Elastic Stack 6.2.4 and 5.6.9 security update
X-Pack Machine Learning XSS vulnerability ESA-2018-06 X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. Users with manage_ml permissions could create jobs containing malicious data as part of their configuration that could allow the attacker to...
Elastic Stack 6.2.3 security update
X-Pack Security SAML vulnerability ESA-2018-07 X-Pack Security versions 6.2.0, 6.2.1, and 6.2.2 are vulnerable to a user impersonation attack via incorrect XML canonicalization and DOM traversal. An attacker might have been able to impersonate a legitimate user if the SAML Identity Provider allow...
Elastic Stack 6.1.3 and 5.6.7 security update
Kibana incomplete fix for ESA-2017-23 ESA-2018-03 The fix in Kibana for ESA-2017-23 was incomplete. With X-Pack security enabled, Kibana versions before 6.1.3 and 5.6.7 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitra...
Elastic Stack 6.1.2 and 5.6.6 security update
Logstash sensitive information disclosure issue ESA-2018-01 When logging warnings regarding deprecated settings, Logstash could inadvertently log sensitive information. Affected Versions: All versions before 6.1.2 and 5.6.6. Solutions and Mitigations: Users should upgrade to Logstash version 6.1.2 ...
Kibana 6.1.1 security update
Kibana arbitrary code execution issue ESA-2017-24 Kibana version 6.1.0 had an arbitrary code execution vulnerability in the Math.js package which is used by math aggregations in Time Series Visual Builder. Kibana users could construct a math aggregation capable of executing arbitrary code on the...
Kibana 6.0.1 and 5.6.5 security update
Kibana cross-site scripting issue ESA-2017-22 Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. Affected Versions: A...
Beats 5.6.4 security update
Packetbeat denial of service ESA-2017-21 Packetbeat versions prior to 5.6.4 are affected by a denial of service flaw in the PostgreSQL protocol handler. If Packetbeat is listening for PostgreSQL traffic and a user is able to send arbitrary network traffic to the monitored port, the attacker could...
X-Pack Alerting and Kibana 5.6.1 security update
X-Pack alerting privileged user multiple issues An error was found in the permission model used by X-Pack alerting whereby users mapped to certain built-in roles could create a watch that results in that user gaining elevated privileges. Affected Versions: 5.0.0 to 5.6.0 Solutions and Mitigations...
Elastic Cloud Enterprise 1.0.2 security update
Elastic Cloud Enterprise unsecured communication ESA-2017-13 The client-forwarder in Elastic Cloud Enterprise versions prior to 1.0.2 does not properly encrypt traffic to ZooKeeper. If an attacker is able to man-in-the-middle (MITM) the traffic between the client-forwarder and ZooKeeper they could...
X-Pack Security 5.6.0 and 5.5.3 security update
X-Pack Security permission issue ESA-2017-18 An error was found in the X-Pack Security privilege enforcement. If a user has either ‘delete’ or ‘index’ permissions on an index in a cluster, they may be able to issue both delete and index requests against that index. Previously if a user had bulk...
X-Pack Security 5.5.2 security update
X-Pack Security TLS certificate verification error ESA-2017-15 An error was found in the X-Pack Security TLS trust manager for versions 5.0.0 to 5.5.1. If reloading the trust material fails the trust manager will be replaced with an instance that trusts all certificates. This could allow any node...
Kibana 5.5.2 and 4.6.5 security update
Kibana markdown parser Cross-Site Scripting (XSS) error ESA-2017-16 Kibana versions prior to 5.5.2 had a cross-site scripting (XSS) vulnerability in the markdown parser that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users...
Elastic Stack 5.5.1 and Kibana 4.6.5 security update
Kibana Node.js security flaw ESA-2017-14 The version of Node.js shipped in all versions of Kibana prior to 5.5.1 contains a Denial of Service flaw in its HashTable random seed. This flaw could allow a remote attacker to consume resources within Node.js, preventing Kibana from servicing requests...
