X-Pack Security 5.6.0 and 5.5.3 security update
X-Pack Security permission issue ESA-2017-18 An error was found in the X-Pack Security privilege enforcement. If a user has either ‘delete’ or ‘index’ permissions on an index in a cluster, they may be able to issue both delete and index requests against that index. Previously if a user had bulk...
Kibana 5.5.2 and 4.6.5 security update
Kibana markdown parser Cross Site Scripting XSS error ESA-2017-16 Kibana versions prior to 5.5.2 had a cross-site scripting XSS vulnerability in the markdown parser that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users...
Protect your data from ransom attacks
I wanted to bring attention to two blog posts we have done recently in response to the recent set of data ransom attacks affecting Elasticsearch and other systems. The two are: For Elasticsearch: Protecting Against Attacks that Hold Your Data for Ransom For Kibana: Guarding Kibana from Data...
Kibana 4.4.2, 4.3.3, 4.1.6 - Updated node.js versions due to upstream vulnerabilities
Same deal as last month, but we've bumped all 3 versions to node v4.3.2 to cover security issues in node.js. You can read their maintenance announcement here: https://nodejs.org/en/blog/release/v4.3.2/ Check out the blog post with release notes or grab the latest version...
Kibana Cross-site Request Forgery CVE-2015-8131
CVE: CVE-2015-8131 Affected versions: All versions up to and including 4.1.2 and 4.2.0. The vulnerability is a cross-site request forgery CSRF or XSRF that could allow an attacker to read and write changes to the .kibana index or gain read and write access to Kibana plugin actions. Remediation: A...
Elasticsearch remote code execution CVE-2015-5377
Summary Elasticsearch versions prior to 1.6.1 are vulnerable to an engineered attack on its transport protocol that enables remote code execution. This issue is related to the Groovy announcement in CVE-2015-3253. Deployments are vulnerable even when Groovy dynamic scripting is disabled. We have...
Kibana Cross-Site Scripting Vulnerability CVE-2015-4093
Summary: Kibana versions 4.0.0, 4.0.1 and 4.0.2 are vulnerable to a cross-site scripting XSS attack. The attack allows execution of arbitrary JavaScript in the context of the user’s browser. We have been assigned CVE-2015-4093 for this issue. Fixed versions: Version 4.0.3 has addressed the...
Elasticsearch Engineered Attack Vulnerability CVE-2015-4165
Summary: Elasticsearch versions 1.0.0 - 1.5.2 are vulnerable to an engineered attack on other applications on the system. The snapshot API may be used indirectly to place snapshot metadata files into locations that are writeable by the user running the Elasticsearch process. It is possible to...
Elasticsearch 8.13.0 / 7.17.19 Security Update (ESA-2024-06)
Elasticsearch Uncontrolled Resource Consumption vulnerability ESA-2024-06 A flaw was discovered in Elasticsearch, where processing a document in a deeply nested pipeline on an ingest node could cause the Elasticsearch node to crash. Affected Versions: Elasticsearch versions on or after 7.0.0 and...
Kibana 8.11.2, 7.17.16 Security Update (ESA-2023-27)
Kibana Insertion of Sensitive Information into Log File ESA-2023-27 An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error or in the event where debug level logging is enabled in Kibana. Elastic has released Kibana 8.11.2 which...
Fleet Server v8.10.3 Security Update
Fleet Server Insertion of Sensitive Information into Log File ESA-2023-20 An issue was discovered in Fleet Server >= v8.10.0 and < v8.10.3 Affected Versions: Fleet Server >= v8.10.0 and < v8.10.3 Solutions and Mitigations: If an affected version is being utilized then upgrade to Fleet Server v8.10.3 or above. If there are ephemeral container...
Elastic Cloud on Kubernetes (ECK) 2.8 Security Update
Elastic Cloud on Kubernetes ECK secret token configuration issue ESA-2023-11 Secret token configuration is never applied when using ECK <2.8 with APM Server >=8.0. This could lead to anonymous requests to an APM Server being accepted and the data ingested into this APM deployment. Affected Versions: Elastic Cloud on...
