ArchLinux: 201902-26: kibana: multiple issues
Summary
- CVE-2019-7608 (information disclosure)
Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting
(XSS) vulnerability that could allow an attacker to obtain sensitive
information from, or perform destructive actions on behalf of, other
Kibana users.
- CVE-2019-7609 (arbitrary code execution)
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code
execution flaw in the Timelion visualizer. An attacker with access to
the Timelion application could send a request that will attempt to
execute JavaScript code. This could possibly lead to an attacker
executing arbitrary commands with permissions of the Kibana process on
the host system.
- CVE-2019-7610 (arbitrary code execution)
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code
execution flaw in the security audit logger. If a Kibana instance has
the setting xpack.security.audit.enabled set to true, an attacker could
send a request that will attempt to execute JavaScript code. This could
possibly lead to an attacker executing arbitrary commands with
permissions of the Kibana process on the host system.
Resolution
Upgrade to 6.6.1-1.
# pacman -Syu "kibana>=6.6.1-1"
The problems have been fixed upstream in version 6.6.1.
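A local check that follows from the advisory text, added here as an example (it is not part of the Arch advisory or of the Kibana project): it classifies an installed Kibana version against the "before 5.6.15 and 6.6.1" range and reports whether the kibana.yml setting named in CVE-2019-7610 is enabled. The function names, the constructed sample config and the /etc/kibana/kibana.yml path in the usage note are assumptions.

```shell
#!/bin/sh
# Added example, not from the advisory. POSIX sh only, so it runs without pacman.

# Return 0 (true) when VERSION is in the affected range: anything before
# 5.6.15, or a 6.x release before 6.6.1. An Arch pkgrel suffix (6.6.1-1) is ignored.
kibana_affected() {
    v=${1%%-*}
    IFS=. read -r major minor patch <<EOF
$v
EOF
    patch=${patch:-0}
    case "$major" in
        5) [ "$minor" -lt 6 ] || { [ "$minor" -eq 6 ] && [ "$patch" -lt 15 ]; } ;;
        6) [ "$minor" -lt 6 ] || { [ "$minor" -eq 6 ] && [ "$patch" -lt 1 ]; } ;;
        *) [ "$major" -lt 5 ] ;;   # older than 5.x predates both fixes; 7.x+ is not listed
    esac
}

# Return 0 when the given kibana.yml enables the security audit logger on an
# uncommented line (the precondition for CVE-2019-7610).
audit_logger_enabled() {
    grep -Eq '^[[:space:]]*xpack\.security\.audit\.enabled[[:space:]]*:[[:space:]]*true' "$1"
}

# Print an assessment for VERSION and CONFIG; exit status 0 means at least one
# of the three CVEs applies to this installation.
assess_kibana() {
    if ! kibana_affected "$1"; then
        echo "kibana $1: not in the affected range"
        return 1
    fi
    echo "kibana $1: affected by CVE-2019-7608 and CVE-2019-7609, upgrade to >=6.6.1-1"
    if audit_logger_enabled "$2"; then
        echo "kibana $1: audit logger enabled, CVE-2019-7610 also applies"
    fi
    return 0
}

# Demo on a constructed config (hypothetical content, not a real file).
demo_cfg=$(mktemp)
printf '%s\n' '# xpack.security.audit.enabled: false' \
              'xpack.security.audit.enabled: true' > "$demo_cfg"
assess_kibana 6.6.0-1 "$demo_cfg"
rm -f "$demo_cfg"
```

On an Arch host the installed version comes from `pacman -Q kibana | cut -d' ' -f2`, and the config path is assumed to be /etc/kibana/kibana.yml.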
References
https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
https://security.archlinux.org/CVE-2019-7608
https://security.archlinux.org/CVE-2019-7609
https://security.archlinux.org/CVE-2019-7610
Workaround
None.