Elastic Stack 5.5 Security update
Elasticsearch X-Pack Security user credentials disclosure ESA-2017-10 Elasticsearch X-Pack Security versions 5.0.0 to 5.4.3, when enabled, can result in the Elasticsearch nodes API leaking sensitive configuration information, such as the paths and passphrases of SSL keys that were configured as...
Elastic Stack 5.4.3 Security update
Kibana X-Pack Security user credentials disclosure ESA-2017-11 In Kibana X-Pack security versions prior to 5.4.3 if a Kibana user opens a crafted Kibana URL the result could be a redirect to an improperly initialized Kibana login screen. If the user enters credentials on this screen, the...
Elastic Stack 5.4.1 and 5.3.3 Security updates
X-Pack 5.4.1 privilege escalation ESA-2017-06 X-Pack 5.4.1 has been released which fixes a privilege escalation bug in the run_as functionality. This bug prevents transitioning into the user specified in a run_as request. If a role has been created using a template that contains the user...
Protect your data from ransom attacks
I wanted to bring attention to two blog posts we have done recently in response to the recent set of data ransom attacks affecting Elasticsearch and other systems. The two are: For Elasticsearch: Protecting Against Attacks that Hold Your Data for Ransom For Kibana: Guarding Kibana from Data...
Kibana 5.0.2 released with a fix for improper authentication
With X-Pack installed, operations in the Advanced Settings panel of the Management tab and operations from the short URL service were performed as the "Kibana Server" user regardless of the user that is currently authenticated. As a result, a user that was defined as read-only could make changes ...
Logstash 5.0.1 released with a security patch
Hi all, we would like to announce that Logstash 5.0.1 has been released with an important security patch. Prior to Logstash version 5.0.1, the Elasticsearch Output plugin, when updating connections after sniffing, would log HTTP basic auth credentials to file. We advise our users using Logstash and...
Kibana 5.0.1 and 4.6.3 released with a fix for an open redirect vulnerability
Kibana versions 5.0.1 and 4.6.3 fix an open redirect vulnerability in the short URL feature that would allow an attacker to create a redirect from the Kibana domain to a different website. We’ve assigned this vulnerability the identifier ESA-2016-08. Thank you to the GE Digital Security Team for...
Kibana 4.6.2 released with a security fix for an XSS vulnerability
Today, we've published Kibana 4.6.2 as a security release with a fix for an XSS vulnerability with field formatters. Any users of Kibana versions 4.3 to 4.6 are encouraged to update to 4.6.2 immediately. Kibana version 4.1.11 is not affected. Kibana installs on Elastic Cloud have been updated...
Logstash 2.3.2 Vulnerability with Netflow codec plugin
Hi all, we've published ESA-2016-06 for a vulnerability in the netflow codec plugin for Logstash 2.3.2. Thanks to Jorrit Folmer, maintainer of the netflow codec, for reporting and fixing this issue. Details below: Vulnerability Summary: In Logstash versions prior to 2.3.3, when using the Netflow Codec...
Logstash 2.3.3 Elasticsearch Output Vulnerability
Hi all, we would like to announce a security vulnerability we discovered in our testing. Logstash 2.3.4 has been released with a patch to fix this. Issue: Prior to version 2.3.4, the Elasticsearch Output plugin would log HTTP authorization headers to file, which could contain sensitive information...
Kibana 4.4.2, 4.3.3, 4.1.6 - Updated node.js versions due to upstream vulnerabilities
Same deal as last month, but we've bumped all 3 versions to node v4.3.2 to cover security issues in node.js. You can read their maintenance announcement here: https://nodejs.org/en/blog/release/v4.3.2/ Check out the blog post with release notes or grab the latest version...
Logstash 2.2.1 Elasticsearch Output Vulnerability
Logstash version 2.2.1 is vulnerable to a man-in-the-middle attack when used with the Elasticsearch output. In version 2.2.1, the config which enables SSL/TLS by default had been disabled inadvertently, so a malicious user could access payload data sent via HTTP during the initial handshake. This has be...
