[ASA-201902-26] kibana: multiple issues

2019-02-25T00:00:00
ID ASA-201902-26
Type archlinux
Reporter ArchLinux
Modified 2019-02-25T00:00:00

Description

Arch Linux Security Advisory ASA-201902-26

Severity: High
Date: 2019-02-25
CVE-ID: CVE-2019-7608 CVE-2019-7609 CVE-2019-7610
Package: kibana
Type: multiple issues
Remote: Yes
Link: https://security.archlinux.org/AVG-911

Summary

The package kibana before version 6.6.1-1 is vulnerable to multiple issues including arbitrary code execution and information disclosure.

Resolution

Upgrade to 6.6.1-1.

pacman -Syu "kibana>=6.6.1-1"

The problems have been fixed upstream in version 6.6.1.

Workaround

None.

Description

  • CVE-2019-7608 (information disclosure)

Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS) vulnerability that could allow an attacker to obtain sensitive information from, or perform destructive actions on behalf of, other Kibana users.

  • CVE-2019-7609 (arbitrary code execution)

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that causes the Kibana server to execute attacker-supplied JavaScript. This could lead to the attacker executing arbitrary commands with the permissions of the Kibana process on the host system.

  • CVE-2019-7610 (arbitrary code execution)

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could send a request that causes the Kibana server to execute attacker-supplied JavaScript. This could lead to the attacker executing arbitrary commands with the permissions of the Kibana process on the host system. Instances that leave audit logging disabled are not exposed to this particular issue, but are still affected by CVE-2019-7608 and CVE-2019-7609.
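As an added triage example (not part of the Arch advisory, nor Kibana or Elastic code), the following Python applies the fixed versions named above branch by branch and checks the one configuration precondition the advisory states for CVE-2019-7610. A naive string or single-line comparison gets the branches wrong (5.6.15 is fixed even though it sorts below 6.6.0, which is not), so the fix version is looked up per major release. The kibana.yml reader is a simplified flat key/value parser written for this example, the treatment of versions below 5.x as unfixed is a conservative assumption, and the sample configurations are constructed here.

```python
"""Triage helper for ASA-201902-26 (CVE-2019-7608, -7609, -7610).

Added example, not part of the advisory or of Kibana. It encodes the fixed
versions the advisory names (5.6.15 and 6.6.1) per release branch and reads
the single setting the advisory names, xpack.security.audit.enabled, from a
kibana.yml-style text.
"""

import re
from typing import Dict, List, Tuple

# Fixed upstream version per major release branch, as stated in the advisory.
FIXED: Dict[int, Tuple[int, int, int]] = {5: (5, 6, 15), 6: (6, 6, 1)}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.6.0' or an Arch pkgver like '6.6.1-1' into a comparable tuple.

    The Arch pkgrel suffix ('-1') is dropped: the upstream version alone
    decides whether the fixes are present.
    """
    upstream = text.split("-", 1)[0]
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", upstream)
    if not m:
        raise ValueError(f"unrecognised Kibana version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_fixed(version: str) -> bool:
    """True if the upstream version carries the 5.6.15 / 6.6.1 fixes.

    Branches after 6.x (7.0.0 and later) post-date the fix and count as
    fixed. Branches before 5.x are outside what the advisory states, so
    they are reported as unfixed (conservative assumption of this example).
    """
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return v[0] > 6
    return v >= fixed


def audit_logging_enabled(kibana_yml: str) -> bool:
    """Minimal kibana.yml reader (assumption: flat 'key: value' lines, as in
    the stock file). Commented-out lines do not count; an absent setting is
    treated as off, which is how the example interprets the default."""
    for line in kibana_yml.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        if key.strip() == "xpack.security.audit.enabled":
            return value.strip().lower() == "true"
    return False


def applicable_cves(version: str, kibana_yml: str) -> List[str]:
    """CVEs from ASA-201902-26 that apply to this version and configuration."""
    if is_fixed(version):
        return []
    cves = ["CVE-2019-7608", "CVE-2019-7609"]  # no configuration precondition
    if audit_logging_enabled(kibana_yml):
        cves.append("CVE-2019-7610")  # only with the audit logger enabled
    return cves


# Constructed sample configurations (not taken from any real deployment).
SAMPLE_AUDIT_ON = """\
server.port: 5601
logging.dest: stdout
xpack.security.audit.enabled: true
"""

SAMPLE_AUDIT_OFF = """\
server.port: 5601
#xpack.security.audit.enabled: true   # commented out: setting stays off
"""

if __name__ == "__main__":
    for ver, cfg in [("6.6.0", SAMPLE_AUDIT_ON), ("6.6.0", SAMPLE_AUDIT_OFF),
                     ("5.6.14-1", SAMPLE_AUDIT_ON), ("6.6.1-1", SAMPLE_AUDIT_ON)]:
        cves = applicable_cves(ver, cfg)
        print(f"kibana {ver}: {', '.join(cves) if cves else 'not affected'}")
```

On an Arch host the version string would come from `pacman -Q kibana` and the configuration from /etc/kibana/kibana.yml; the functions above take both as plain strings so the check can also be run against copies collected from other machines.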

Impact

An authenticated malicious user can obtain sensitive information from, or act on behalf of, other Kibana users via the XSS flaw, or execute arbitrary code with the permissions of the Kibana process on the host system. For CVE-2019-7610 this requires xpack.security.audit.enabled to be set to true.

References

https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
https://security.archlinux.org/CVE-2019-7608
https://security.archlinux.org/CVE-2019-7609
https://security.archlinux.org/CVE-2019-7610