237 matches found

Elastic | added 2022/05/24 4:55 p.m. | 6 views

Elastic Stack 7.17.4 and 8.2.1 Security Update

Elastic Stack update for CVE-2022-21449 Java vulnerability in Elliptic Curve Digital Signature Algorithm ECDSA ESA-2022-06 A vulnerability CVE-2022-21449 affecting the implementation of Elliptic Curve Digital Signing Algorithm ECDSA based signatures verification in Java JDK versions 15 and later...

CVSS 7.5 | AI score 7.7 | EPSS 0.46677 | Exploits: 6

Elastic | added 2022/04/20 2:20 p.m. | 6 views

Kibana 7.17.3 and 8.1.3 Security Update

Kibana Exposure of Sensitive Information ESA-2022-05 A vulnerability in Kibana could expose sensitive information related to Elastic Stack monitoring in the Kibana page source. Elastic Stack monitoring features provide a way to keep a pulse on the health and performance of your Elasticsearch...

CVSS 5.3 | AI score 5.7 | EPSS 0.00863 | Exploits: 0

Elastic | added 2022/02/28 9:24 p.m. | 8 views

Elastic Stack 7.17.1 Security Update

Elasticsearch privilege escalation issue ESA-2022-02 A flaw was discovered in elasticsearch 7.17.0’s upgrade assistant, in which upgrading from version 6.x to 7.x would disable the in-built protections on the security index, allowing authenticated users with “” index permissions access to this...

CVSS 6.1 | AI score 5.2 | EPSS 0.00888 | Exploits: 0

Elastic | added 2022/02/03 5:34 p.m. | 6 views

Kibana 7.17.0 Security Update

Kibana Cross-site scripting issue ESA-2022-01 An XSS vulnerability was found in Kibana index patterns. Using this vulnerability, an authenticated user with permissions to create index patterns can inject malicious javascript into the index pattern which could execute against other users. Affected...

CVSS 5.4 | AI score 6 | EPSS 0.00519 | Exploits: 0

Elastic | added 2021/12/17 5:05 p.m. | 11 views

Logstash 5.0.0-6.8.20 and 7.0.0-7.16.0: Log4j CVE-2021-44228, CVE-2021-45046 remediation

Note — These instructions only apply if you are running Logstash 5.0.0 - 6.8.20, or 7.0.0 - 7.16.0. If you are running an older version of Logstash, or a version of Logstash >= 6.8.21 in the 6.x series or >= 7.16.1 in the 7.x series, these instructions do not apply. Please follow the guidance in ma...

CVSS 10 | AI score 7.3 | EPSS 0.99999 | Exploits: 347

Elastic | added 2021/12/15 10:21 p.m. | 9 views

Elasticsearch 5.0.0-5.6.10 and 6.0.0-6.3.2: Log4j CVE-2021-44228, CVE-2021-45046 remediation

Note — If you are not running Elasticsearch 5.0.0-5.6.10 or 6.0.0-6.3.2, these instructions do not apply. Please follow the guidance in the main announcement. Instructions for removing JndiLookup from the log4j-core JAR file These instructions only apply to users running Elasticsearch versions...

CVSS 10 | AI score 7.6 | EPSS 0.99999 | Exploits: 347

Elastic | added 2021/12/10 9:42 p.m. | 8 views

Apache Log4j2 Remote Code Execution (RCE) Vulnerability - CVE-2021-44228 - ESA-2021-31

Subject: Apache Log4j2 Vulnerability - CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832 - ESA-2021-31 Note - We will update this announcement with new details as they emerge from our analysis. Please check back periodically. Update Log Dec 16, 2021 - 04:20 UTC - Update Summary: EC...

CVSS 10 | AI score 8.8 | EPSS 0.99999 | Exploits: 352

Elastic | added 2021/12/09 5:25 p.m. | 5 views

APM Java Agent Security Update

APM Java Agent Local Privilege Escalation issue ESA-2021-30 A local privilege escalation issue was found with the APM Java agent, where a user on the system could attach a malicious plugin to an application running the APM Java agent. By using this vulnerability, an attacker could execute code at...

CVSS 7.8 | AI score 7.3 | EPSS 0.00249 | Exploits: 0

Elastic | added 2021/12/07 5:00 p.m. | 5 views

Enterprise Search 7.16.0 Security Update

Enterprise Search Information Disclosure issue ESA-2021-28 An information disclosure via GET request server-side request forgery vulnerability was discovered with the Workplace Search Github Enterprise Server integration. Using this vulnerability, a malicious Workplace Search admin could use the...