Kibana 4.4.1, 4.3.2, 4.1.5 - Updated node.js versions due to upstream vulnerabilities
Summary: The bundled versions of node.js in Kibana contain HTTP-related security vulnerabilities. Fixed versions of node.js were recently released. For the original node.js security announcement, see https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/ Fixed versions: Kibana...
Logstash CSV Output Vulnerability - CVE pending
Summary: Logstash 2.2 and prior versions are vulnerable to a formula-based injection when using the CSV output plugin. This plugin allows users to export data in comma-separated values and is susceptible to an attack if the values contain a spreadsheet formula. This vulnerability is not presen...
Kibana 4.x XSS -- CVE pending
Summary: Kibana versions up to and including 4.3.0, 4.2.1, and 4.1.3 are vulnerable to a cross-site scripting (XSS) attack. The attack allows execution of arbitrary JavaScript in the context of the user’s browser. We have requested a CVE number and will update our forum post and website when the...
Kibana Cross-site Request Forgery CVE-2015-8131
CVE: CVE-2015-8131 Affected versions: All versions up to and including 4.1.2 and 4.2.0. The vulnerability is a cross-site request forgery (CSRF or XSRF) that could allow an attacker to read and write changes to the .kibana index or gain read and write access to Kibana plugin actions. Remediation: A...
Kibana 3.1.3
We've identified two content sanitization issues in Kibana 3. While these are low impact and difficult to trigger, we're releasing Kibana 3.1.3 to correct them: https://www.elastic.co/downloads/past-releases/kibana-3-1-3...
Logstash SSL/TLS FREAK Vulnerability CVE-2015-5378
Logstash 1.5.2 and prior versions are vulnerable to an SSL/TLS security issue called the FREAK attack. If you are using the Lumberjack input, FREAK allows an attacker to successfully implement a man-in-the-middle attack, intercepting communication between the Logstash Forwarder agent and Logstash...
Elasticsearch directory traversal vulnerability CVE-2015-5531
Summary: Elasticsearch versions from 1.0.0 to 1.6.0 are vulnerable to a directory traversal attack that allows an attacker to retrieve files that are readable by the Elasticsearch JVM process. We have been assigned CVE-2015-5531 for this issue. Fixed versions: Versions 1.6.1 and 1.7.0 address the...
Elasticsearch remote code execution CVE-2015-5377
Summary: Elasticsearch versions prior to 1.6.1 are vulnerable to an engineered attack on its transport protocol that enables remote code execution. This issue is related to the Groovy announcement in CVE-2015-3253. Deployments are vulnerable even when Groovy dynamic scripting is disabled. We have...
Kibana Cross-Site Scripting Vulnerability CVE-2015-4093
Summary: Kibana versions 4.0.0, 4.0.1 and 4.0.2 are vulnerable to a cross-site scripting (XSS) attack. The attack allows execution of arbitrary JavaScript in the context of the user’s browser. We have been assigned CVE-2015-4093 for this issue. Fixed versions: Version 4.0.3 has addressed the...
Logstash File Output Vulnerability CVE-2015-4152
Summary: Logstash versions 1.4.2 and prior are vulnerable to a directory traversal attack that allows an attacker to overwrite files on the server running Logstash. This vulnerability is not present in the initial installation of Logstash. The vulnerability is exposed when the file output plugin...
Elasticsearch Engineered Attack Vulnerability CVE-2015-4165
Summary: Elasticsearch versions 1.0.0 - 1.5.2 are vulnerable to an engineered attack on other applications on the system. The snapshot API may be used indirectly to place snapshot metadata files into locations that are writeable by the user running the Elasticsearch process. It is possible to...
About the Security Announcements category
Security announcements for the Elastic stack. To report a security vulnerability, please follow the instructions on our Security Issues page. Posting to this category is restricted to staff only...