Arch Linux Security Advisory ASA-201902-26
=========================================
Severity: High
Date    : 2019-02-25
CVE-ID  : CVE-2019-7608 CVE-2019-7609 CVE-2019-7610
Package : kibana
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-911

Summary
=======
The package kibana before version 6.6.1-1 is vulnerable to multiple
issues including arbitrary code execution and information disclosure.

Resolution
==========
Upgrade to 6.6.1-1.

# pacman -Syu "kibana>=6.6.1-1"

The problems have been fixed upstream in version 6.6.1.

Workaround
==========
None.

Description
===========
- CVE-2019-7608 (information disclosure)

Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting
(XSS) vulnerability that could allow an attacker to obtain sensitive
information from, or perform destructive actions on behalf of, other
Kibana users.

- CVE-2019-7609 (arbitrary code execution)

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code
execution flaw in the Timelion visualizer. An attacker with access to
the Timelion application could send a request that attempts to execute
JavaScript code. This could possibly lead to an attacker executing
arbitrary commands with the permissions of the Kibana process on the
host system.

- CVE-2019-7610 (arbitrary code execution)

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code
execution flaw in the security audit logger. If a Kibana instance has
the setting xpack.security.audit.enabled set to true, an attacker could
send a request that attempts to execute JavaScript code. This could
possibly lead to an attacker executing arbitrary commands with the
permissions of the Kibana process on the host system.
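As an added triage example (not part of the advisory, and not Kibana's or Arch's own code), the following script compares an installed package version against the fixed versions named above and checks whether the audit-logger setting that gates CVE-2019-7610 is switched on. The kibana.yml content embedded below is constructed; on an Arch system the real inputs would be the version reported by `pacman -Q kibana` and the contents of /etc/kibana/kibana.yml (path assumed). The flat key/value reader is deliberately minimal and is not a general YAML parser.

```python
"""Triage helper for ASA-201902-26 (added example; not part of the advisory or of Kibana)."""
import re
from typing import Dict, Tuple

# Upstream versions that carry the fixes, as stated in the advisory.
FIXED_5X = (5, 6, 15)
FIXED_6X = (6, 6, 1)

# Constructed sample of a kibana.yml with audit logging switched on.
SAMPLE_KIBANA_YML = """\
# constructed sample configuration, not taken from a real deployment
server.port: 5601
server.host: "localhost"
elasticsearch.url: "http://localhost:9200"
xpack.security.audit.enabled: true   # the setting that exposes CVE-2019-7610
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '6.6.1' or Arch's '6.6.1-1' (pkgver-pkgrel) into a comparable tuple.

    The pkgrel is dropped: the advisory's cut-off is an upstream version, and
    the Arch fix (6.6.1-1) is the first package built from that upstream release.
    """
    pkgver = version.split("-", 1)[0]
    return tuple(int(part) for part in pkgver.split("."))


def is_vulnerable_version(version: str) -> bool:
    """True for the 'before 5.6.15 and 6.6.1' ranges named in the advisory."""
    ver = parse_version(version)
    in_5x_range = ver < FIXED_5X
    in_6x_range = (6, 0, 0) <= ver < FIXED_6X
    return in_5x_range or in_6x_range


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Minimal reader for the flat 'key: value' lines kibana.yml uses.

    Handles comments and quoted scalars only; nested mappings or lists would
    need PyYAML, which is left out to keep the example dependency-free.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()  # drop comments
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_logging_enabled(settings: Dict[str, str]) -> bool:
    """The audit logger is off unless the setting is explicitly true."""
    return settings.get("xpack.security.audit.enabled", "false").lower() == "true"


def assess(installed_version: str, kibana_yml: str) -> Dict[str, bool]:
    """Map each CVE in the advisory to whether this instance is exposed to it."""
    vulnerable = is_vulnerable_version(installed_version)
    settings = parse_flat_yaml(kibana_yml)
    return {
        # XSS: any vulnerable version, no configuration prerequisite.
        "CVE-2019-7608": vulnerable,
        # Timelion code execution: the advisory also requires Timelion access,
        # which is an access-control question not visible in kibana.yml.
        "CVE-2019-7609": vulnerable,
        # Audit-logger code execution: only reachable when audit logging is on.
        "CVE-2019-7610": vulnerable and audit_logging_enabled(settings),
    }


if __name__ == "__main__":
    for version in ("6.6.0-1", "6.6.1-1", "5.6.14-1"):
        print(version, assess(version, SAMPLE_KIBANA_YML))
```

Note that a `False` for CVE-2019-7610 on a vulnerable version only means the audit logger is not the exposed path; the upgrade is still required for the other two issues, which need no configuration prerequisite.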

Impact
======
An authenticated malicious user can disclose sensitive information or
execute arbitrary code.

References
==========
https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
https://security.archlinux.org/CVE-2019-7608
https://security.archlinux.org/CVE-2019-7609
https://security.archlinux.org/CVE-2019-7610