CVSS 6.8 | AI score 6.1 | EPSS 0.00849 | Exploits: 0

Elastic | added 2021/11/18 5:41 p.m. | 9 views

APM Java Agent Security Update

APM Java Agent Local Privilege Escalation issue ESA-2021-29 A local privilege escalation issue was found with the APM Java agent, where a user on the system could attach a malicious file to an application running with the APM Java agent. Using this vector, a malicious or compromised user account...

CVSS 7.8 | AI score 7.1 | EPSS 0.00195 | Exploits: 0

Elastic | added 2021/11/10 7:18 p.m. | 6 views

Kibana 7.15.2 Security Update

Kibana Path Traversal issue ESA-2021-26 It was discovered that on Windows operating systems specifically, Kibana was not validating a user supplied path, which would load .pbf files. Because of this, a malicious user could arbitrarily traverse the Kibana host to load internal files ending in the...

CVSS 4.3 | AI score 6.3 | EPSS 0.00697 | Exploits: 0

Elastic | added 2021/09/01 4:10 p.m. | 4 views

Elastic Stack 7.14.1 Security Update

Kibana code execution issue ESA-2021-21 It was discovered that a user with fleet admin permissions could upload a malicious package. Due to using an older version of the js-yaml library, this package would be loaded in an insecure manner, allowing an attacker to execute commands on the kibana...

CVSS 9.8 | AI score 8 | EPSS 0.21952 | Exploits: 3

Elastic | added 2021/08/03 3:44 p.m. | 5 views

Elastic Stack 7.14.0 Security Update

Elasticsearch Document/Field Level Security issue ESA-2021-18 A flaw was discovered in Elasticsearch where document and field level security was not applied to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view. Affected...

CVSS 8.8 | AI score 6.3 | EPSS 0.01004 | Exploits: 0

Elastic | added 2021/07/20 3:17 p.m. | 7 views

Elastic Cloud Enterprise security update

Elastic Cloud Enterprise security update ESA-2021-17 Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters. While in the default setting the anonymous user has no permissions and is unable to successfully query any Elasticsearch APIs, an attacker...

CVSS 7.5 | AI score 7 | EPSS 0.27788 | Exploits: 6

Elastic | added 2021/07/20 3:14 p.m. | 7 views

Elasticsearch 7.13.4 Security Update

Elasticsearch memory disclosure issue ESA-2021-16 A memory disclosure vulnerability was identified in Elasticsearch’s error reporting. A user with the ability to submit arbitrary queries to Elasticsearch could submit a malformed query that would result in an error message returned containing...

CVSS 6.5 | AI score 7.8 | EPSS 0.76249 | Exploits: 6

Elastic | added 2021/07/07 5:23 p.m. | 8 views

Elasticsearch 7.13.3 and 6.8.17 Security Update

Elasticsearch Denial of Service issue ESA-2021-15 An uncontrolled recursion vulnerability that could lead to a denial of service attack was identified in the Elasticsearch Grok parser. A user with the ability to submit arbitrary queries to Elasticsearch could create a malicious Grok query that wi...

CVSS 6.5 | AI score 6.8 | EPSS 0.0166 | Exploits: 0

Elastic | added 2021/06/01 5:42 p.m. | 8 views

Elastic APM .NET Agent 1.10.0 Security Update

Elastic APM .NET Agent information disclosure ESA-2021-14 The Elastic APM .NET Agent can leak sensitive HTTP header information when logging the details during an application error. Normally, the APM agent will sanitize sensitive HTTP header details before sending the information to the APM serve...

CVSS 4.3 | AI score 6.3 | EPSS 0.00611 | Exploits: 0

Elastic | added 2021/05/25 3:17 p.m. | 7 views

Elastic Stack 7.13.0 and 6.8.16 Security Update

Kibana url redirection flaw ESA-2021-12 An open redirect flaw was found in Kibana versions before 7.13.0 and 6.8.16. If a logged in user visits a maliciously crafted URL, it could result in Kibana redirecting the user to an arbitrary website. Affected Versions: All versions of Kibana before 7.13....

CVSS 8.8 | AI score 7.2 | EPSS 0.01009 | Exploits: 0

Elastic | added 2021/04/27 7:28 p.m. | 5 views

7.12.1 Security Update

Kibana denial of service issue ESA-2021-10 A denial of service vulnerability was found in the Kibana webhook actions due to a lack of timeout or a limit on the request size. An attacker with permissions to create webhook actions could drain the Kibana host connection pool, making Kibana unavailab...

