Security Announcements – Discuss the Elastic Stack. Topics in the ‘Security Announcements’ category: security announcements for the Elastic stack.
- Kibana 8.17.3 Security Update (ESA-2025-06) by ikakavas on March 5, 2025 at 9:41 am
Kibana arbitrary code execution via prototype pollution (ESA-2025-06)
Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2, this is only exploitable by users that have roles that contain all the following privileges: fleet-all, integrations-all, actions:execute-advanced-connectors.
This issue does not affect self-managed Kibana instances on Basic or Platinum licences. This issue affects Kibana instances running on Elastic Cloud, but the code execution is limited within the Kibana Docker container. Further exploitation such as container escape is prevented by seccomp-bpf and AppArmor profiles.
Affected Versions: Kibana versions >= 8.15.0 and < 8.17.3
Solutions and Mitigations: Users should upgrade to Kibana version 8.17.3. For users that cannot upgrade: set xpack.integration_assistant.enabled: false in Kibana’s configuration.
Severity: CVSSv3.1: 9.9 (Critical) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE ID: CVE-2025-25015
Updates:
2025-03-07: Added details about applicability.
2025-03-06: Corrected the CVE ID. Previous versions of this page incorrectly referenced CVE-2025-25012.

- Kibana 7.17.23/8.15.0 Security Updates (ESA-2024-32, ESA-2024-33) by ikakavas on January 23, 2025 at 5:52 am
Kibana allocation of resources without limits or throttling leads to crash (ESA-2024-33)
An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/metrics/snapshot. This can be carried out by users with read access to the Observability Metrics or Logs features in Kibana.
Affected Versions: Kibana versions up to 7.17.23 and 8.15.0
Solutions and Mitigations: The issue is resolved in versions 7.17.23 and 8.15.0
Severity: CVSSv3.1: 6.5 (Medium) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2024-52972

Kibana allocation of resources without limits or throttling leads to crash (ESA-2024-32)
An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted payload to a number of inputs in the Kibana UI. This can be carried out by users with read access to any feature in Kibana.
Affected Versions: Kibana versions up to 7.17.23 and 8.15.0
Solutions and Mitigations: The issue is resolved in versions 7.17.23 and 8.15.0
Severity: CVSSv3.1: 6.5 (Medium) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2024-43708

- Fleet Server 8.15.0 Security Update (ESA-2024-31) by ikakavas on January 22, 2025 at 3:09 pm
Fleet Server sensitive information exposure via logs (ESA-2024-31)
An issue was identified in Fleet Server where Fleet policies that could contain sensitive information were logged on INFO and ERROR log levels. The nature of the sensitive information largely depends on the integrations enabled.
Affected Versions: Fleet Server versions from 8.13.0 up to 8.15.0
Solutions and Mitigations: Users should upgrade to version 8.15.0
Severity: CVSSv3.1: 9.0 (Critical) – CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE ID: CVE-2024-52975

- Kibana 8.15.0 Security Update (ESA-2024-29, ESA-2024-30) by ikakavas on January 22, 2025 at 3:04 pm
Kibana server-side request forgery (ESA-2024-29)
A server-side request forgery vulnerability was identified in Kibana where the /api/fleet/health_check API could be used to send requests to internal endpoints. Due to the nature of the underlying request, only endpoints available over https that return JSON could be accessed. This can be carried out by users with read access to Fleet.
Affected Versions: Kibana versions from 8.7.0 up to 8.15.0
Solutions and Mitigations: The issue is resolved in version 8.15.0
Severity: CVSSv3.1: 4.3 (Medium) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVE ID: CVE-2024-43710

Kibana exposure of sensitive information to an unauthorized actor (ESA-2024-30)
An issue was identified in Kibana where a user without access to Fleet can view Elastic Agent policies that could contain sensitive information. The nature of the sensitive information depends on the integrations enabled for the Elastic Agent and their respective versions.
Affected Versions: Kibana versions from 8.0.0 up to 8.15.0
Solutions and Mitigations: Users should upgrade to version 8.15.0
Severity: CVSSv3.1: 7.7 (High) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CVE ID: CVE-2024-43707

- Kibana 7.17.23 and 8.14.2 Security Update (ESA-2024-26) by ismisepaul on January 21, 2025 at 10:50 am
Kibana allocation of resources without limits or throttling leads to crash (ESA-2024-26)
An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/log_entries/summary. This can be carried out by users with read access to the Observability-Logs feature in Kibana.
Affected Versions: Kibana up to 7.17.23 and up to 8.14.2
Solutions and Mitigations: The issue is resolved in versions 7.17.23 and 8.14.2.
Severity: CVSSv3.1: 6.5 (Medium) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2024-52973

- Elasticsearch 7.17.21 and 8.13.3 Security Update (ESA-2024-25) by ismisepaul on January 21, 2025 at 10:49 am
Elasticsearch allocation of resources without limits or throttling leads to crash (ESA-2024-25)
An allocation of resources without limits or throttling in Elasticsearch can lead to an OutOfMemoryError exception resulting in a crash via a specially crafted query using an SQL function.
Affected Versions: Versions up to 7.17.21 and versions up to 8.13.3
Solutions and Mitigations: The issue is resolved in versions 7.17.21 and 8.13.3.
Severity: CVSSv3.1: 6.5 (Medium) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2024-43709

- Elastic Defend 8.13.3 Security Update (ESA-2024-24) by ismisepaul on January 21, 2025 at 10:48 am
Elastic Defend Improper Handling of Alternate Encoding Leads to Crash (ESA-2024-24)
Improper handling of alternate encoding occurs when Elastic Defend on Windows systems attempts to scan a file or process encoded as a multibyte character. This leads to an uncaught exception causing Elastic Defend to crash, which in turn will prevent it from quarantining the file and/or killing the process.
Affected Versions: Versions up to 8.13.3
Solutions and Mitigations: The issue is resolved in version 8.13.3.
Severity: CVSSv3.1: 5.5 (Medium) – CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CVE ID: CVE-2024-37284

- Elasticsearch 8.16.2 / 8.17.0 Security Update by rodrigo_silva on December 17, 2024 at 8:29 pm
Elasticsearch Incorrect Authorization (ESA-2024-46)
An issue was discovered where improper authorization controls affected certain queries that could allow a malicious actor to circumvent Document Level Security in Elasticsearch and get access to documents that their roles would normally not allow. This issue only affects users that are making use of Document Level Security features in Elasticsearch. The issue was discovered and responsibly disclosed to Elastic. Elastic has no indication that this issue is widely known or exploited.
Affected Versions: Elasticsearch 8.16.0 and 8.16.1.
Solutions and Mitigations: The issue is resolved in versions 8.16.2 and 8.17.0
Severity: CVSSv4.0: 6 (Medium) – CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVE ID: CVE-2024-12539

- Kibana 8.15.1 Security Update (ESA-2024-27, ESA-2024-28) by ismisepaul on September 5, 2024 at 7:19 pm
Kibana arbitrary code execution via YAML deserialization in Amazon Bedrock Connector (ESA-2024-27)
A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. This issue only affects users that use Elastic Security’s built-in AI tools and have configured an Amazon Bedrock connector.
Affected Versions: Kibana version 8.15.0.
Solutions and Mitigations: Users should upgrade to version 8.15.1 or higher.
For Users that Cannot Upgrade: Customers who cannot upgrade to 8.15.1 and must stay on 8.15.0 can disable the integration assistant by setting xpack.integration_assistant.enabled: false in their kibana.yml configuration file.
Severity: CVSSv3.1: 9.9 (Critical) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE ID: CVE-2024-37288

Kibana arbitrary code execution via YAML deserialization (ESA-2024-28)
A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. A successful attack requires a malicious user to have a combination of both specific Elasticsearch indices privileges and Kibana privileges assigned to them.
The following Elasticsearch indices permissions are required:
- write privilege on the system indices .kibana_ingest*
- the allow_restricted_indices flag is set to true
Any of the following Kibana privileges are additionally required:
- under Fleet the All privilege is granted
- under Integration the Read or All privilege is granted
- access to the fleet-setup privilege is gained through the Fleet Server’s service account token
Affected Versions: Kibana versions 8.10.0 to 8.15.0.
Solutions and Mitigations: Users should upgrade to version 8.15.1 or higher.
Severity: CVSSv3.1: 9.1 (Critical) – CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE ID: CVE-2024-37285

- APM Server 8.14.0 Security Update (ESA-2024-09) by ismisepaul on August 15, 2024 at 9:54 am
APM Server – Uncontrolled Resource Consumption through HTTP/2 endpoints – CVE-2023-45288 (ESA-2024-09)
On April 4, 2024, the Go Project announced CVE-2023-45288, which can lead to CPU exhaustion as an attacker can cause an HTTP/2 endpoint to read arbitrary amounts of header data. In an on-prem deployment APM Server has been found vulnerable if exposed directly to HTTP traffic. This vulnerability cannot be exploited on Elastic Cloud because the service is behind the Elastic Cloud proxy.
Affected Versions:
- APM Server versions up to, but not including, 8.14.0
- APM Server versions up to, but not including, 7.17.21
Solutions and Mitigations: Users should upgrade to version 8.14.0
Severity: CVSSv3.1: 5.3 (Medium) – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE ID: CVE-2023-45288

- Elastic Agent 8.15.0 Security Update (ESA-2024-23) by ismisepaul on August 8, 2024 at 11:33 pm
Elastic Agent Insertion of Sensitive Information into Log File (ESA-2024-23)
An issue was discovered whereby Elastic Agent will leak secrets from the agent policy elastic-agent.yml only when the log level is configured to debug. By default the log level is set to info, where no leak occurs.
Affected Versions: Elastic Agent >= 8.6.0 and < 8.15.0
Solutions and Mitigations: The issue is resolved in version 8.15.0.
Elastic Cloud: The following mitigations have been performed by Elastic: An investigation has revealed that no Elastic Cloud customers are affected. As a preventative measure we have deployed an ingest processor to redact the component field before it is logged in our monitoring environment.
Self-Managed: Users who are running Elastic Agent >= 8.6.0 and < 8.15.0 should upgrade to Elastic Agent 8.15.0. Users should review the logging level applied to their Elastic Agents to determine if they might be affected. If it has been determined that the logging level has been set to debug, then the affected logs should be reviewed for any potential sensitive data by filtering for log.level: debug AND components: * within Elasticsearch, and if deemed necessary, follow-up actions should include:
- Purging sensitive data from logs
- Rotating any potentially exposed credentials
For Users that Cannot Upgrade: Users running Elastic Agent >= 8.6.0 and < 8.15.0 should avoid setting the logging level to debug. If the logging level for Elastic Agent >= 8.6.0 and < 8.15.0 has been set to debug, users should follow the guidance under “Self-Managed” above. Additionally, users can create an ingest processor to redact the component field before it’s logged to the monitoring environment. Example below:

    {
      "description": "Ingest processor for esa-2024-23",
      "processors": [
        {
          "remove": {
            "if": "ctx.log?.level == 'debug'",
            "field": "components"
          }
        }
      ]
    }

Severity: CVSSv4.0: 6.5 (Medium) – CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
CVE ID: CVE-2024-37283

- Kibana 8.14.2 / 7.17.23 Security Update (ESA-2024-22) by rodrigo_silva on August 5, 2024 at 10:23 pm
Kibana arbitrary code execution via prototype pollution (ESA-2024-22)
A flaw allowing arbitrary code execution was discovered in Kibana. An attacker with access to ML and Alerting connector features, as well as write access to internal ML indices, can trigger a prototype pollution vulnerability, ultimately leading to arbitrary code execution.
This issue affects self-managed Kibana installations on host Operating Systems.
This issue affects self-managed Kibana instances running the Kibana Docker image, but the RCE is limited within the container. Further exploitation such as container escape is prevented by seccomp-bpf.
This issue affects Kibana instances running on Elastic Cloud, but the RCE is limited within the Kibana Docker container. Further exploitation such as container escape is prevented by seccomp-bpf and AppArmor profiles.
This issue affects Kibana instances running on Elastic Cloud Enterprise (ECE), but the code execution is limited within the Kibana Docker container. Further exploitation such as container escape is prevented by seccomp-bpf and AppArmor profiles.
This issue affects Kibana instances running on Elastic Cloud on Kubernetes (ECK), but the code execution is limited within the Kibana Docker container. Further exploitation such as container escape can be prevented by seccomp-bpf when configured and supported (Kubernetes v1.19 and later).
Affected Versions: Kibana 8.x versions prior to 8.14.2 and Kibana 7.x versions from 7.7.0 prior to 7.17.23
Affected Configurations: This exploit requires a threat actor to have all of the following privileges: write access to the .ml-anomalies* hidden indices, read access to the Machine Learning feature, and read access to the Actions & Connectors feature. Write access to the .ml-anomalies* hidden indices isn’t provided by default, is not recommended, nor is it explicitly or implicitly required for any user functionality.
Solutions and Mitigations: Users should upgrade to version 8.14.2 and 7.17.23.
For Users that cannot upgrade: If an upgrade is not possible, we advise customers to first ensure Elasticsearch and Kibana user privileges are properly secured. Further mitigations can be applied by disabling Connector Actions and Machine Learning capabilities if this functionality is not required. Details are as follows:
1. Securing Elasticsearch user privileges
Customers are advised to ensure that users have not been granted Elasticsearch index privileges to write ML result indices (.ml-anomalies*). Ensure this has not been explicitly granted:

    GET _security/role

Check role definitions for customer-created roles. Ensure index privileges have not been granted to .ml-anomalies* (or an equivalent matching wildcard) for any customer role that would allow writing data (all, write, create_doc, create, index, etc).
Note: Users with superuser privileges have full index privileges. Ensure superuser access is controlled.
2. Securing Kibana user privileges
Kibana user privileges can be further secured to limit access to ML and connector action capabilities. Users that do not require access to ML or manage Kibana Alerting Rules must have either of the following Kibana privileges set to “None”:
- Machine Learning: None
- Management / Actions and Connectors: None
Note: Users with superuser privileges will still be able to access machine learning capabilities in Kibana. In 7.x, users with manage_ml or monitor_ml Elasticsearch cluster privileges or machine_learning_admin or machine_learning_user built-in roles are able to access machine learning capabilities in Kibana.
Further mitigations can be applied via:
3. Disabling Connector Actions
All email connector actions can be disabled. This will prevent emails from being sent for alerting rule notifications, and an alternate notification action would be required. This must be set on all Kibana nodes and applied after a node restart. In 7.7+ and 8.x, Connector actions can be disabled in kibana.yml. This must be applied to all Kibana nodes.
Note: Do not apply this yml setting to clusters of version 7.6 and below – this will prevent Kibana from starting.
A full list of action types is available in the documentation:
https://www.elastic.co/guide/en/kibana/7.17/alert-action-settings-kb.html
https://www.elastic.co/guide/en/kibana/8.15/alert-action-settings-kb.html

    # kibana.yml
    # To only allow specific named connector actions, supply a named list and exclude email
    # Also delete any pre-configured email connectors, if specified
    xpack.actions.enabledActionTypes: [ ".server-log", ".index", ".other-tbc" ]

Any existing Alerting Rule that used an email action for its notifications would continue running but would not be able to send email notifications. Errors would be logged due to the disabled email connector. An alternate connector action would be required for notifications.
4. Disabling ML
Machine learning capabilities can be disabled. This will prevent machine learning jobs from running. In 6.x, 7.x and 8.x, machine learning functionality can be disabled entirely by setting the following in elasticsearch.yml. This must be applied to all Elasticsearch nodes and is applied upon a node restart.
https://www.elastic.co/guide/en/elasticsearch/reference/8.14/ml-settings.html
https://www.elastic.co/guide/en/elasticsearch/reference/7.17/ml-settings.html
https://www.elastic.co/guide/en/elasticsearch/reference/6.8/ml-settings.html

    # elasticsearch.yml
    xpack.ml.enabled: false

In 6.x and 7.x, machine learning functionality can be disabled in Kibana only, by setting the following in kibana.yml. Machine learning functionality will continue to be available in Elasticsearch and accessible via Elasticsearch APIs, and all Kibana ML functionality will be disabled. Choose this option if you want to continue accessing ML functionality via Elasticsearch APIs only. This must be set on all Kibana nodes and is applied upon a node restart.
https://www.elastic.co/guide/en/kibana/7.17/ml-settings-kb.html
https://www.elastic.co/guide/en/kibana/6.8/ml-settings-kb.html

    # kibana.yml
    xpack.ml.enabled: false

Severity: CVSSv3.1: 9.1 (Critical) – CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Updated Aug 13, 2024 11:45:01 UTC: CVSS Severity Rating has been updated after re-analysis of the issue. Privileges Required was revised to High from the initial assessment Privileges Required Low.
CVE ID: CVE-2024-37287

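An offline audit for mitigation steps 1 and 2 above, added here as an example (not Elastic's own tooling): it assumes role documents shaped like the GET _security/role response and the standard kibana-.kibana application privilege names (feature_ml.*, feature_actions.*, all/read), and runs over constructed sample roles.

```python
"""Offline audit for ESA-2024-22 mitigation steps 1 and 2 (example, not Elastic tooling).

Input: a dict shaped like the GET _security/role response. Output: roles that can
write to .ml-anomalies* and/or reach Machine Learning and Actions & Connectors in Kibana.
"""
import json
from functools import lru_cache

ML_RESULT_PATTERN = ".ml-anomalies*"
# Index privileges that allow writing documents (the advisory's list, plus delete).
WRITE_PRIVILEGES = {"all", "write", "create_doc", "create", "index", "delete"}
# Kibana base privileges that grant (at least read) access to every feature.
# Assumption: standard kibana-.kibana application privilege names.
BASE_PRIVILEGES = {"all", "space_all", "read", "space_read"}


def patterns_overlap(p: str, q: str) -> bool:
    """True if at least one index name is matched by both wildcard patterns ('*' only)."""
    @lru_cache(maxsize=None)
    def go(i: int, j: int) -> bool:
        if i == len(p) and j == len(q):
            return True
        if i < len(p) and p[i] == "*":          # p's star matches empty, or eats q[j]
            return go(i + 1, j) or (j < len(q) and go(i, j + 1))
        if j < len(q) and q[j] == "*":          # q's star matches empty, or eats p[i]
            return go(i, j + 1) or (i < len(p) and go(i + 1, j))
        if i < len(p) and j < len(q) and p[i] == q[j]:
            return go(i + 1, j + 1)
        return False
    return go(0, 0)


def writable_ml_patterns(role: dict) -> list:
    """Step 1: index patterns in the role that grant write access overlapping .ml-anomalies*."""
    hits = []
    for entry in role.get("indices", []):
        if not set(entry.get("privileges", [])) & WRITE_PRIVILEGES:
            continue
        hits.extend(n for n in entry.get("names", []) if patterns_overlap(n, ML_RESULT_PATTERN))
    return hits


def kibana_access(role: dict) -> dict:
    """Step 2: whether the role reaches the ML and the Actions & Connectors features in Kibana."""
    ml = actions = False
    for app in role.get("applications", []):
        if not app.get("application", "").startswith("kibana-"):
            continue
        for priv in app.get("privileges", []):
            if priv in BASE_PRIVILEGES:
                ml = actions = True
            ml = ml or priv.startswith("feature_ml.")
            actions = actions or priv.startswith("feature_actions.")
    return {"ml": ml, "actions": actions}


def audit_roles(roles: dict) -> dict:
    """Findings per role; meets_all_preconditions mirrors the advisory's three requirements.
    Built-in superuser access is not modelled here and must be reviewed separately."""
    findings = {}
    for name, role in roles.items():
        ml_write = writable_ml_patterns(role)
        kib = kibana_access(role)
        if ml_write or (kib["ml"] and kib["actions"]):
            findings[name] = {
                "ml_write_patterns": ml_write,
                "kibana_ml": kib["ml"],
                "kibana_actions": kib["actions"],
                "meets_all_preconditions": bool(ml_write) and kib["ml"] and kib["actions"],
            }
    return findings


# Constructed sample roles in the shape of a GET _security/role response.
SAMPLE_ROLES = {
    "ml_pipeline_writer": {
        "cluster": ["monitor"],
        "indices": [{"names": [".ml-*", "logs-*"], "privileges": ["read", "write"]}],
        "applications": [{"application": "kibana-.kibana",
                          "privileges": ["feature_ml.read", "feature_actions.read"],
                          "resources": ["*"]}],
    },
    "dashboards_only": {
        "indices": [{"names": ["logs-*"], "privileges": ["read"]}],
        "applications": [{"application": "kibana-.kibana",
                          "privileges": ["feature_dashboard.read"], "resources": ["*"]}],
    },
    "alerting_admin": {
        "indices": [{"names": [".ml-anomalies-shared"], "privileges": ["read"]}],
        "applications": [{"application": "kibana-.kibana",
                          "privileges": ["feature_actions.all", "feature_ml.read"],
                          "resources": ["*"]}],
    },
}

if __name__ == "__main__":
    print(json.dumps(audit_roles(SAMPLE_ROLES), indent=2))
```

Feed it the saved output of GET _security/role instead of SAMPLE_ROLES to audit a real cluster; a wildcard such as `*` or `.ml-*` is flagged because it matches the hidden result indices too.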
- APM Server 8.14.0 Security Update (ESA-2024-19) by rodrigo_silva on August 2, 2024 at 8:20 pm
APM Server Insertion of Sensitive Information into Log File (ESA-2024-19)
APM Server logs contain the document body from a partially failed bulk index request. For example, in case of unavailable_shards_exception for a specific document, since the ES response line contains the document body, and APM Server logs the ES response line on error, the document is effectively logged.
Affected Versions: APM Server versions before 8.14.0
Solutions and Mitigations: The issue is resolved in version 8.14.0.
Reviewing Logs for Sensitive Information: Users can search for instances of these documents and determine whether any sensitive information has been leaked in APM Server logs by searching for the following string:

    message: "unavailable_shards_exception" and message: "source"

Severity: CVSSv3: 5.7 (Medium) – AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE ID: CVE-2024-37286

- Elasticsearch 8.13.0/7.17.23 Security Update (ESA-2024-12) by Bryan_Garcia on July 31, 2024 at 5:12 pm
Elasticsearch elasticsearch-certutil csr fails to encrypt private key (ESA-2024-12)
It was discovered by Elastic engineering that when the elasticsearch-certutil CLI tool is used with the csr option in order to create a new Certificate Signing Request, the associated private key that is generated is stored on disk unencrypted even if the --pass parameter is passed in the command invocation.
Affected Versions: Elasticsearch versions before 7.17.23 and before 8.13.0
Solutions and Mitigations: The issue is resolved in versions 7.17.23 and 8.13.0
Severity: CVSSv3: 4.9 (Medium) – CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CVE ID: CVE-2024-23444

- Kibana 7.17.23/8.14.0 Security Update (ESA-2024-16) by Bryan_Garcia on July 30, 2024 at 9:22 pm
Kibana Denial of Service issue (ESA-2024-16)
An issue was discovered in Kibana where a user with the Viewer role could cause a Kibana instance to crash by sending a large number of maliciously crafted requests to a specific endpoint.
Affected Versions: Kibana 8.x versions prior to 8.14.0 and Kibana 7.x versions prior to 7.17.23
Solutions and Mitigations: The issue is resolved in versions 8.14.0 and 7.17.23.
Severity: CVSSv3: 6.5 (Medium) – AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/CR:M/IR:M/AR:M
CVE ID: CVE-2024-37281

- Elastic Cloud Enterprise 3.7.2 Security Update (ESA-2024-18) by ikakavas on June 28, 2024 at 4:54 am
ECE Improper Authorization (ESA-2024-18)
It was identified that under certain specific preconditions, an API key that was originally created with specific privileges could be subsequently used to create new API keys that have elevated privileges.
Affected Versions: ECE versions after 3.0.0 and before 3.7.2
Solutions and Mitigations: Users should upgrade to version 3.7.2.
Severity: CVSSv3: 8.1 (High) – CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID: CVE-2024-37282

- Kibana 7.17.22 / 8.14.0 Security Update (ESA-2024-17) by Bryan_Garcia on June 14, 2024 at 3:27 pm
Kibana RCE due to Chromium type confusion (ESA-2024-17)
On March 26, 2024, a type confusion vulnerability was found in WebAssembly in Google Chrome versions prior to 123.0.6312.86 which allows a remote attacker to execute arbitrary code via a crafted HTML page. Kibana includes a bundled version of headless Chromium that is only used for Kibana’s reporting capabilities and which is affected by this vulnerability. An exploit for Kibana has not been identified; however, as a resolution, the bundled version of Chromium is updated in this release.
This issue affects on-premises Kibana installations on host Operating Systems where the Chromium sandbox is disabled (only CentOS, Debian, RHEL).
This issue affects Kibana instances running the Kibana Docker image when the Chromium sandbox is explicitly disabled as suggested by the documentation. Further exploitation such as container escape is prevented by seccomp-bpf.
This issue affects Kibana instances running on Elastic Cloud, but the RCE is limited within the Kibana Docker container. Further exploitation such as container escape is prevented by seccomp-bpf and AppArmor profiles.
This issue affects Kibana instances running on Elastic Cloud Enterprise (ECE), but the RCE is limited within the Kibana Docker container. Further exploitation such as container escape is prevented by seccomp-bpf and AppArmor profiles.
This issue affects Kibana instances running on Elastic Cloud on Kubernetes (ECK), but the RCE is limited within the Kibana Docker container. Further exploitation such as container escape can be prevented by seccomp-bpf when configured and supported (Kubernetes v1.19 and later).
Affected Versions: Kibana version 7.17.21 and Kibana 8.13.x versions prior to 8.14.0.
Solutions and Mitigations: Users should upgrade to versions 7.17.22 and 8.14.0. For users that cannot upgrade, Kibana reporting functionality can be disabled completely in the kibana.yml file with the following setting:

    xpack.reporting.enabled: false

Users that rely on CSV reports may want an option to only disable the screenshot-based reports. The settings for that are:

    xpack.reporting.pdf.enabled: false
    xpack.reporting.png.enabled: false

Severity: CVSSv3: 9.9 (Critical) – AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/CR:M/IR:M/AR:M
CVE ID: CVE-2024-2887

- Kibana 8.14.0/7.17.22 Security Update (ESA-2024-10) by rodrigo_silva on June 14, 2024 at 2:09 pm
Kibana open redirect issue (ESA-2024-10)
An open redirect issue was discovered in Kibana that could lead to a user being redirected to an arbitrary website if they use a maliciously crafted Kibana URL.
Affected Versions: Kibana versions before 7.17.22 and before 8.14.0.
Solutions and Mitigations: The issue is resolved in versions 7.17.22 and 8.14.0.
Severity: CVSSv3: 6.1 (Medium) – AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE ID: CVE-2024-23442

- Kibana 8.14.0/7.17.22 Security Update (ESA-2024-11) by ikakavas on June 14, 2024 at 4:47 am
Kibana uncontrolled resource consumption (ESA-2024-11)
A high-privileged user, allowed to create custom osquery packs, could affect the availability of Kibana by uploading a maliciously crafted osquery pack.
Affected Versions: Kibana versions before 7.17.22 and before 8.14.0
Solutions and Mitigations: The issue is resolved in versions 7.17.22 and 8.14.0
Severity: CVSSv3.1: 4.9 (Medium) – CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2024-23443

- Elasticsearch 8.14.0 Security Update (ESA-2024-14) by rodrigo_silva on June 7, 2024 at 4:06 am
Elasticsearch StackOverflow vulnerability (ESA-2024-14)
A flaw was discovered in Elasticsearch, affecting document ingestion when an index template contains a dynamic field mapping of “passthrough” type. Under certain circumstances, ingesting documents in this index would cause a StackOverflow exception to be thrown and ultimately lead to a Denial of Service. Note that passthrough fields are an experimental feature.
Affected Versions: Elasticsearch versions 8.13.1 through 8.13.4.
Solutions and Mitigations: The issue is resolved in Elasticsearch 8.14.0.
Severity: CVSSv3: 4.9 (Medium) – AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2024-37280

- Elasticsearch 8.14.0 Security Update (ESA-2024-13) by ikakavas on June 6, 2024 at 3:32 am
Elasticsearch Remote Cluster Search Cross Cluster API Key insufficient restrictions (ESA-2024-13)
It was identified that if a cross-cluster API key restricts search for a given index using the query or the field_security parameter, and the same cross-cluster API key also grants replication for the same index, the search restrictions are not enforced during cross cluster search operations and search results may include documents and terms that should not be returned. This issue only affects the API key based security model for remote clusters that was previously a beta feature and is released as GA with 8.14.0. We would like to thank René Kalff for bringing this issue to our attention.
Affected Versions: Elasticsearch versions on or after 8.10.0 and before 8.14.0
Solutions and Mitigations: The issue is resolved in version 8.14.0.
Severity: CVSSv3: 6.5 (Medium) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE ID: CVE-2024-23445

- Elastic Cloud Enterprise 3.7.1 Security Update (ESA-2024-08) by rodrigo_silva on June 5, 2024 at 8:57 pm
Elastic Cloud Enterprise – Uncontrolled Resource Consumption through HTTP/2 endpoints – CVE-2023-45288 (ESA-2024-08)
On April 4, 2024, the Go Project announced CVE-2023-45288, which can lead to CPU exhaustion as an attacker can cause an HTTP/2 endpoint to read arbitrary amounts of header data. In the case of Elastic Cloud Enterprise (ECE) it enables attackers to significantly increase the CPU usage of the proxy component within Elastic Cloud Enterprise. This heightened CPU usage can lead to a noticeable slowdown in the system’s ability to respond to requests for provisioned deployments, and in severe cases, it may prevent the proxy from responding to such requests entirely.
Affected Versions: Elastic Cloud Enterprise versions up to, but not including, 3.7.1
Solutions and Mitigations: Users should upgrade to version 3.7.1
Severity: 5.3 (Medium) – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE ID: CVE-2023-45288

- Kibana 8.14.0 Security Update (ESA-2024-15) by rodrigo_silva on June 5, 2024 at 8:45 pm
Kibana Broken Access Control issue (ESA-2024-15)
A flaw was discovered in Kibana, allowing view-only users of alerting to use the run_soon API, making the alerting rule run continuously and potentially affecting system availability if the alerting rule is running complex queries.
Affected Versions: Kibana versions 8.6.3 through 8.13.4.
Solutions and Mitigations: The issue is resolved in version 8.14.0.
Severity: CVSSv3: 4.3 (Medium) – AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CVE ID: CVE-2024-37279

- Elastic Security Statement for CVE-2024-3094, xz versions 5.6.0 and 5.6.1 by ismisepaul on April 22, 2024 at 9:19 am
Elastic Products are not affected by this issue.
On March 29th, 2024, Elastic became aware of the malicious code planted in the xz package. Elastic has performed an investigation to identify any Elastic Products which may be impacted by this issue and we have concluded that no Elastic products use the versions of xz affected by this vulnerability. Therefore, Elastic Products are not affected by this issue.
Reference Links:
- oss-security – backdoor in upstream xz/liblzma leading to ssh server compromise
- 500ms to midnight: XZ / liblzma backdoor — Elastic Security Labs
- Urgent security alert for Fedora 41 and Fedora Rawhide users
- [SECURITY] [DSA 5649-1] xz-utils security update
- NVD – CVE-2024-3094

- Elasticsearch 8.11.1 Security Update (ESA-2024-05) by ismisepaul on March 29, 2024 at 11:12 am
Elasticsearch Uncaught Exception (ESA-2024-05)
An uncaught exception in Elasticsearch >= 8.4.0 and < 8.11.1 occurs when an encrypted PDF is passed to an attachment processor through the REST API. The Elasticsearch ingest node that attempts to parse the PDF file will crash. This does not happen with password-protected PDF files or with unencrypted PDF files.
Affected Versions: Affects versions >= 8.4.0 and < 8.11.1
Solutions and Mitigations: The issue is resolved in version 8.11.1. This requires the attachment processor to be enabled. Users unable to upgrade can ensure that the attachment processor is disabled.
Severity: CVSSv3: 4.3 (Medium) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CVE ID: CVE-2024-23449