[ASA-201902-26] kibana: multiple issues

2019-02-25
security.archlinux.org
CVSS3: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.969 High
Percentile: 99.7%

Arch Linux Security Advisory ASA-201902-26

Severity: High
Date : 2019-02-25
CVE-ID : CVE-2019-7608 CVE-2019-7609 CVE-2019-7610
Package : kibana
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-911

Summary

The package kibana before version 6.6.1-1 is vulnerable to multiple
issues including arbitrary code execution and information disclosure.

Resolution

Upgrade to 6.6.1-1.

pacman -Syu "kibana>=6.6.1-1"

The problems have been fixed upstream in version 6.6.1.

Workaround

None.

Description

  • CVE-2019-7608 (information disclosure)

Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting
(XSS) vulnerability that could allow an attacker to obtain sensitive
information from, or perform destructive actions on behalf of, other
Kibana users.

  • CVE-2019-7609 (arbitrary code execution)

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code
execution flaw in the Timelion visualizer. An attacker with access to
the Timelion application could send a request that will attempt to
execute javascript code. This could possibly lead to an attacker
executing arbitrary commands with permissions of the Kibana process on
the host system.

  • CVE-2019-7610 (arbitrary code execution)

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code
execution flaw in the security audit logger. If a Kibana instance has
the setting xpack.security.audit.enabled set to true, an attacker could
send a request that will attempt to execute javascript code. This could
possibly lead to an attacker executing arbitrary commands with
permissions of the Kibana process on the host system.
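To map a host against this advisory, an added Python example (not part of the advisory or of the kibana project) that compares the installed Arch package version with the fixed version 6.6.1-1 and checks whether kibana.yml sets the xpack.security.audit.enabled precondition named for CVE-2019-7610. The kibana.yml content and the installed version are constructed sample values, and the version parser assumes the numeric pkgver-pkgrel form used by the kibana package rather than implementing pacman's full vercmp.

```python
import re
from typing import Dict

# Fixed Arch package version given in ASA-201902-26.
FIXED_VERSION = "6.6.1-1"

# Constructed sample kibana.yml (not from the advisory) with the CVE-2019-7610 precondition set.
SAMPLE_KIBANA_YML = """\
server.port: 5601
# xpack.security.audit.enabled: false   (commented out, must be ignored)
xpack.security.audit.enabled: true
"""

_AUDIT_KEY = re.compile(r"^\s*xpack\.security\.audit\.enabled\s*:\s*([^\s#]+)")

def parse_arch_version(version: str) -> tuple:
    """Turn an Arch 'pkgver-pkgrel' string such as '6.6.1-1' into a comparable tuple.
    Assumption: numeric dot-separated pkgver and integer pkgrel, which holds for the
    kibana versions in this advisory (a full pacman vercmp is not needed here)."""
    pkgver, _, pkgrel = version.partition("-")
    return tuple(int(p) for p in pkgver.split(".")), int(pkgrel or 0)

def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed kibana package is older than the fixed version."""
    return parse_arch_version(installed) < parse_arch_version(fixed)

def audit_logging_enabled(kibana_yml: str) -> bool:
    """True when kibana.yml sets xpack.security.audit.enabled to true.
    Line-based scan: comment lines are skipped and the last assignment wins."""
    enabled = False
    for line in kibana_yml.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _AUDIT_KEY.match(line)
        if m:
            enabled = m.group(1).lower() == "true"
    return enabled

def assess(installed: str, kibana_yml: str) -> Dict[str, bool]:
    """Map a host's state onto the advisory: is the package version affected at all
    (all three CVEs), and is the CVE-2019-7610 precondition (audit logging on) also met."""
    vulnerable = is_affected(installed)
    return {
        "package_vulnerable": vulnerable,
        "cve_2019_7610_precondition": vulnerable and audit_logging_enabled(kibana_yml),
    }

if __name__ == "__main__":
    print(assess("6.6.0-1", SAMPLE_KIBANA_YML))  # constructed installed version
```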

Impact

An authenticated malicious user can disclose sensitive information or
execute arbitrary code.

References

https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
https://security.archlinux.org/CVE-2019-7608
https://security.archlinux.org/CVE-2019-7609
https://security.archlinux.org/CVE-2019-7610

OS         | Version | Architecture | Package | Version   | Filename
Arch Linux | any     | any          | kibana  | < 6.6.1-1 | UNKNOWN