CVSS 7.5 | AI score 6.9 | EPSS 0.0127 | Exploits: 0

Elastic | added 2021/03/23 5:40 p.m. | 5 views

Elastic Stack 7.12.0 and 6.8.15 Security Update

Elasticsearch Suggester & Profile API information disclosure flaw ESA-2021-06 A document disclosure flaw was found in the Elasticsearch suggester and profile API when Document and Field Level Security are enabled. The suggester and profile API are normally disabled for an index when document leve...

CVSS 5.3 | AI score 6.9 | EPSS 0.01162 | Exploits: 0

Elastic | added 2021/03/01 4:55 p.m. | 7 views

Elastic Stack 7.11.0 Security Update

Elasticsearch field disclosure flaw ESA-2021-05 A document disclosure flaw was found in Elasticsearch when Document or Field Level Security is used. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents that have...

CVSS 4.3 | AI score 7.3 | EPSS 0.01112 | Exploits: 0

Elastic | added 2021/02/10 5:50 p.m. | 6 views

Elastic Stack 7.11.0 and 6.8.14 Security Update

Elasticsearch information disclosure ESA-2021-03 Elasticsearch versions before 7.10.0 and 6.8.14 have an information disclosure issue when audit logging and the emitrequestbody option is enabled. The Elasticsearch audit log could contain sensitive information such as password hashes or...

CVSS 8.7 | AI score 5.5 | EPSS 0.01362 | Exploits: 0

Elastic | added 2021/02/04 2:19 p.m. | 5 views

Elastic APM Agent for Go 1.11.0 Security Update

Elastic APM Agent for Go information disclosure ESA-2021-02 The Elastic APM agent for Go can leak sensitive HTTP header information when logging the details during an application panic. Normally, the APM agent will sanitize sensitive HTTP header details before sending the information to the APM...

CVSS 2.7 | AI score 6.3 | EPSS 0.00521 | Exploits: 0

Elastic | added 2021/01/14 6:09 p.m. | 5 views

Elasticsearch 7.10.2 Security Update

Elasticsearch authorization-header storage issue ESA-2021-01 An information disclosure flaw was found in the Elasticsearch async search API. Users who execute an async search will store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive reques...

CVSS 4.8 | AI score 7 | EPSS 0.01241 | Exploits: 0

Elastic | added 2020/12/09 4:24 p.m. | 3 views

Beats 7.10.1 Security Update

Beats Denial of Service issue ESA-2020-16 A denial of service flaw when parsing malformed TLS public keys was discovered in Go, the language used to implement Beats. If Beats is configured to listen for Syslog over TLS, or if Beats is making outbound connections over HTTPS, a remote attacker coul...

CVSS 7.5 | AI score 5.1 | EPSS 0.03813 | Exploits: 0

Elastic | added 2020/10/22 3:34 p.m. | 5 views

Elastic Stack 7.9.3 and 6.8.13 Security Update

Elasticsearch field disclosure flaw ESA-2020-13 A document disclosure flaw was found in Elasticsearch when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain complex queries. This could result in the search disclosing the...

CVSS 7.4 | AI score 6.2 | EPSS 0.00999 | Exploits: 1

Elastic | added 2020/08/18 3:16 p.m. | 4 views

Enterprise Search 7.9.0 security update

Enterprise Search credential exposure flaw ESA-2020-11 Elastic Enterprise Search versions before 7.9.0 contain a credential exposure flaw in the App Search interface. If a user is given the ‘developer’ role, they will be able to view the administrator API credentials. These credentials could allo...

CVSS 8.8 | AI score 6.6 | EPSS 0.0109 | Exploits: 0

Elastic | added 2020/08/18 3:11 p.m. | 6 views

Elastic Stack 7.9.0 and 6.8.12 Security Update

Elasticsearch field disclosure flaw ESA-2020-12 A field disclosure flaw was found in Elasticsearch when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This...

CVSS 6.5 | AI score 7.1 | EPSS 0.01204 | Exploits: 0

Elastic | added 2020/07/27 5:09 p.m. | 6 views

Elastic Stack 6.8.11 and 7.8.1 security update

Kibana regular expression denial of service flaw ESA-2020-09 Kibana versions before 6.8.11 and 7.8.1 contain a denial of service DoS flaw in Timelion. An attacker can construct a URL that when viewed by a Kibana user can lead to the Kibana process consuming large amounts of CPU and becoming...

CVSS 6.7 | AI score 8.2 | EPSS 0.0122 | Exploits: 0

Elastic | added 2020/06/03 2:16 p.m. | 6 views

Elastic Stack 7.7.1 and 6.8.10 Security Update

Kibana cross site scripting XSS issue ESA-2020-08 The TSVB visualization in Kibana contains a stored XSS flaw. An attacker who is able to edit or create a TSVB visualization could allow the attacker to obtain sensitive information from, or perform destructive actions, on behalf of Kibana users wh...

