.3, 9.0.3.

=====================================================================
https://discuss.elastic.co/t/kibana-7-17-29-8-17-8-8-18-3-9-0-3-security-update-esa-2025-09/379443
https://discuss.elastic.co/t/kibana-7-17-29-8-17-8-8-18-3-9-0-3-security-update-esa-2025-10/379444
_____________________________________________________________________


Kibana Heap Corruption via Crafted HTML Page due to Chromium Type
Confusion (ESA-2025-09)

On March 10, 2025, Google announced CVE-2025-2135, a type confusion
vulnerability in Chromium that can lead to heap corruption via a
crafted HTML page. Kibana renders PDF and PNG reports with a bundled
headless Chromium, which is how the browser bug reaches Kibana.

Affected Versions:
Kibana versions up to and including 7.17.28, 8.0.0 up to and
including 8.17.7, 8.18.0 up to and including 8.18.2, and 9.0.0
up to and including 9.0.2


Affected Configurations:
Self-hosted and Elastic Cloud Kibana instances where PDF or PNG
reporting is used. CSV reporting is not impacted. Serverless
projects are not impacted.


Solutions and Mitigations:
Users should upgrade to version 7.17.29, 8.17.8, 8.18.3, or 9.0.3.

For Users that Cannot Upgrade:

Self-hosted

    Disable Reporting:
    The Reporting feature can be disabled by adding
xpack.reporting.enabled: false to the kibana.yml file.

OR

    Limit access to users who can generate PDF/PNG reports to
trusted accounts:
        8.x: https://www.elastic.co/guide/en/kibana/8.18/reporting-settings-kb.html#reporting-advanced-settings
        9.x: https://www.elastic.co/docs/deploy-manage/kibana-reporting-configuration#grant-user-access

OR

    Configure reporting with a restrictive network policy, so that
the headless Chromium used for PDF/PNG rendering cannot be redirected
to an attacker-controlled site:

    Note: if a network policy is configured, it must include a rule
that allows Chromium to connect to Kibana, or report generation will
fail. Typically Chromium connects to Kibana on a local interface, but
the host and port depend on your environment and your headless
browser connection settings.


# kibana.yml
xpack.screenshotting.networkPolicy:
  rules: [ { allow: true, host: "localhost:5601" } ]
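To see what the policy above actually permits, here is an added example (not Kibana's own implementation) that models the documented evaluation order in JavaScript: rules are checked in order, the first rule whose `host` and `protocol` both match decides, a rule with neither field matches everything, and a configured rule list with no matching rule denies the request. It runs the advisory's rule and a stricter variant (protocol pinned, explicit deny-all at the end; the host `kibana.internal.example:5601` is a placeholder) over a constructed list of URLs a report render might issue. The exact-string host comparison is a simplification of Kibana's matcher.

```javascript
// Added example: a simplified model of how Kibana's screenshotting network
// policy is evaluated. Not Kibana's own implementation. Assumptions: rules
// are checked in order, the first rule whose `host` and `protocol` both
// match decides, a rule with neither field matches everything, and a
// configured rule list with no matching rule denies the request.

// The rule from the advisory, as the YAML above would be parsed.
const ADVISORY_POLICY = {
  rules: [{ allow: true, host: 'localhost:5601' }],
};

// A tighter variant: pin the protocol and finish with an explicit deny-all.
// The host is a placeholder for your own Kibana address.
const STRICT_POLICY = {
  rules: [
    { allow: true, host: 'kibana.internal.example:5601', protocol: 'https:' },
    { allow: false },
  ],
};

// Decide whether the headless browser may fetch `url` under `policy`.
// URL.host includes the port when it is non-default, so 'localhost:5601'
// matches http://localhost:5601/... but not http://localhost:9200/...
function allowRequest(url, policy) {
  const parsed = new URL(url);
  for (const rule of policy.rules) {
    const hostMatch = rule.host === undefined || rule.host === parsed.host;
    const protocolMatch = rule.protocol === undefined || rule.protocol === parsed.protocol;
    if (hostMatch && protocolMatch) return rule.allow;
  }
  // No rule matched: deny. This is what stops a crafted report page from
  // sending Chromium to an attacker-controlled origin.
  return false;
}

// Evaluate a batch of URLs; unparsable URLs are denied rather than thrown.
function evaluate(urls, policy) {
  const decisions = {};
  for (const url of urls) {
    try {
      decisions[url] = allowRequest(url, policy);
    } catch (err) {
      decisions[url] = false;
    }
  }
  return decisions;
}

// Constructed sample of requests a report render could issue.
const SAMPLE_URLS = [
  'http://localhost:5601/app/dashboards',    // Kibana itself: needed for rendering
  'http://localhost:9200/_cluster/health',   // direct Elasticsearch access
  'https://attacker.example/exploit.html',   // redirect target of a crafted page
  'http://localhost:5602/',                  // right host, wrong port
  'not a url',                               // malformed
];

console.log('advisory policy:', evaluate(SAMPLE_URLS, ADVISORY_POLICY));
console.log('strict policy:  ', evaluate(SAMPLE_URLS, STRICT_POLICY));
```

With the advisory's single rule, only `http://localhost:5601/...` is allowed; Elasticsearch on 9200, a different Kibana port and any external origin are denied. The stricter policy additionally refuses plain HTTP to the Kibana host, which is the right choice when Kibana itself is served over TLS.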

Cloud
On Elastic Cloud the code execution is limited within the
Kibana Docker container. Further exploitation such as container
escape is prevented by seccomp-bpf and AppArmor profiles.
With these counter-measures the risk is reduced.

Users who cannot upgrade can choose to take a precautionary
measure by

    Disabling the Reporting feature for Elastic Cloud deployments.
This can be achieved by modifying the Kibana user settings to
include the following configuration:

    xpack.reporting.enabled: false

    Instructions for editing Kibana user settings on Elastic Cloud
are available at
https://www.elastic.co/docs/deploy-manage/deploy/elastic-cloud/edit-stack-settings#kibana-settings

OR

    Limit access to users who can generate PDF/PNG reports to
trusted accounts:
    a. 8.x: https://www.elastic.co/guide/en/kibana/8.18/reporting-settings-kb.html#reporting-advanced-settings
    b. 9.x: https://www.elastic.co/docs/deploy-manage/kibana-reporting-configuration#grant-user-access

Severity: CVSSv3.1: 9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE ID: CVE-2025-2135


_____________________________________________________________________


Kibana Open Redirect (ESA-2025-10)

URL redirection to an untrusted site ('Open Redirect') in Kibana can
send a user to an arbitrary site and enable server-side request
forgery via a specially crafted URL.

Affected Versions:
Kibana versions up to and including 7.17.28, 8.0.0 up to and including
8.17.7, 8.18.0 up to and including 8.18.2, and 9.0.0 up to and
including 9.0.2
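The affected ranges are the same for ESA-2025-09 and ESA-2025-10. As an added example (not Elastic's tooling), the JavaScript below encodes those ranges as inclusive bounds with the fix release on each branch and decides whether a given version string is affected and what to upgrade to; the branch structure matters, since a naive "at least 8.17.8" test would wrongly clear 8.18.2. The version strings checked are constructed for illustration. The optional live check assumes Kibana's `GET /api/status` response carries the running version under `version.number` and only runs when KIBANA_URL is set.

```javascript
// Added example, not Elastic's tooling: decide whether a Kibana version falls
// in the ranges ESA-2025-09 and ESA-2025-10 list as affected, and which
// release on the same branch fixes it.

// Inclusive ranges, copied from the advisory wording. "up to and including
// 7.17.28" has no lower bound, so every earlier release counts. Versions
// outside every range (e.g. branches released after the advisory) return
// "not affected"; check the advisory for those.
const AFFECTED_RANGES = [
  { from: '0.0.0',  to: '7.17.28', fixedIn: '7.17.29' },
  { from: '8.0.0',  to: '8.17.7',  fixedIn: '8.17.8' },
  { from: '8.18.0', to: '8.18.2',  fixedIn: '8.18.3' },
  { from: '9.0.0',  to: '9.0.2',   fixedIn: '9.0.3' },
];

function parseVersion(s) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(s).trim());
  if (!m) throw new Error(`unrecognised version string: ${s}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

function compare(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// The matching range, or null if the version is outside every range.
function affectedRange(version) {
  const v = parseVersion(version);
  return (
    AFFECTED_RANGES.find(
      (r) => compare(v, parseVersion(r.from)) >= 0 && compare(v, parseVersion(r.to)) <= 0,
    ) || null
  );
}

function isAffected(version) {
  return affectedRange(version) !== null;
}

// First release on the same branch that contains the fixes, or null.
function fixedVersionFor(version) {
  const r = affectedRange(version);
  return r ? r.fixedIn : null;
}

// Optional live check. Assumed endpoint shape: GET /api/status returns the
// running version under version.number. Runs only when KIBANA_URL is set;
// KIBANA_AUTH is "user:password" for basic auth.
async function checkLive(baseUrl, auth) {
  const headers = auth ? { Authorization: 'Basic ' + Buffer.from(auth).toString('base64') } : {};
  const res = await fetch(`${baseUrl.replace(/\/$/, '')}/api/status`, { headers });
  if (!res.ok) throw new Error(`GET /api/status returned ${res.status}`);
  const body = await res.json();
  const number = body.version.number;
  return { version: number, affected: isAffected(number), upgradeTo: fixedVersionFor(number) };
}

if (process.env.KIBANA_URL) {
  checkLive(process.env.KIBANA_URL, process.env.KIBANA_AUTH).then(console.log, console.error);
}
```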

Affected Configurations:
Kibana installations making use of Short URLs within the Discover,
Dashboard, and Visualization Library features.

Solutions and Mitigations:
The issue is resolved in versions 7.17.29, 8.17.8, 8.18.3, and 9.0.3.

For Users that Cannot Upgrade:

Self-hosted
Installations with a Basic license should have administrators restrict
access to Kibana features which grant the ability to generate Short
URLs:

    Dashboard => All
    Discover => All
    Visualize => All
    Saved Objects Management => All
    Top-level “All” privilege granted to one or more spaces

Installations with a Gold, Platinum, or Enterprise license can restrict
access to short-url creation via sub-feature privileges within the
Dashboard, Discover, and Visualize features above. This will allow
administrators to continue allowing read/write access to the
aforementioned features, but restrict the ability to generate Short
URLs.


Cloud
Administrators should restrict access to Kibana features which grant
the ability to generate Short URLs:

    Dashboard => All
    Discover => All
    Visualize => All
    Saved Objects Management => All
    Top-level “All” privilege granted to one or more spaces

Administrators can optionally restrict access to short-url creation
via sub-feature privileges within the Dashboard, Discover, and
Visualize features above. This will permit read/write access to
the aforementioned features, but restrict the ability to generate
Short URLs.
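The sub-feature approach above, and the "limit access to users who can generate PDF/PNG reports" mitigation for ESA-2025-09, come down to the same role design. As an added example (not Elastic's own code or documentation), the JavaScript below builds a role body for the Kibana roles API (PUT /api/security/role/<name>, which requires a kbn-xsrf header) that keeps read access to Discover, Dashboard and Visualize via `minimal_read` while granting none of their sub-feature privileges, checks the body for risky grants before applying it, and only sends the request when KIBANA_URL is set. The sub-feature ids `url_create` and `generate_report`, the role name `log_analyst_no_shorturl`, the index pattern `logs-*` and the space `default` are assumptions and placeholders; confirm the ids on your instance before relying on them.

```javascript
// Added example, not Elastic's own code or documentation. Builds a role body
// for the Kibana roles API that keeps read access to Discover, Dashboard and
// Visualize while granting none of their sub-feature privileges, so the
// holder can neither create Short URLs (ESA-2025-10) nor generate PDF/PNG
// reports (ESA-2025-09). Sub-feature privileges require a Gold or higher
// license. The sub-feature ids `url_create` and `generate_report` are
// assumed from Kibana's feature definitions; confirm them on your instance
// (e.g. GET /api/security/privileges) before relying on this.

const RISKY_SUB_FEATURES = new Set(['url_create', 'generate_report']);

// Placeholders: pick your own index patterns and spaces.
function buildAnalystRole({ indexPatterns, spaces, allowShortUrls = false, allowReports = false }) {
  // `minimal_read` is Read with no sub-feature privileges. The advisory lists
  // only the "All" privileges as granting Short URL creation, so `read` would
  // also be safe, but minimal_read makes the intent explicit.
  const featurePrivileges = ['minimal_read'];
  if (allowShortUrls) featurePrivileges.push('url_create');
  if (allowReports) featurePrivileges.push('generate_report');
  return {
    elasticsearch: {
      cluster: [],
      indices: [{ names: indexPatterns, privileges: ['read', 'view_index_metadata'] }],
    },
    kibana: [
      {
        base: [], // no top-level All/Read: grant per feature instead
        feature: {
          discover: [...featurePrivileges],
          dashboard: [...featurePrivileges],
          visualize: [...featurePrivileges],
        },
        spaces,
      },
    ],
  };
}

// Guard: true if a role body would grant a Short URL or report privilege,
// directly or through a top-level or feature-level "all" (this also catches
// Saved Objects Management => All, which the advisory lists).
function grantsRiskyPrivileges(role) {
  for (const entry of role.kibana) {
    if (entry.base.includes('all')) return true;
    for (const privileges of Object.values(entry.feature)) {
      if (privileges.some((p) => p === 'all' || RISKY_SUB_FEATURES.has(p))) return true;
    }
  }
  return false;
}

// Apply the role. PUT /api/security/role/<name> needs a kbn-xsrf header and
// answers 204 on success. Runs only when KIBANA_URL is set; KIBANA_AUTH is
// "user:password" for basic auth.
async function putRole(baseUrl, name, role, auth) {
  const url = `${baseUrl.replace(/\/$/, '')}/api/security/role/${encodeURIComponent(name)}`;
  const res = await fetch(url, {
    method: 'PUT',
    headers: {
      'Content-Type': 'application/json',
      'kbn-xsrf': 'true',
      Authorization: 'Basic ' + Buffer.from(auth).toString('base64'),
    },
    body: JSON.stringify(role),
  });
  if (!res.ok) throw new Error(`PUT role ${name} failed: ${res.status} ${await res.text()}`);
  return res.status;
}

const analystRole = buildAnalystRole({ indexPatterns: ['logs-*'], spaces: ['default'] });

if (process.env.KIBANA_URL) {
  if (grantsRiskyPrivileges(analystRole)) throw new Error('refusing to apply a role with risky grants');
  putRole(process.env.KIBANA_URL, 'log_analyst_no_shorturl', analystRole, process.env.KIBANA_AUTH)
    .then((status) => console.log('role applied, HTTP', status), console.error);
}
```

Run it with `KIBANA_URL=https://kibana.example:5601 KIBANA_AUTH=elastic:secret node role.js` to apply the role; without KIBANA_URL it only builds and checks the body. Users who legitimately need Short URLs or PDF/PNG reports get a separate role built with `allowShortUrls` or `allowReports` set, which keeps those grants confined to the trusted accounts the advisory calls for.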

Severity: CVSSv3.1: 4.3 (Medium) -
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVE ID: CVE-2025-25012


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