Elasticsearch 8.9.1 / 7.17.13 Security Update
Elasticsearch StackOverflow vulnerability ESA-2023-14 A flaw was discovered in Elasticsearch, affecting the search API that allowed a specially crafted query string to cause a Stack Overflow and ultimately a Denial of Service. Affected Versions: Elasticsearch versions from 7.0.0 to 7.17.12 and fr...
Elastic Cloud Enterprise (ECE) 2.13.3, 3.3.0 Security Update
ECE Denial of Service DoS issue ESA-2023-09 A denial of service vulnerability was discovered in ECE that could lead to the ECE Admin API server becoming unavailable if a maliciously crafted JWT is supplied. This is due to the use of a transitive dependency json-smart which parses nested arrays in...
Endpoint Security 8.4.0/7.17.7 and Endgame 3.62.3 Security Update
Elastic Endpoint Security Local Privilege Escalation issue ESA-2022-13 An issue was discovered in the quarantine feature of Elastic Endpoint Security and Elastic Endgame for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account. Affected...
Elastic Stack 7.14.1 Security Update
Kibana code execution issue ESA-2021-21 It was discovered that a user with fleet admin permissions could upload a malicious package. Due to using an older version of the js-yaml library, this package would be loaded in an insecure manner, allowing an attacker to execute commands on the kibana...
Enterprise Search 7.9.0 security update
Enterprise Search credential exposure flaw ESA-2020-11 Elastic Enterprise Search versions before 7.9.0 contain a credential exposure flaw in the App Search interface. If a user is given the ‘developer’ role, they will be able to view the administrator API credentials. These credentials could allo...
Elastic Stack 7.5.0 security update
Metricbeat and Filebeat DSA public key panic ESA-2019-15 A denial of service flaw when parsing malformed DSA public keys was discovered in Go, the language used to implement Beats. If Metricbeat or Filebeat are configured to accept incoming TLS connections with client authentication enabled, a...
Elastic Stack 6.1.2 and 5.6.6 security update
Logstash sensitive information disclosure issue ESA-2018-01 When logging warnings regarding deprecated settings, Logstash could inadvertently log sensitive information. Affected Versions All versions before 6.1.2 and 5.6.6 Solutions and Mitigations: Users should upgrade to Logstash version 6.1.2 ...
X-Pack Alerting and Kibana 5.6.1 security update
X-Pack alerting privileged user multiple issues An error was found in the permission model used by X-Pack alerting whereby users mapped to certain built-in roles could create a watch that results in that user gaining elevated privileges. Affected Versions: 5.0.0 to 5.6.0 Solutions and Mitigations...
X-Pack Security 5.5.2 security update
X-Pack Security TLS certificate verification error ESA-2017-15 An error was found in the X-Pack Security TLS trust manager for versions 5.0.0 to 5.5.1. If reloading the trust material fails the trust manager will be replaced with an instance that trusts all certificates. This could allow any node...
Elastic Stack 5.5 Security update
Elasticsearch X-Pack Security user credentials disclosure ESA-2017-10 Elasticsearch X-Pack Security versions 5.0.0 to 5.4.3, when enabled, can result in the Elasticsearch nodes API leaking sensitive configuration information, such as the paths and passphrases of SSL keys that were configured as...
Elastic Stack 5.4.1 and 5.3.3 Security updates
X-Pack 5.4.1 privilege escalation ESA-2017-06 X-Pack 5.4.1 has been released which fixes a privilege escalation bug in the runas functionality. This bug prevents transitioning into the user specified in a runas request. If a role has been created using a template that contains the user...
Kibana 5.0.2 released with a fix for improper authentication
With X-Pack installed, operations in the Advanced Settings panel of the Management tab and operations from the short URL service were performed as the "Kibana Server" user regardless of the user that is currently authenticated. As a result, a user that was defined as read-only could make changes ...