CVSS 5.4 | AI score 5.4 | EPSS 0.00779 | Exploits: 0

Elastic | added 2020/06/03 2:14 p.m. | 6 views

Elastic Stack 6.8.9 and 7.7.0 security update

Kibana upgrade assistant prototype pollution flaw ESA-2020-05 Kibana versions between 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. An authenticated attacker with privileges to write to the Kibana index could insert data that would cause Kibana to...

CVSS 8.8 | AI score 8 | EPSS 0.18211 | Exploits: 1

Elastic | added 2020/05/13 7:40 p.m. | 8 views

Enterprise Search 7.7.0 security update

Elastic App Search Cross Site Scripting flaw ESA-2020-04 Elastic App Search versions before 7.7.0 contain a cross site scripting XSS flaw when displaying document URLs in the Reference UI. If the Reference UI injects a URL into a result, that URL will be rendered by the web browser. If an attacke...

CVSS 6.1 | AI score 5.8 | EPSS 0.00983 | Exploits: 0

Elastic | added 2020/04/28 5:23 p.m. | 6 views

Elastic Cloud on Kubernetes 1.1.0 security update

Elastic Cloud on Kubernetes insecure password generation ESA-2020-03 Elastic Cloud on Kubernetes ECK versions prior to 1.1.0 generate passwords using a weak random number generator. If an attacker is able to determine when the current Elastic Stack cluster was deployed they may be able to more...

CVSS 7.5 | AI score 7.1 | EPSS 0.01439 | Exploits: 0

Elastic | added 2020/03/31 5:08 p.m. | 6 views

Elastic Stack 6.8.8 and 7.6.2 security update

Elasticsearch API key privilege escalation ESA-2020-02 Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API ke...

CVSS 8.8 | AI score 7.2 | EPSS 0.016 | Exploits: 0

Elastic | added 2020/03/04 6:01 p.m. | 7 views

Elastic Stack 6.8.7 and 7.6.1 security update

Kibana Node.js security flaws ESA-2020-01 The version of Node.js shipped in all versions of Kibana prior to 7.6.1 and 6.8.7 contain three security flaws. CVE-2019-15604 describes a Denial of Service DoS flaw in the TLS handling code of Node.js. Successful exploitation of this flaw could result in...

CVSS 9.8 | AI score 9.6 | EPSS 0.57132 | Exploits: 2

Elastic | added 2019/12/18 7:15 p.m. | 5 views

Elastic Stack 6.8.6 and 7.5.1 security update

Kibana XSS ESA-2019-17 Kibana versions before 6.8.6 and 7.5.1 contain a cross site scripting XSS flaw in the coordinate and region map visualizations. An attacker with the ability to create coordinate map visualizations could create a malicious visualization. If another Kibana user views that...

CVSS 5.4 | AI score 5.6 | EPSS 0.00652 | Exploits: 0

Elastic | added 2019/12/02 4:39 p.m. | 4 views

Elastic Stack 7.5.0 security update

Metricbeat and Filebeat DSA public key panic ESA-2019-15 A denial of service flaw when parsing malformed DSA public keys was discovered in Go, the language used to implement Beats. If Metricbeat or Filebeat are configured to accept incoming TLS connections with client authentication enabled, a...

CVSS 7.5 | AI score 9.6 | EPSS 0.04693 | Exploits: 1

Elastic | added 2019/10/23 4:07 p.m. | 8 views

Elastic Stack 7.4.1 security update

Logstash Beats input denial of service flaw ESA-2019-14 A denial of service flaw was found in the Logstash beats input plugin. An unauthenticated user who is able to connect to the port the Logstash beats input could send a specially crafted network packet that would cause Logstash to stop...

CVSS 7.5 | AI score 6.7 | EPSS 0.0153 | Exploits: 0

Elastic | added 2019/10/23 4:02 p.m. | 10 views

Elastic Stack 6.8.4 security update

Elasticsearch username disclosure flaw ESA-2019-13 A username disclosure flaw was found in Elasticsearch’s API Key service. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native realm. Affected Versions The following...

CVSS 7.5 | AI score 6.5 | EPSS 0.02429 | Exploits: 0

Elastic | added 2019/10/01 3:03 p.m. | 8 views

Elastic Stack 7.4.0 security update

Elastic Code local file disclosure flaw ESA-2019-12 A local file disclosure flaw was found in Elastic Code. If a malicious code repository is imported into Code it is possible to read arbitrary files from the local filesystem of the Kibana instance running Code with the permission of the Kibana...

