oss-sec mailing list archives
CVEs for public Kibana / logstash issues
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 8 Sep 2016 09:02:24 -0600
I just checked https://www.elastic.co/community/security and the Kibana issues do not have CVEs, can you please assign CVEs for: Kibana: ESA-2016-05 2016-09-06 Version 2.4.0 of the Reporting plugin is vulnerable to a CSRF vulnerability that could allow an attacker to generate superfluous reports whenever an authenticated Kibana user navigates to a specially-crafted page. Users of the Reporting plugin should upgrade Kibana to 4.6.1 and Reporting to 2.4.1. ESA-2016-04 2016-08-03 When a custom output is configured for logging in versions of Kibana before 4.5.4 and 4.1.11, cookies and authorization headers could be written to the log files. This information could be used to hijack sessions of other users when using Kibana behind some form of authentication such as Shield. Users should upgrade to 4.5.4 or 4.1.11. ESA-2016-03 2016-08-03 Versions of Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack that would allow an attacker to execute arbitrary JavaScript in users' browsers. Users should upgrade to 4.5.4 or 4.1.11. Logstash: ESA-2016-02 2016-07-07 Prior to version 2.3.4, Elasticsearch Output plugin would log to file HTTP authorization headers which could contain sensitive information. Users who secure communication from Logstash to Elasticsearch via Basic Authorization using Elastic Shield or other systems are advised to upgrade to this version. ESA-2016-01 2016-02-02 Prior to version 2.1.2, the CSV output can be attacked via engineered input that will create malicious formulas in the CSV data. Users that currently use Logstash CSV output plugin or may want to use it in the future should upgrade to 2.2.0 or 2.1.2. Thanks -- -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 Red Hat Product Security contact: secalert () redhat com
Current thread:
- CVEs for public Kibana / logstash issues Kurt Seifried (Sep 08)
- Re: CVEs for public Kibana / logstash issues Kurt Seifried (Sep 09)