Elastic Stack Security Announcements

Security Announcements – Discuss the Elastic Stack. Topics in the ‘Security Announcements’ category: security announcements for the Elastic stack.

  • Elasticsearch 7.17.24 and 8.15.1 Security Update (ESA-2024-37)
    by Bryan_Garcia on April 8, 2025 at 4:00 pm

    Elasticsearch Uncontrolled Resource Consumption vulnerability (ESA-2024-37)
    An issue was discovered in Elasticsearch, where a large recursion using the Well-Known Text formatted string with nested GeometryCollection objects could cause a stack overflow.
    Affected Versions: Elasticsearch versions 7.17.0 to 7.17.23 and 8.0 to 8.15.0.
    Solutions and Mitigations: Users should upgrade to version 8.15.1 or higher.
    Severity: CVSS v3.1: 4.9 (Medium) – CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H/CR:M/IR:M/AR:M
    CVE ID: CVE-2024-52981
    1 post – 1 participant

  • Kibana 7.17.23 and 8.15.1 Security Update (ESA-2024-36)
    by Bryan_Garcia on April 8, 2025 at 3:59 pm

    Kibana Uncontrolled Resource Consumption vulnerability (ESA-2024-36)
    An issue has been identified where a specially crafted request sent to an Observability API could cause the Kibana server to crash. A successful attack requires a malicious user to have read permissions for Observability assigned to them.
    Affected Versions: Kibana versions 7.17.0 to 7.17.22 and versions 8.0.0 to 8.15.0.
    Solutions and Mitigations: Users should upgrade to version 8.15.1 or higher.
    Severity: CVSS v3.1: 6.5 (Medium) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    CVE ID: CVE-2024-52974
    1 post – 1 participant

  • Logstash 8.15.3, 8.16.0 Security Update (ESA-2024-48)
    by ismisepaul on April 8, 2025 at 3:58 pm

    Logstash Inefficient Regular Expression Complexity (ESA-2024-48)
    On October 28th, 2024, Ruby announced CVE-2024-49761 in rexml, which can lead to ReDoS when parsing XML that has many digits between &# and x…; in a hex numeric character reference (&#x…;). The issue only affects users that use the Logstash XML filter plugin, which can parse untrusted XML data.
    Affected Versions: Logstash versions 7.0.0 <= 8.15.2
    Solutions and Mitigations: The issue is resolved in versions 8.15.3, 8.16.0 and higher.
    Severity: CVSSv3.1: 5.3 (Medium) – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
    CVE ID: CVE-2024-49761
    1 post – 1 participant

  • Elastic Defend 8.17.3 Security Update (ESA-2025-05)
    by ismisepaul on April 8, 2025 at 3:57 pm

    Elastic Defend Insertion of Sensitive Information into Log Files (ESA-2025-05)
    Improper restriction of environment variables in Elastic Defend can lead to exposure of sensitive information such as API keys and tokens via automatic transmission of unfiltered environment variables to the stack. This issue only affects users running Elastic Defend on the macOS platform.
    Affected Versions: Elastic Defend versions before 8.17.3
    Solutions and Mitigations: The issue is resolved in version 8.17.3 and higher.
    Severity: CVSSv3.1: 6.5 (Medium) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    CVE ID: CVE-2025-25013
    1 post – 1 participant

  • Logstash 8.15.1 Security Update (ESA-2024-35)
    by Bryan_Garcia on April 8, 2025 at 3:56 pm

    Logstash Uncontrolled Resource Consumption vulnerability (ESA-2024-35)
    On August 19, 2024, Floraison announced CVE-2024-43380, which affects the fugit “natural” parser. The parser turns natural language into a cron date and was found to accept any length of input, causing uncontrolled resource consumption when parsing very long strings.
    Affected Versions: Logstash versions 7.17.0 to 8.15.0.
    Solutions and Mitigations: Users should upgrade to version 8.15.1 or higher.
    Severity: CVSS v3.1: 5.3 (Medium) – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
    CVE ID: CVE-2024-43380
    1 post – 1 participant

  • Elasticsearch 8.15.1 Security Update (ESA-2024-34)
    by Bryan_Garcia on April 8, 2025 at 3:54 pm

    Elasticsearch Uncontrolled Resource Consumption vulnerability (ESA-2024-34)
    A flaw was discovered in Elasticsearch, where a large recursion using the innerForbidCircularReferences function of the PatternBank class could cause the Elasticsearch node to crash. A successful attack requires a malicious user to have the read_pipeline Elasticsearch cluster privilege assigned to them.
    Affected Versions: Elasticsearch versions 7.17.0 to 8.15.0.
    Solutions and Mitigations: Users should upgrade to version 8.15.1 or higher.
    For Users That Cannot Upgrade: Remove the Elasticsearch cluster privileges outlined above from users.
    Severity: CVSS v3.1: 6.5 (Medium) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    CVE ID: CVE-2024-52980
    1 post – 1 participant

  • Kibana 8.16.4 and 8.17.2 Security Update (ESA-2025-02)
    by ismisepaul on April 8, 2025 at 3:53 pm

    Kibana Prototype Pollution can lead to code injection (ESA-2025-02)
    Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal.
    Affected Versions: Kibana version 8.16.1 up to and including 8.17.1
    Solutions and Mitigations: Users should upgrade to version 8.16.4 and 8.17.2 or higher.
    For Users that cannot upgrade: Customers who cannot upgrade to 8.16.4 or 8.17.2 and must stay on 8.16.1 can disable the integration assistant by setting xpack.integration_assistant.enabled: false in their kibana.yml configuration file.
    Severity: 8.7 (High) – CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
    CVE ID: CVE-2024-12556
    1 post – 1 participant

  • Kibana 8.17.3 / 8.16.6 Security Update (ESA-2025-06)
    by ikakavas on March 5, 2025 at 9:41 am

    Kibana arbitrary code execution via prototype pollution (ESA-2025-06)
    Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2, this is only exploitable by users that have roles that contain all of the following privileges: fleet-all, integrations-all, actions:execute-advanced-connectors. This issue does not affect self-managed Kibana instances on Basic or Platinum licences. This issue affects Kibana instances running on Elastic Cloud, but the code execution is limited within the Kibana Docker container. Further exploitation such as container escape is prevented by seccomp-bpf and AppArmor profiles.
    Affected Versions: Kibana versions >= 8.15.0 and < 8.16.6; Kibana versions >= 8.17.0 and < 8.17.3
    Solutions and Mitigations: Users should upgrade to Kibana version 8.16.6 or Kibana version 8.17.3.
    For users that cannot upgrade: Set xpack.integration_assistant.enabled: false in Kibana’s configuration.
    Severity: CVSSv3.1: 9.9 (Critical) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    CVE ID: CVE-2025-25015
    Updates:
    2025-04-02: Added details about affected versions.
    2025-03-07: Added details about applicability.
    2025-03-06: Corrected the CVE ID. Previous versions of this page incorrectly referenced CVE-2025-25012.
    1 post – 1 participant

  • Kibana 7.17.23/8.15.0 Security Updates (ESA-2024-32, ESA-2024-33)
    by ikakavas on January 23, 2025 at 5:52 am

    Kibana allocation of resources without limits or throttling leads to crash (ESA-2024-33)
    An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/metrics/snapshot. This can be carried out by users with read access to the Observability Metrics or Logs features in Kibana.
    Affected Versions: Kibana versions up to 7.17.23 and 8.15.0
    Solutions and Mitigations: The issue is resolved in versions 7.17.23 and 8.15.0
    Severity: CVSSv3.1: 6.5 (Medium) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    CVE ID: CVE-2024-52972

    Kibana allocation of resources without limits or throttling leads to crash (ESA-2024-32)
    An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted payload to a number of inputs in the Kibana UI. This can be carried out by users with read access to any feature in Kibana.
    Affected Versions: Kibana versions up to 7.17.23 and 8.15.0
    Solutions and Mitigations: The issue is resolved in versions 7.17.23 and 8.15.0
    Severity: CVSSv3.1: 6.5 (Medium) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    CVE ID: CVE-2024-43708
    1 post – 1 participant

  • Fleet Server 8.15.0 Security Update (ESA-2024-31)
    by ikakavas on January 22, 2025 at 3:09 pm

    Fleet Server sensitive information exposure via logs (ESA-2024-31)
    An issue was identified in Fleet Server where Fleet policies that could contain sensitive information were logged at the INFO and ERROR log levels. The nature of the sensitive information largely depends on the integrations enabled.
    Affected Versions: Fleet Server versions from 8.13.0 up to 8.15.0
    Solutions and Mitigations: Users should upgrade to version 8.15.0
    Severity: CVSSv3.1: 9.0 (Critical) – CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    CVE ID: CVE-2024-52975
    1 post – 1 participant

  • Kibana 8.15.0 Security Update (ESA-2024-29, ESA-2024-30)
    by ikakavas on January 22, 2025 at 3:04 pm

    Kibana server-side request forgery (ESA-2024-29)
    A server-side request forgery vulnerability was identified in Kibana where the /api/fleet/health_check API could be used to send requests to internal endpoints. Due to the nature of the underlying request, only endpoints available over https that return JSON could be accessed. This can be carried out by users with read access to Fleet.
    Affected Versions: Kibana versions from 8.7.0 up to 8.15.0
    Solutions and Mitigations: The issue is resolved in version 8.15.0
    Severity: CVSSv3.1: 4.3 (Medium) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
    CVE ID: CVE-2024-43710

    Kibana exposure of sensitive information to an unauthorized actor (ESA-2024-30)
    An issue was identified in Kibana where a user without access to Fleet can view Elastic Agent policies that could contain sensitive information. The nature of the sensitive information depends on the integrations enabled for the Elastic Agent and their respective versions.
    Affected Versions: Kibana versions from 8.0.0 up to 8.15.0
    Solutions and Mitigations: Users should upgrade to version 8.15.0
    Severity: CVSSv3.1: 7.7 (High) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
    CVE ID: CVE-2024-43707
    1 post – 1 participant

  • Kibana 7.17.23 and 8.14.2 Security Update (ESA-2024-26)
    by ismisepaul on January 21, 2025 at 10:50 am

    Kibana allocation of resources without limits or throttling leads to crash (ESA-2024-26)
    An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/log_entries/summary. This can be carried out by users with read access to the Observability-Logs feature in Kibana.
    Affected Versions: Kibana up to 7.17.23 and up to 8.14.2
    Solutions and Mitigations: The issue is resolved in versions 7.17.23 and 8.14.2.
    Severity: CVSSv3.1: 6.5 (Medium) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    CVE ID: CVE-2024-52973
    1 post – 1 participant

  • Elasticsearch 7.17.21 and 8.13.3 Security Update (ESA-2024-25)
    by ismisepaul on January 21, 2025 at 10:49 am

    Elasticsearch allocation of resources without limits or throttling leads to crash (ESA-2024-25)
    An allocation of resources without limits or throttling in Elasticsearch can lead to an OutOfMemoryError exception resulting in a crash via a specially crafted query using an SQL function.
    Affected Versions: Versions up to 7.17.21 and versions up to 8.13.3
    Solutions and Mitigations: The issue is resolved in versions 7.17.21 and 8.13.3.
    Severity: CVSSv3.1: 6.5 (Medium) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    CVE ID: CVE-2024-43709
    1 post – 1 participant

  • Elastic Defend 8.13.3 Security Update (ESA-2024-24)
    by ismisepaul on January 21, 2025 at 10:48 am

    Elastic Defend Improper Handling of Alternate Encoding Leads to Crash (ESA-2024-24)
    Improper handling of alternate encoding occurs when Elastic Defend on Windows systems attempts to scan a file or process encoded as a multibyte character. This leads to an uncaught exception causing Elastic Defend to crash, which in turn will prevent it from quarantining the file and/or killing the process.
    Affected Versions: Versions up to 8.13.3
    Solutions and Mitigations: The issue is resolved in version 8.13.3.
    Severity: CVSSv3.1: 5.5 (Medium) – CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
    CVE ID: CVE-2024-37284
    1 post – 1 participant

  • Elasticsearch 8.16.2 / 8.17.0 Security Update
    by rodrigo_silva on December 17, 2024 at 8:29 pm

    Elasticsearch Incorrect Authorization (ESA-2024-46)
    An issue was discovered where improper authorization controls affected certain queries that could allow a malicious actor to circumvent Document Level Security in Elasticsearch and get access to documents that their roles would normally not allow. This issue only affects users that are making use of Document Level Security features in Elasticsearch. The issue was discovered and responsibly disclosed to Elastic. Elastic has no indication that this issue is widely known or exploited.
    Affected Versions: Elasticsearch 8.16.0 and 8.16.1.
    Solutions and Mitigations: The issue is resolved in versions 8.16.2 and 8.17.0
    Severity: CVSSv4.0: 6 (Medium) – CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
    CVE ID: CVE-2024-12539
    1 post – 1 participant

  • Kibana 8.15.1 Security Update (ESA-2024-27, ESA-2024-28)
    by ismisepaul on September 5, 2024 at 7:19 pm

    Kibana arbitrary code execution via YAML deserialization in Amazon Bedrock Connector (ESA-2024-27)
    A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. This issue only affects users that use Elastic Security’s built-in AI tools and have configured an Amazon Bedrock connector.
    Affected Versions: Kibana version 8.15.0.
    Solutions and Mitigations: Users should upgrade to version 8.15.1 or higher.
    For Users that Cannot Upgrade: Customers who cannot upgrade to 8.15.1 and must stay on 8.15.0 can disable the integration assistant by setting xpack.integration_assistant.enabled: false in their kibana.yml configuration file.
    Severity: CVSSv3.1: 9.9 (Critical) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    CVE ID: CVE-2024-37288

    Kibana arbitrary code execution via YAML deserialization (ESA-2024-28)
    A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. A successful attack requires a malicious user to have a combination of both specific Elasticsearch indices privileges and Kibana privileges assigned to them.
    The following Elasticsearch indices permissions are required:
      - write privilege on the system indices .kibana_ingest*
      - the allow_restricted_indices flag is set to true
    Any of the following Kibana privileges are additionally required:
      - Under Fleet, the All privilege is granted
      - Under Integration, the Read or All privilege is granted
      - Access to the fleet-setup privilege is gained through the Fleet Server’s service account token
    Affected Versions: Kibana versions 8.10.0 to 8.15.0.
    Solutions and Mitigations: Users should upgrade to version 8.15.1 or higher.
    CVSS v3.1: 9.1 (Critical) – CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
    CVE ID: CVE-2024-37285
    1 post – 1 participant

  • APM Server 8.14.0 Security Update (ESA-2024-09)
    by ismisepaul on August 15, 2024 at 9:54 am

    APM Server – Uncontrolled Resource Consumption through HTTP/2 endpoints – CVE-2023-45288 (ESA-2024-09)
    On April 4, 2024, the Go Project announced CVE-2023-45288, which can lead to CPU exhaustion as an attacker can cause an HTTP/2 endpoint to read arbitrary amounts of header data. In an on-prem deployment APM Server has been found vulnerable if exposed directly to HTTP traffic. This vulnerability cannot be exploited on Elastic Cloud because the service is behind the Elastic Cloud proxy.
    Affected Versions: APM Server versions up to, but not including, 8.14.0; APM Server versions up to, but not including, 7.17.21
    Solutions and Mitigations: Users should upgrade to version 8.14.0
    Severity: CVSSv3.1: 5.3 (Medium) – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
    CVE ID: CVE-2023-45288
    1 post – 1 participant

  • Elastic Agent 8.15.0 Security Update (ESA-2024-23)
    by ismisepaul on August 8, 2024 at 11:33 pm

    Elastic Agent Insertion of Sensitive Information into Log File (ESA-2024-23)
    An issue was discovered whereby Elastic Agent will leak secrets from the agent policy elastic-agent.yml only when the log level is configured to debug. By default the log level is set to info, where no leak occurs.
    Affected Versions: Elastic Agent >= 8.6.0 and < 8.15.0
    Solutions and Mitigations: The issue is resolved in version 8.15.0.
    Elastic Cloud: The following mitigations have been performed by Elastic: An investigation has revealed that no Elastic Cloud customers are affected. As a preventative measure we have deployed an ingest processor to redact the component field before it is logged in our monitoring environment.
    Self-Managed: Users who are running Elastic Agent >= 8.6.0 and < 8.15.0 should upgrade to Elastic Agent 8.15.0. Users should review the logging level applied to their Elastic Agents to determine if they might be affected. If it has been determined that the logging level has been set to debug, then the affected logs should be reviewed for any potential sensitive data by filtering for log.level: debug AND components: * within Elasticsearch, and if deemed necessary, follow-up actions should include:
      - Purging sensitive data from logs
      - Rotating any potentially exposed credentials
    For Users that Cannot Upgrade: Users running Elastic Agent >= 8.6.0 and < 8.15.0 should avoid setting the logging level to debug. If the logging level for Elastic Agent >= 8.6.0 and < 8.15.0 has been set to debug, users should follow the guidance under “Self-Managed” above. Additionally, users can create an ingest processor to redact the component field before it’s logged to the monitoring environment. Example below:

        {
          "description": "Ingest processor for esa-2024-23",
          "processors": [
            {
              "remove": {
                "if": "ctx.log?.level == 'debug'",
                "field": "components"
              }
            }
          ]
        }

    Severity: CVSSv4.0: 6.5 (Medium) – CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
    CVE ID: CVE-2024-37283
    1 post – 1 participant
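    The log review and redaction described in this advisory, as an added example written for this page (not Elastic's tooling and not part of the advisory): it scans monitoring log entries for the advisory's condition (log.level: debug together with a components field) and applies the same removal as the ingest processor above, including the null-safe behaviour of ctx.log?.level for entries that carry no log.level at all. The NDJSON sample lines, their field layout and the api_key value are constructed for the example.

```python
"""Review Elastic Agent monitoring log entries for the ESA-2024-23 exposure
and apply the advisory's redaction. Added example; constructed sample data."""
import json

# Constructed NDJSON lines in the shape of Elastic Agent monitoring documents.
# The api_key value is a placeholder, not a real credential.
SAMPLE_LOG_LINES = [
    '{"@timestamp":"2024-08-01T10:00:00Z","log":{"level":"info"},'
    '"message":"Agent started"}',
    '{"@timestamp":"2024-08-01T10:00:01Z","log":{"level":"debug"},'
    '"message":"Loaded policy","components":[{"id":"filestream-default",'
    '"config":{"api_key":"PLACEHOLDER-NOT-A-REAL-KEY"}}]}',
    '{"@timestamp":"2024-08-01T10:00:02Z","log":{"level":"debug"},'
    '"message":"Heartbeat"}',
    # No log.level field at all: the processor's ctx.log?.level == 'debug'
    # condition is false here, so components must be left in place.
    '{"@timestamp":"2024-08-01T10:00:03Z","message":"No level field",'
    '"components":[{"id":"x"}]}',
]


def is_exposed(entry: dict) -> bool:
    """The advisory's search, log.level: debug AND components: *.

    (entry.get("log") or {}) mirrors the null-safe ctx.log?.level lookup
    used by the ingest processor's `if` condition."""
    level = (entry.get("log") or {}).get("level")
    return level == "debug" and "components" in entry


def redact(entry: dict) -> dict:
    """Mirror the remove processor: drop `components` only when log.level is debug."""
    if is_exposed(entry):
        entry = dict(entry)  # do not mutate the caller's object
        del entry["components"]
    return entry


def review(lines) -> dict:
    """Parse NDJSON lines; return the entries that need review and the
    redacted copies that the ingest processor would have produced."""
    exposed, redacted = [], []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        if is_exposed(entry):
            exposed.append(entry)
        redacted.append(redact(entry))
    return {"exposed": exposed, "redacted": redacted}


if __name__ == "__main__":
    result = review(SAMPLE_LOG_LINES)
    print(f"{len(result['exposed'])} entries logged components at debug level:")
    for e in result["exposed"]:
        print(" ", e["@timestamp"], e["message"])
```

    Feed the script real lines from your exported monitoring logs in place of SAMPLE_LOG_LINES; anything it lists under "exposed" is where the advisory's purge-and-rotate follow-up applies.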

  • Kibana 8.14.2 / 7.17.23 Security Update (ESA-2024-22)
    by rodrigo_silva on August 5, 2024 at 10:23 pm

    Kibana arbitrary code execution via prototype pollution (ESA-2024-22)
    A flaw allowing arbitrary code execution was discovered in Kibana. An attacker with access to ML and Alerting connector features, as well as write access to internal ML indices, can trigger a prototype pollution vulnerability, ultimately leading to arbitrary code execution.
    This issue affects self-managed Kibana installations on host Operating Systems.
    This issue affects self-managed Kibana instances running the Kibana Docker image, but the RCE is limited within the container. Further exploitation such as container escape is prevented by seccomp-bpf.
    This issue affects Kibana instances running on Elastic Cloud, but the RCE is limited within the Kibana Docker container. Further exploitation such as container escape is prevented by seccomp-bpf and AppArmor profiles.
    This issue affects Kibana instances running on Elastic Cloud Enterprise (ECE), but the code execution is limited within the Kibana Docker container. Further exploitation such as container escape is prevented by seccomp-bpf and AppArmor profiles.
    This issue affects Kibana instances running on Elastic Cloud on Kubernetes (ECK), but the code execution is limited within the Kibana Docker container. Further exploitation such as container escape can be prevented by seccomp-bpf when configured and supported (Kubernetes v1.19 and later).
    Affected Versions: Kibana 8.x versions prior to 8.14.2 and Kibana 7.x versions from 7.7.0 prior to 7.17.23
    Affected Configurations: This exploit requires a threat actor to have all of the following privileges: write access to the .ml-anomalies* hidden indices, read access to the Machine Learning feature, and read access to the Actions & Connectors feature. Write access to the .ml-anomalies* hidden indices isn’t provided by default, is not recommended, nor is it explicitly or implicitly required for any user functionality.
    Solutions and Mitigations: Users should upgrade to versions 8.14.2 and 7.17.23.
    For Users that cannot upgrade: If an upgrade is not possible, we advise customers to first ensure Elasticsearch and Kibana user privileges are properly secured. Further mitigations can be applied by disabling Connector Actions and Machine Learning capabilities if this functionality is not required. Details are as follows:
    1. Securing Elasticsearch user privileges
    Customers are advised to ensure that users have not been granted Elasticsearch index privileges to write ML result indices (.ml-anomalies*). Ensure this has not been explicitly granted:
        GET _security/role
    Check role definitions for customer-created roles. Ensure index privileges have not been granted to .ml-anomalies* (or an equivalent matching wildcard) for any customer role that would allow writing data (all, write, create_doc, create, index, etc.).
    Note: Users with superuser privileges have full index privileges. Ensure superuser access is controlled.
    2. Securing Kibana user privileges
    Kibana user privileges can be further secured to limit access to ML and connector action capabilities. Users that do not require access to ML or manage Kibana Alerting Rules must have either of the following Kibana privileges set to “None”:
      - Machine Learning: None
      - Management / Actions and Connectors: None
    Note: Users with superuser privileges will still be able to access machine learning capabilities in Kibana. In 7.x, users with manage_ml or monitor_ml Elasticsearch cluster privileges or machine_learning_admin or machine_learning_user built-in roles are able to access machine learning capabilities in Kibana.
    Further mitigations can be applied via:
    3. Disabling Connector Actions
    All email connector actions can be disabled. This will prevent emails from being sent for alerting rule notifications, and an alternate notification action would be required. This must be set on all Kibana nodes and applied after a node restart. In 7.7+ and 8.x, Connector actions can be disabled in kibana.yml. This must be applied to all Kibana nodes.
    Note: Do not apply this yml setting to clusters of version 7.6 and below – this will prevent Kibana from starting. A full list of action types is available in the documentation:
    https://www.elastic.co/guide/en/kibana/7.17/alert-action-settings-kb.html
    https://www.elastic.co/guide/en/kibana/8.15/alert-action-settings-kb.html

        # kibana.yml
        # To only allow specific named connector actions, supply a named list and exclude email.
        # Also delete any pre-configured email connectors, if specified.
        xpack.actions.enabledActionTypes: [ ".server-log", ".index", ".other-tbc" ]

    Any existing Alerting Rule that used an email action for its notifications would continue running but would not be able to send email notifications. Errors would be logged due to the disabled email connector. An alternate connector action would be required for notifications.
    4. Disabling ML
    Machine learning capabilities can be disabled. This will prevent machine learning jobs from running. In 6.x, 7.x and 8.x, machine learning functionality can be disabled entirely by setting the following in elasticsearch.yml. This must be applied to all Elasticsearch nodes and is applied upon a node restart.
    https://www.elastic.co/guide/en/elasticsearch/reference/8.14/ml-settings.html
    https://www.elastic.co/guide/en/elasticsearch/reference/7.17/ml-settings.html
    https://www.elastic.co/guide/en/elasticsearch/reference/6.8/ml-settings.html

        # elasticsearch.yml
        xpack.ml.enabled: false

    In 6.x and 7.x, machine learning functionality in Kibana can be disabled in Kibana only, by setting the following in kibana.yml. Machine learning functionality will continue to be available in Elasticsearch and accessible via Elasticsearch APIs, and all Kibana ML functionality will be disabled. Choose this option if you want to continue accessing ML functionality via Elasticsearch APIs only. This must be set on all Kibana nodes and is applied upon a node restart.
    https://www.elastic.co/guide/en/kibana/7.17/ml-settings-kb.html
    https://www.elastic.co/guide/en/kibana/6.8/ml-settings-kb.html

        # kibana.yml
        xpack.ml.enabled: false

    Severity: CVSSv3.1: 9.1 (Critical) – CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
    *** Updated Aug 13, 2024 11:45:01 UTC: CVSS Severity Rating has been updated after re-analysis of the issue. Privileges Required was revised to High from the initial assessment of Privileges Required Low.
    CVE ID: CVE-2024-37287
    7 posts – 2 participants
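    Step 1 of the mitigation above (auditing role definitions for write access to .ml-anomalies*), as an added example written for this page rather than Elastic's own tooling or part of the advisory. It takes the JSON body of a saved GET _security/role response, skips built-in (reserved) roles as the advisory's check is about customer-created ones, and flags any role granting a write-capable index privilege on a pattern that would match an .ml-anomalies* index. It generalises the check slightly: wildcard patterns such as * or .ml-* that cover those indices are flagged too, not only the literal .ml-anomalies*. The role names and definitions in SAMPLE_ROLES are constructed.

```python
"""Audit Elasticsearch roles for write-capable privileges on .ml-anomalies*
(the check ESA-2024-22 asks for in mitigation step 1).
Added example; the SAMPLE_ROLES data is constructed, not from a real cluster."""
import fnmatch
import json
import sys

# Index privileges that allow writing documents, per the advisory's list
# ("all, write, create_doc, create, index, etc.").
WRITE_PRIVILEGES = {"all", "write", "create_doc", "create", "index"}

# A concrete index name covered by the protected pattern .ml-anomalies*.
# Any role pattern that matches this name would match a real ML result index.
PROBE_INDEX = ".ml-anomalies-shared"

# Constructed sample in the shape of a GET _security/role response.
SAMPLE_ROLES = {
    "superuser": {"cluster": ["all"],
                  "indices": [{"names": ["*"], "privileges": ["all"]}],
                  "metadata": {"_reserved": True}},
    "analyst_readonly": {"cluster": [],
                         "indices": [{"names": [".ml-*"], "privileges": ["read"]}],
                         "metadata": {}},
    "broad_writer": {"cluster": [],
                     "indices": [{"names": ["logs-*", "*"],
                                  "privileges": ["write", "read"]}],
                     "metadata": {}},
    "ml_results_editor": {"cluster": [],
                          "indices": [{"names": [".ml-anomalies*"],
                                       "privileges": ["index"]}],
                          "metadata": {}},
}


def pattern_covers_ml_results(pattern: str) -> bool:
    """True if an index-name pattern from a role would match an .ml-anomalies* index.
    Elasticsearch index patterns use '*' wildcards, which fnmatch handles."""
    return fnmatch.fnmatchcase(PROBE_INDEX, pattern)


def find_risky_roles(roles: dict) -> dict:
    """Return {role_name: [offending index patterns]} for non-reserved roles
    that grant a write-capable privilege on a pattern covering .ml-anomalies*."""
    findings = {}
    for name, role in roles.items():
        if role.get("metadata", {}).get("_reserved"):
            continue  # built-in roles; superuser access is controlled separately
        hits = []
        for entry in role.get("indices", []):
            if not set(entry.get("privileges", [])) & WRITE_PRIVILEGES:
                continue
            hits.extend(p for p in entry.get("names", [])
                        if pattern_covers_ml_results(p))
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    # Usage: python audit_ml_roles.py < roles.json   (falls back to the sample)
    roles = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_ROLES
    for role_name, patterns in find_risky_roles(roles).items():
        print(f"REVIEW {role_name}: write-capable privilege on {patterns}")
```

    Save the GET _security/role output to a file and pipe it in; each flagged role is one to review against the advisory's list, and, as the advisory notes, superuser grants are reviewed separately because that role is reserved and carries full index privileges regardless.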

  • APM Server 8.14.0 Security Update (ESA-2024-19)
    by rodrigo_silva on August 2, 2024 at 8:20 pm

    APM Server Insertion of Sensitive Information into Log File (ESA-2024-19)
    APM Server logs contain the document body from a partially failed bulk index request. For example, in case of an unavailable_shards_exception for a specific document, since the ES response line contains the document body, and APM Server logs the ES response line on error, the document is effectively logged.
    Affected Versions: APM Server versions before 8.14.0
    Solutions and Mitigations: The issue is resolved in version 8.14.0.
    Reviewing Logs for Sensitive Information: Users can search for instances of these documents and determine whether any sensitive information has been leaked in APM Server logs by searching for the following string:
        message: "unavailable_shards_exception" and message: "source"
    Severity: CVSSv3: 5.7 (Medium) – AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    CVE ID: CVE-2024-37286
    1 post – 1 participant

  • Elasticsearch 8.13.0/7.17.23 Security Update (ESA-2024-12)
    by Bryan_Garcia on July 31, 2024 at 5:12 pm

    Elasticsearch elasticsearch-certutil csr fails to encrypt private key (ESA-2024-12)
    It was discovered by Elastic engineering that when the elasticsearch-certutil CLI tool is used with the csr option in order to create a new Certificate Signing Request, the associated private key that is generated is stored on disk unencrypted even if the --pass parameter is passed in the command invocation.
    Affected Versions: Elasticsearch versions before 7.17.23 and before 8.13.0
    Solutions and Mitigations: The issue is resolved in versions 7.17.23 and 8.13.0
    Severity: CVSSv3: 4.9 (Medium) – CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
    CVE ID: CVE-2024-23444
    1 post – 1 participant

  • Kibana 7.17.23/8.14.0 Security Update (ESA-2024-16)
    by Bryan_Garcia on July 30, 2024 at 9:22 pm

    Kibana Denial of Service issue (ESA-2024-16)
    An issue was discovered in Kibana where a user with the Viewer role could cause a Kibana instance to crash by sending a large number of maliciously crafted requests to a specific endpoint.
    Affected Versions: Kibana 8.x versions prior to 8.14.0 and Kibana 7.x versions prior to 7.17.23
    Solutions and Mitigations: The issue is resolved in versions 8.14.0 and 7.17.23.
    Severity: CVSSv3: 6.5 (Medium) – AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/CR:M/IR:M/AR:M
    CVE ID: CVE-2024-37281
    1 post – 1 participant

  • Elastic Cloud Enterprise 3.7.2 Security Update (ESA-2024-18)
    by ikakavas on June 28, 2024 at 4:54 am

    ECE Improper Authorization (ESA-2024-18)
    It was identified that under certain specific preconditions, an API key that was originally created with specific privileges could be subsequently used to create new API keys that have elevated privileges.
    Affected Versions: ECE versions after 3.0.0 and before 3.7.2
    Solutions and Mitigations: Users should upgrade to version 3.7.2.
    Severity: CVSSv3: 8.1 (High) – CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    CVE ID: CVE-2024-37282
    1 post – 1 participant

  • Kibana 7.17.22 / 8.14.0 Security Update (ESA-2024-17)
    by Bryan_Garcia on June 14, 2024 at 3:27 pm

    Kibana RCE due to Chromium type confusion (ESA-2024-17)
    On March 26, 2024, a type confusion vulnerability was found in WebAssembly in Google Chrome versions prior to 123.0.6312.86 which allows a remote attacker to execute arbitrary code via a crafted HTML page. Kibana includes a bundled version of headless Chromium that is only used for Kibana’s reporting capabilities and which is affected by this vulnerability. An exploit for Kibana has not been identified; however, as a resolution, the bundled version of Chromium is updated in this release.
    This issue affects on-premises Kibana installations on host Operating Systems where the Chromium sandbox is disabled (only CentOS, Debian, RHEL).
    This issue affects Kibana instances running using the Kibana Docker image when the Chromium sandbox is explicitly disabled as suggested by the documentation. Further exploitation such as container escape is prevented by seccomp-bpf.
    This issue affects Kibana instances running on Elastic Cloud, but the RCE is limited within the Kibana Docker container. Further exploitation such as container escape is prevented by seccomp-bpf and AppArmor profiles.
    This issue affects Kibana instances running on Elastic Cloud Enterprise (ECE), but the RCE is limited within the Kibana Docker container. Further exploitation such as container escape is prevented by seccomp-bpf and AppArmor profiles.
    This issue affects Kibana instances running on Elastic Cloud on Kubernetes (ECK), but the RCE is limited within the Kibana Docker container. Further exploitation such as container escape can be prevented by seccomp-bpf when configured and supported (Kubernetes v1.19 and later).
    Affected Versions: Kibana version 7.17.21 and Kibana 8.13.x versions prior to 8.14.0.
    Solutions and Mitigations: Users should upgrade to versions 7.17.22 and 8.14.0.
    For users that cannot upgrade: users can disable Kibana reporting functionality completely in the kibana.yml file with the following setting:
        xpack.reporting.enabled: false
    Users who rely on CSV reports may want an option to only disable the screenshot-based reports. The settings for that are:
        xpack.reporting.pdf.enabled: false
        xpack.reporting.png.enabled: false
    Severity: CVSSv3: 9.9 (Critical) – AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/CR:M/IR:M/AR:M
    CVE ID: CVE-2024-2887
    1 post – 1 participant

  • Kibana 8.14.0/7.17.22 Security Update (ESA-2024-10)
    by rodrigo_silva on June 14, 2024 at 2:09 pm

    Kibana open redirect issue (ESA-2024-10)
    An open redirect issue was discovered in Kibana that could lead to a user being redirected to an arbitrary website if they use a maliciously crafted Kibana URL.
    Affected Versions: Kibana versions before 7.17.22 and before 8.14.0.
    Solutions and Mitigations: The issue is resolved in versions 7.17.22 and 8.14.0.
    Severity: CVSSv3: 6.1 (Medium) – AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    CVE ID: CVE-2024-23442
    1 post – 1 participant