CVSS 6.5 | AI score 6.7 | EPSS 0.02429 | Exploits: 0

Elastic | added 2019/08/21 3:19 p.m. | 5 views

Elastic APM agent for Python 5.1.0 security update

Elastic APM agent for Python client CGI proxy redirection flaw ESA-2019-11 When the Elastic APM agent for Python is run as a CGI script, there is a variable name clash flaw if a remote attacker can control the proxy header. This could result in an attacker redirecting collected APM data to a prox...

CVSS 7.2 | AI score 9.1 | EPSS 0.01322 | Exploits: 0

Elastic | added 2019/07/30 6:15 p.m. | 8 views

Elastic Stack 6.8.2 and 7.2.1 security update

Elasticsearch race condition flaw ESA-2019-07 A race condition flaw was found in the response headers Elasticsearch returns to a request. On a system with multiple users submitting requests, it could be possible for an attacker to gain access to response header containing sensitive data from...

CVSS 9.1 | AI score 7.3 | EPSS 0.05006 | Exploits: 3

Elastic | added 2019/07/30 6:11 p.m. | 6 views

Elastic APM agent for Ruby 2.9.0 security update

Elastic APM agent for Ruby client authentication flaw ESA-2019-08 A TLS certificate validation flaw was found in Elastic APM agent for Ruby versions before 2.9.0. When specifying a trusted server CA certificate via the ‘servercacert’ setting, the Ruby agent would not properly verify the certifica...

CVSS 7.4 | AI score 6.8 | EPSS 0.00644 | Exploits: 0

Elastic | added 2019/03/20 3:09 p.m. | 5 views

Elastic Stack 6.6.2 and 5.6.16 security update

Winlogbeat insufficient logging issue ESA-2019-06 Nate Guagenti @ neu5ron, solutions engineer with Perched Inc. reported an issue in Winlogbeat versions before 5.6.16 and 6.6.2 had an insufficient logging flaw. An attacker able to inject certain characters into a log entry could prevent Winlogbea...

CVSS 7.5 | AI score 6.8 | EPSS 0.01324 | Exploits: 0

Elastic | added 2019/02/19 5:09 p.m. | 6 views

Elastic Stack 6.6.1 and 5.6.15 security update

Kibana XSS issue ESA-2019-01 Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting XSS vulnerability that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. Affected Versions Kibana versions before 5.6.15 and...

CVSS 10 | AI score 6.7 | EPSS 0.95338 | Exploits: 12

Elastic | added 2018/12/05 7:42 p.m. | 6 views

Elastic Stack 6.5.2 security update

Elasticsearch information disclosure ESA-2018-19 Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning’s findfilestructure API. If a policy allowing external network access has been added to Elasticsearch’s Java Security Manager then an attacker could send a...

CVSS 5.9 | AI score 5.9 | EPSS 0.01383 | Exploits: 0

Elastic | added 2018/11/06 6:35 p.m. | 7 views

Elastic Stack 6.4.3 and 5.6.13 security update

Elasticsearch information disclosure ESA-2018-16 Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for another request if the same...

CVSS 9.8 | AI score 6.8 | EPSS 0.82251 | Exploits: 1

Elastic | added 2018/09/19 1:18 a.m. | 7 views

Elastic Stack 6.4.1 and 5.6.12 security update

Kibana XSS issue ESA-2018-14 Kibana versions 5.3.0 to 6.4.1 had a cross-site scripting XSS vulnerability via the source field formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. Affected Versions Versions afte...

CVSS 8.8 | AI score 5.2 | EPSS 0.01985 | Exploits: 0

Elastic | added 2018/06/13 6:28 p.m. | 5 views

Elastic Cloud Enterprise 1.1.4 security update

Elastic Cloud Enterprise use of shared encryption key ESA-2018-09 In Elastic Cloud Enterprise ECE versions prior to 1.1.4 a default master encryption key is used in the process of granting ZooKeeper access to Elasticsearch clusters. Unless explicitly overwritten, this master key is predictable...

CVSS 7.5 | AI score 8 | EPSS 0.0077 | Exploits: 0

Elastic | added 2018/06/13 6:23 p.m. | 10 views

Elastic Stack 6.3.0 and 5.6.10 Security Update

Elasticsearch Information Exposure Vulnerability ESA-2018-10 In Elasticsearch versions 6.0.0-beta1 to 6.2.4 a disclosure flaw was found in the snapshot API. When the accesskey and securitykey parameters are set using the snapshot API they can be exposed as plain text by users able to query the...

CVSS 8.1 | AI score 6.4 | EPSS 0.01014 | Exploits: 0

Total number of security vulnerabilities: 237