Logstash 5.0.1 released with a security patch
Hi all, we would like to announce that Logstash 5.0.1 has been released with an important security patch. Prior to Logstash version 5.0.1, Elasticsearch Output plugin when updating connections after sniffing, would log to file HTTP basic auth credentials. We advise our users using Logstash and...
Kibana 4.6.2 released with a security fix for an XSS vulnerability
Today, we've published Kibana 4.6.2 as a security release with a fix for an XSS vulnerability with field formatters. Any users of Kibana versions 4.3 to 4.6 are encouraged to update to 4.6.2 immediately. Kibana version 4.1.11 is not affected. Kibana installs on Elastic Cloud have been updated...
Logstash 2.3.2 Vulnerability with Netflow codec plugin
Hi all, we've published ESA-2016-06 for a vulnerability in the netflow codec plugin for Logstash 2.3.2. Thanks to Jorrit Folmer, maintainer of the netflow codec, for reporting and fixing this issue. Details below: Vulnerability Summary: In Logstash versions prior to 2.3.3, when using the Netflow Codec...
Logstash 2.3.3 Elasticsearch Output Vulnerability
Hi all, we would like to announce a security vulnerability we discovered in our testing. Logstash 2.3.4 has been released with a patch to fix this. Issue Prior to version 2.3.4, Elasticsearch Output plugin would log to file HTTP authorization headers which could contain sensitive information...
Logstash 2.2.1 Elasticsearch Output Vulnerability
Logstash version 2.2.1 is vulnerable to a man in the middle attack when used with the Elasticsearch output. In version 2.2.1, the config that enables SSL/TLS by default was inadvertently disabled, so a malicious user could access payload data sent via HTTP during the initial handshake. This has be...
Kibana 4.4.1, 4.3.2, 4.1.5 - Updated node.js versions due to upstream vulnerabilities
Summary: The bundled versions of node.js in Kibana contain HTTP-related security vulnerabilities. Fixed versions of node.js were recently released. For the original node.js security announcement, see https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/ Fixed versions: Kibana...
Logstash CSV Output Vulnerability - CVE pending
Summary: Logstash 2.2 and prior versions are vulnerable to a formula based injection, when using the CSV output plugin. This plugin allows users to export data in comma separated values and is susceptible to an attack if the values contained a spreadsheet formula. This vulnerability is not presen...
Elasticsearch Security Statement regarding CVE-2022-1471
Elasticsearch is not affected by this issue. Elasticsearch is not affected by the issue described in CVE-2022-1471 as, in general, it does not use Snakeyaml to parse YAML. Summary Elasticsearch supports YAML as a format for search queries, and it also uses YAML for its configuration files i.e...
Beats 7.10.1 Security Update
Beats Denial of Service issue ESA-2020-16 A denial of service flaw when parsing malformed TLS public keys was discovered in Go, the language used to implement Beats. If Beats is configured to listen for Syslog over TLS, or if Beats is making outbound connections over HTTPS, a remote attacker coul...
Kibana 4.x XSS -- CVE pending
Summary Kibana versions up to and including 4.3.0, 4.2.1, and 4.1.3 are vulnerable to a cross-site scripting XSS attack. The attack allows execution of arbitrary JavaScript in the context of the user’s browser. We have requested a CVE number and will update our forum post and website when the...
Kibana 3.1.3
We've identified two content sanitation issues in Kibana 3. While these are low impact and difficult to trigger we're releasing Kibana 3.1.3 to correct them: https://www.elastic.co/downloads/past-releases/kibana-3-1-3...
About the Security Announcements category
Security announcements for the Elastic stack. To report a security vulnerability, please follow the instructions on our Security Issues page. Posting to this category is restricted to staff only...
Elastic Stack 5.5.1 and Kibana 4.6.5 security update
Kibana Node.js security flaw ESA-2017-14 The version of Node.js shipped in all versions of Kibana prior to 5.5.1 contains a Denial of Service flaw in its HashTable random seed. This flaw could allow a remote attacker to consume resources within Node.js, preventing Kibana from servicing requests...