RHBA-2019:2824

RHSA-2019:2860

https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077

https://www.elastic.co/community/security

According to its self-reported version number, the Kibana application running on the remote host is prior to 5.6.15 or 6.x prior to 6.6.1. It is, therefore, affected by the following vulnerabilities:

 - A cross-site scripting (XSS) vulnerability that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. (CVE-2019-7608)

 - An arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system. (CVE-2019-7609)

 - An arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system. (CVE-2019-7610)

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

Kibana versions before 5.6.15 and 6.6.1 have the following vulnerabilities:

- A cross-site scripting (XSS) vulnerability that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. (CVE-2019-7608)
 - An arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system. (CVE-2019-7609)
 - An arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system. (CVE-2019-7610)

An update for kibana is now available for Red Hat OpenShift Container Platform 4.1.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains updates to kibana in Red Hat OpenShift Container Platform 4.1.18.

Security Fix(es) :

* kibana: Cross-site scripting vulnerability permits perform destructive actions on behalf of other Kibana users (CVE-2019-7608)

* kibana: Arbitrary code execution flaw in the Timelion visualizer (CVE-2019-7609)

* kibana: Audit logging Remote Code Execution issue (CVE-2019-7610)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Kibana versions before 5.6.15 and 6.6.1 have the following vulnerabilities:

  - A cross-site scripting (XSS) vulnerability that could     allow an attacker to obtain sensitive information from     or perform destructive actions on behalf of other     Kibana users. (CVE-2019-7608)

  - An arbitrary code execution flaw in the Timelion     visualizer. An attacker with access to the Timelion     application could send a request that will attempt to     execute javascript code. This could possibly lead to an     attacker executing arbitrary commands with permissions     of the Kibana process on the host system. (CVE-2019-7609)

  - An arbitrary code execution flaw in the security audit     logger. If a Kibana instance has the setting     xpack.security.audit.enabled set to true, an attacker     could send a request that will attempt to execute     javascript code. This could possibly lead to an attacker     executing arbitrary commands with permissions of the     Kibana process on the host system. (CVE-2019-7610)

ID	Name	Product	Family	Severity
98982	Kibana 6.x < 6.6.1 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	critical
98981	Kibana < 5.6.15 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	critical
701234	Kibana 5.x < 5.6.15 / 6.x < 6.6.1 Multiple Vulnerabilities	Nessus Network Monitor	Generic	critical
129396	RHEL 7 : OpenShift Container Platform 4.1.18 (RHSA-2019:2860)	Nessus	Red Hat Local Security Checks	critical
122589	Kibana ESA-2019-01, ESA-2019-02, ESA-2019-03	Nessus	CGI abuses	critical

CVE-2019-7609

critical

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

critical

critical

critical

critical

critical