oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVEs for public Kibana / logstash issues

From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 9 Sep 2016 09:42:12 -0600
As per discussion with MITRE the DWF will assign these CVEs (I had assumed
Elastic.co had asked for some already hence the public query). The CVEs for
this are in commit:
https://github.com/distributedweaknessfiling/DWF-Database/commit/b894223ca5da3dd5bb9dde8ba6b13cf2c53fa1fe

On Thu, Sep 8, 2016 at 9:02 AM, Kurt Seifried <kseifried () redhat com> wrote:


I just checked https://www.elastic.co/community/security and the Kibana
issues do not have CVEs, can you please assign CVEs for:

Kibana:

ESA-2016-05 2016-09-06
Version 2.4.0 of the Reporting plugin is vulnerable to a CSRF
vulnerability that could allow an attacker to generate superfluous reports
whenever an authenticated Kibana user navigates to a specially-crafted page. Users
of the Reporting plugin should upgrade Kibana to 4.6.1 and Reporting to
2.4.1.



CVE-2016-1000218




ESA-2016-04 2016-08-03
When a custom output is configured for logging in versions of Kibana
before 4.5.4 and 4.1.11, cookies and authorization headers could be written
to the log files. This information could be used to hijack sessions of
other users when using Kibana behind some form of authentication such as
Shield. Users should upgrade to 4.5.4 or 4.1.11.



CVE-2016-1000219




ESA-2016-03 2016-08-03
Versions of Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack
that would allow an attacker to execute arbitrary JavaScript in users'
browsers. Users should upgrade to 4.5.4 or 4.1.11.



CVE-2016-1000220




Logstash:

ESA-2016-02 2016-07-07
Prior to version 2.3.4, Elasticsearch Output plugin would log to file HTTP
authorization headers which could contain sensitive information. Users
who secure communication from Logstash to Elasticsearch via Basic
Authorization using Elastic Shield or other systems are advised to upgrade
to this version.



CVE-2016-1000221




ESA-2016-01 2016-02-02
Prior to version 2.1.2, the CSV output can be attacked via engineered
input that will create malicious formulas in the CSV data. Users that
currently use Logstash CSV output plugin or may want to use it in the
future should upgrade to 2.2.0 or 2.1.2.



CVE-2016-1000222




Thanks

--

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert () redhat com





-- 

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert () redhat com
Previous By Date Next
Previous By Thread Next

Current thread: