Headline
CVE-2021-22147: Security issues
Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view.
Logstash
ESA ID
CVE
Date Disclosed
Vulnerability Summary
Remediation Summary
ESA-2021-09
CVE-2021-22138
2021-03-23
A TLS certificate validation flaw was found in the monitoring feature of Logstash versions 6.4.0 and before versions 6.8.15 and 7.12.0. When specifying a trusted server CA certificate Logstash would not properly verify the certificate returned by the monitoring server. This could result in a man in the middle style attack against the Logstash monitoring data.
Users should update their version of Logstash to 7.12.0 or 6.8.15.
ESA-2019-14
CVE-2019-7620
2019-10-22
A denial of service flaw was found in the Logstash beats input plugin before versions 6.8.4 and 7.4.1. An unauthenticated user who is able to connect to the port the Logstash beats input could send a specially crafted network packet that would cause Logstash to stop responding.
If you are not using the Beats input plugin with Logstash you are not vulnerable to this issue.
Thanks to Dennis Detering, IT security consultant at Spike Reply for reporting this issue.
Users should upgrade to Logstash version 7.4.1 or 6.8.4.
ESA-2019-05
CVE-2019-7612
2019-02-19
A sensitive data disclosure flaw was found in the way Logstash logs malformed URLs. If a malformed URL is specified as part of the Logstash configuration, the credentials for the URL could be inadvertently logged as part of the error message.
Users should upgrade to Logstash version 6.6.1 or 5.6.15
ESA-2018-01
CVE-2018-3817
2018-01-16
When logging warnings regarding deprecated settings, Logstash could inadvertently log sensitive information.
Users should upgrade to Logstash version 6.1.2 or 5.6.6. If you are unable to upgrade you should review your settings to ensure no deprecated settings are used in your environment.
ESA-2017-05
CVE-2017-5645
2017-04-20
The version of Apache Log4j used in Logstash was vulnerable to an object deserialization flaw. This flaw could result in remote code execution by an attacker able to send arbitrary data to a Logstash Log4j plugin.
Users that currently use Logstash Log4j input plugin should upgrade the logstash-input-log4j plugin to version 3.0.5
ESA-2016-08
CVE-2016-10362
2016-11-15
Prior to Logstash version 5.0.1, Elasticsearch Output plugin when updating connections after sniffing, would log to file HTTP basic auth credentials.
Users who secure communication from Logstash to Elasticsearch via Basic Authorization using Elastic Shield or other systems are advised to upgrade to this version.
ESA-2016-06
CVE-2016-10363
2016-09-22
In Logstash versions prior to 2.3.3, when using the Netflow Codec plugin, a remote attacker crafting malicious Netflow v5, Netflow v9 or IPFIX packets could perform a denial of service attack on the Logstash instance. The errors resulting from these crafted inputs are not handled by the codec and can cause the Logstash process to exit.
Users that currently use Logstash’s netflow codec plugin or may want to use it in the future should upgrade to 2.3.3 or later versions.
ESA-2016-02
CVE-2016-1000221
2016-07-07
Prior to version 2.3.4, Elasticsearch Output plugin would log to file HTTP authorization headers which could contain sensitive information.
Users who secure communication from Logstash to Elasticsearch via Basic Authorization using Elastic Shield or other systems are advised to upgrade to this version.
ESA-2016-01
CVE-2016-1000222
2016-02-02
Prior to version 2.1.2, the CSV output can be attacked via engineered input that will create malicious formulas in the CSV data.
Users that currently use Logstash CSV output plugin or may want to use it in the future should upgrade to 2.2.0 or 2.1.2.
ESA-2015-09
CVE-2015-5619
2015-07-22
All Logstash versions prior to 1.5.3 that use Lumberjack output is vulnerable to this man in the middle attack. Please note that Logstash Forwarder is not affected by this.
Users should upgrade to 1.5.4 or 1.4.5. Users that do not want to upgrade can address the vulnerability by disabling the Lumberjack output.
ESA-2015-07
CVE-2015-5378
2015-06-30
All Logstash versions prior to 1.5.2 that use Lumberjack input (in combination with Logstash Forwarder agent) are vulnerable to a SSL/TLS security issue called the FREAK attack. This allows an attacker to intercept communication and access secure data.
Users should upgrade to 1.5.3 or 1.4.4. Users that do not want to upgrade can address the vulnerability by disabling the Lumberjack input.
ESA-2015-04
CVE-2015-4152
2015-06-09
All Logstash versions prior to 1.4.3 that use the file output plugin are vulnerable to a directory traversal attack that allows an attacker to write files as the Logstash user.
Users should upgrade to 1.4.3 or 1.5.0 Users that do not want to upgrade can address the vulnerability by disabling the file output plugin.
ESA-2014-02
CVE-2014-4326
2014-06-24
Logstash 1.4.1 and prior, when configured to use the Zabbix or Nagios outputs, allows an attacker with access to send crafted events to Logstash inputs to cause Logstash to execute OS commands.
Upgrade to Logstash 1.4.2 or later, or disable the Zabbix and Nagios outputs.
Elasticsearch
ESA ID
CVE
Date Disclosed
Vulnerability Summary
Remediation Summary
ESA-2021-25
CVE-2021-37937
2021-09-01
An issue was found with how API keys are created with the fleet-server service account. When an API key is created with a service account, it is possible that the API key could be created with higher privileges than intended. Using this vulnerability, a compromised fleet-server service account could escalate themselves to a super-user.
Users should upgrade to Elasticsearch version 7.14.1
ESA-2021-18
CVE-2021-22147
2021-08-03
A flaw was discovered in Elasticsearch where document and field level security was not applied to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view.
Users who are using document or field level security with searchable snapshots should upgrade to version 7.14.0
ESA-2021-16
CVE-2021-22145
2021-07-20
A memory disclosure vulnerability was identified in Elasticsearch’s error reporting. A user with
the ability to submit arbitrary queries to Elasticsearch could submit a malformed query that
would result in an error message returned containing previously used portions of a data buffer.
This buffer could contain sensitive information such as Elasticsearch documents or
authentication details.
Thanks to Eric Howard (Bell Canada) for reporting this issue.
Affected users should update their version of Elasticsearch to 7.13.4. There is no known
workaround for this issue.
ESA-2021-15
CVE-2021-22144
2021-07-07
An uncontrolled recursion vulnerability that could lead to a denial of service attack was identified in the Elasticsearch Grok parser. A user with the ability to submit arbitrary queries to Elasticsearch could create a malicious Grok query that will crash the Elasticsearch node.
Users should update their version of Elasticsearch to 7.13.3 or 6.8.17
ESA-2021-06
CVE-2021-22135
2021-03-23
In Elasticsearch versions before 7.11.2 and 6.8.15 document disclosure flaw was found in the Elasticsearch suggester and profile API when Document and Field Level Security are enabled. The suggester and profile API are normally disabled for an index when document level security is enabled on the index. Certain queries are able to enable the profiler and suggester which could lead to disclosing the existence of documents and fields the attacker should not be able to view.
Anyone using both Document and Field Level Security should upgrade to Elasticsearch version 7.11.2 or 6.8.15. There is no known workaround for this flaw.
ESA-2021-08
CVE-2021-22137
2021-03-23
A document disclosure flaw was found in Elasticsearch versions before 6.8.15 and 7.11.2 when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.
Thanks to Piotr Dłubisz, Security Consultant at JN Data A/S for reporting this issue.
Anyone using Document or Field Level Security should upgrade to Elasticsearch version 7.11.2 or 6.8.15. There is no known workaround for this flaw.
ESA-2021-05
CVE-2021-22134
2021-03-01
A document disclosure flaw was found in Elasticsearch when Document or Field Level Security is used. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents that have been updated and not yet refreshed in the index. This could result in the search disclosing the existence of documents and fields the attacker should not be able to view. A mitigating factor to this flaw is an attacker must know the document ID to run the get request.
Anyone using Document or Field Level Security should upgrade to Elasticsearch version 7.11.0. There is no known workaround for this flaw.
ESA-2021-03
CVE-2020-7021
2021-02-10
Elasticsearch versions before 7.10.0 and 6.8.14 have an information disclosure issue when audit logging and the emit_request_body option is enabled. The Elasticsearch audit log could contain sensitive information such as password hashes or authentication tokens. This could allow an Elasticsearch administrator to view these details.
Anyone using audit logging with the xpack.security.audit.logfile.events.emit_request_body enabled should upgrade to Elasticsearch version 7.10.0 or 6.8.14. This issue can be worked around by disabling the emit_request_body option in the elasticsearch.yml file.
ESA-2021-01
CVE-2021-22132
2021-01-14
An information disclosure flaw was found in the Elasticsearch async search API. Users who execute an async search will store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster.
All Elasticsearch versions starting with 7.7.0 and before 7.10.2 are affected by this issue.
Users should upgrade to Elasticsearch 7.10.2. There is no known workaround for this issue.
ESA-2020-13
CVE-2020-7020
2020-10-22
A document disclosure flaw was found in Elasticsearch when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain complex queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.
Thanks to Robert Coe, CTO at AcuityMD for reporting this issue.
Anyone using Document or Field Level Security should upgrade to Elasticsearch version 7.9.2 or 6.8.13. There is no known workaround for this flaw.
ESA-2020-12
CVE-2020-7019
2020-08-18
A field disclosure flaw was found in Elasticsearch when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker gaining additional permissions against a restricted index.
Users should upgrade to Elasticsearch version 7.9.0 or 6.8.12.
ESA-2020-07
CVE-2020-7014
2020-06-03
The fix for ESA-2020-02 (CVE-2020-7009) was found to be incomplete.
Elasticsearch versions from 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a privilege escalation flaw if an attacker is able to create API keys and also authentication tokens. An attacker who is able to generate an API key and an authentication token can perform a series of steps that result in an authentication token being generated with elevated privileges.
Users should upgrade to Elasticsearch version 7.7.0 or 6.8.9. Users who are unable to upgrade can mitigate this flaw by disabling API keys by setting ‘xpack.security.authc.api_key.enabled’ to false in the elasticsearch.yml file.
ESA-2020-02
CVE-2020-7009
2020-03-31
Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevated privileges.
Users should upgrade to Elasticsearch version 7.6.2 or 6.8.8. Users who are unable to upgrade can mitigate this flaw by disabling API keys by setting ‘xpack.security.authc.api_key.enabled’ to false in the elasticsearch.yml file.
Additional details about this change can be found here:
Elasticsearch API key privileges
ESA-2019-13
CVE-2019-7619
2019-10-22
A username disclosure flaw was found in Elasticsearch’s API Key service. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native realm.
The following Elasticsearch versions are affected by this flaw: 7.0.0, 7.0.1, 7.1.0, 7.1.1, 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.3.2
6.7.0, 6.7.1, 6.7.2, 6.8.0, 6.8.1, 6.8.2, 6.8.3
Users should upgrade to Elasticsearch version 7.4.0 or 6.8.4. If users cannot upgrade, the API key service can be disabled by setting ‘xpack.security.authc.api_key.enabled’ to false in the Elasticsearch configuration file.
ESA-2019-07
CVE-2019-7614
2019-07-30
A race condition flaw was found in the response headers Elasticsearch returns to a request. On a system with multiple users submitting requests, it could be possible for an attacker to gain access to response header containing sensitive data from another user.
Users should upgrade to Elasticsearch version 7.2.1 or 6.8.2. There is no workaround for this issue.
ESA-2019-04
CVE-2019-7611
2019-02-19
A permission issue was found in Elasticsearch when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used . If the elasticsearch.yml file has xpack.security.dls_fls.enabled set to false, certain permission checks are skipped when users perform one of the actions mentioned above, to make existing data available under a new index/alias name. This could result in an attacker gaining additional permissions against a restricted index.
Users should upgrade to Elasticsearch version 6.6.1 or 5.6.15. Users unable to upgrade can change the xpack.security.dls_fls.enabled setting to true in their elasticsearch.yml file. The default setting for this option is true.
ESA-2018-19
CVE-2018-17247
2018-12-05
Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning’s find_file_structure API. If a policy allowing external network access has been added to Elasticsearch’s Java Security Manager then an attacker could send a specially crafted request capable of leaking content of local files on the Elasticsearch node. This could allow a user to access information that they should not have access to.
Please note: by default Elasticsearch has the Java Security Manager enabled with policies which will cause this attack to fail.
Affected users should upgrade to Elasticsearch version 6.5.2.
ESA-2018-16
CVE-2018-17244
2018-11-06
Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for another request if the same username is being authenticated concurrently; when used with run as, this can result in the request running as the incorrect user. This could allow a user to access information that they should not have access to.
Users should upgrade to Elasticsearch version 6.4.3.
If upgrading is not possible setting the realm’s cache.ttl option to 0 will prevent caching any user data. This will mitigate this issue but will slow requests considerably.
ESA-2018-15
CVE-2018-3831
2018-09-18
Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens, or usernames. This could allow an authenticated Elasticsearch user to improperly view these details.
Users should upgrade to Elasticsearch version 6.4.1 or 5.6.12. There are no known workarounds for this issue.
ESA-2018-10
CVE-2018-3826
2018-06-13
In Elasticsearch versions 6.0.0-beta1 to 6.2.4 a disclosure flaw was found in the _snapshot API. When the access_key and security_key parameters are set using the _snapshot API they can be exposed as plain text by users able to query the _snapshot API.
Although it is advised in the 6.X _snapshot API documentation to define the access_key and security_key parameters in the keystore, it is still possible to define them outside of the keystore using the API.
All users of Elasticsearch should upgrade to version 6.3.0. This update will prevent the _snapshot API from returning the access_key and security_key parameters in plain text.
ESA-2018-11
CVE-2018-3827
2018-06-13
A sensitive data disclosure flaw was found in the Elasticsearch repository-azure (formerly elasticsearch-cloud-azure) plugin. When the repository-azure plugin is set to log at TRACE level Azure credentials can be inadvertently logged.
All users of Elasticsearch should upgrade to version 6.3.0. This update will prevent the repository-azure plugin to expose Azure credentials in Elasticsearch logs.
ESA-2018-07
CVE-2018-3822
2018-03-20
X-Pack Security versions 6.2.0, 6.2.1, and 6.2.2 are vulnerable to a user impersonation attack via incorrect XML canonicalization and DOM traversal. An attacker might have been able to impersonate a legitimate user if the SAML Identity Provider allows for self registration with arbitrary identifiers and the attacker can register an account which an identifier that shares a suffix with a legitimate account. Both of those conditions must be true in order to exploit this flaw.
Users should upgrade to Elasticsearch version 6.2.3.
ESA-2017-19
CVE-2017-8448
2017-09-18
An error was found in the permission model used by X-Pack alerting whereby users mapped to certain built-in roles could create a watch that results in that user gaining elevated privileges.
Deployments of the Elastic Stack that utilize X-Pack alerting should be upgraded to version 5.6.1 to fix the privilege escalation issue.
Users mapped to the built-in “watcher_admin” or “machine_learning_admin” roles, or any other role to which the “manage_ml” or “manage_watcher” cluster privilege has been assigned, should be reviewed and granted only to personnel with appropriate trust levels to read and write all indices.
ESA-2017-18
CVE-2017-8447
2017-09-11
An error was found in the X-Pack Security privilege enforcement. If a user has either ‘delete’ or ‘index’ permissions on an index in a cluster, they may be able to issue both delete and index requests against that index.
X-Pack Security users should upgrade to version 5.6.0 or 5.5.3. If you cannot upgrade immediately you can workaround this issue by removing the ‘delete’ and ‘index’ permission from untrusted users.
ESA-2017-15
CVE-2017-8445
2017-08-17
An error was found in the X-Pack Security TLS trust manager for versions 5.0.0 to 5.5.1. If reloading the trust material fails the trust manager will be replaced with an instance that trusts all certificates. This could allow any node using any certificate to join a cluster. The proper behavior in this instance is for the TLS trust manager to deny all certificates.
X-Pack Security users should upgrade to version 5.5.2. Please note this attack cannot be triggered remotely. The most likely scenario would be local system corruption. Even though crossing a trust boundary cannot be forced by an attacker, we consider a security feature failing in this manner to be a flaw.
ESA-2017-10
CVE-2017-8442
2017-07-06
Elasticsearch X-Pack Security versions 5.0.0 to 5.4.3, when enabled, can result in the Elasticsearch _nodes API leaking sensitive configuration information, such as the paths and passphrases of SSL keys that were configured as part of an authentication realm. This could allow an authenticated Elasticsearch user to improperly view these details.
All users of X-Pack security should upgrade to version 5.5.0. This update will prevent the _nodes API from returning sensitive settings. If you cannot upgrade any sensitive settings can be hidden by using the X-Pack hide_settings configuration option.
ESA-2017-09
CVE-2017-8441
2017-06-01
X-Pack Security versions prior to 5.4.1 and 5.3.3 did not always correctly apply Document Level Security to index aliases. This bug could allow a user with restricted permissions to view data they should not have access to when performing certain operations against an index alias.
All users of X-Pack security should upgrade to version 5.3.3 or 5.4.1. If you cannot upgrade disabling the request cache on an index will mitigate this bug.
ESA-2017-06
CVE-2017-8438
2017-06-01
X-Pack Security versions 5.0.0 to 5.4.0 contain a privilege escalation bug in the run_as functionality. This bug prevents transitioning into the specified user specified in a run_as request. If a role has been created using a template that contains the _user properties, the behavior of run_as will be incorrect. Additionally if the run_as user specified does not exist, the transition will not happen.
User currently using run_as functionality should upgrade to X-Pack Security 5.4.1
ESA-2017-03
CVE-2017-8449
2017-03-28
When merging multiple rules with field level security rules for the same index, X-Pack Security 5.2.x would allow access to more fields than the user should have seen if the field level security rules used a mix of grant and exclude rules.
ESA-2017-01
CVE-2017-8450
2017-01-23
In some cases, X-Pack 5.1.1 did not properly apply document and field level security to multi-search and multi-get requests so users without access to a document and/or field may have been able to access this information.
Users should upgrade to v5.1.2 or above, or restrict access to the multi-search and multi-get APIs.
ESA-2015-08
CVE-2015-5531
2015-07-16
Elasticsearch versions from 1.0.0 to 1.6.0 are vulnerable to a directory traversal attack.
Users should upgrade to 1.6.1 or later, or constrain access to the snapshot API to trusted sources.
ESA-2015-06
CVE-2015-5377
2015-07-16
Elasticsearch versions prior to 1.6.1 are vulnerable to an attack that can result in remote code execution.
Users should upgrade to 1.6.1 or 1.7.0. Alternately, ensure that only trusted applications have access to the transport protocol port.
ESA-2015-05
CVE-2015-4165
2015-04-27
All Elasticsearch versions from 1.0.0 to 1.5.2 are vulnerable to an attack that uses Elasticsearch to modify files read and executed by certain other applications.
Users should upgrade to 1.6.0. Alternately, ensure that other applications are not present on the system, or that Elasticsearch cannot write into areas where these applications would read.
ESA-2015-02
CVE-2015-3337
2015-04-27
All Elasticsearch versions prior to 1.5.2 and 1.4.5 are vulnerable to a directory traversal attack that allows an attacker to retrieve files from the server running Elasticsearch when one or more site plugins are installed, or when Windows is the server OS.
Users should upgrade to 1.4.5 or 1.5.2. Users that do not want to upgrade can address the vulnerability by disabling site plugins. See the CVE description for additional options.
ESA-2015-01
CVE-2015-1427
2015-02-11
Elasticsearch versions 1.3.0-1.3.7 and 1.4.0-1.4.2 have vulnerabilities in the Groovy scripting engine that were introduced in 1.3.0. The vulnerability allows an attacker to construct Groovy scripts that escape the sandbox and execute shell commands as the user running the Elasticsearch Java VM.
Users should upgrade to 1.3.8 or 1.4.3. Users that do not want to upgrade can address the vulnerability by setting script.groovy.sandbox.enabled to false in elasticsearch.yml and restarting the node.
ESA-2014-03
CVE-2014-6439
2014-11-05
Elasticsearch versions 1.3.x and prior have a default configuration for CORS that allows an attacker to craft links that could cause a user’s browser to send requests to Elasticsearch instances on their local network. These requests could cause data loss or compromise.
Users should either set “http.cors.enabled” to false, or set “http.cors.allow-origin” to the value of the server that should be allowed access, such as localhost or a server hosting Kibana. Disabling CORS entirely with the former setting is more secure, but may not be suitable for all use cases.
ESA-2014-01
CVE-2014-3120
2014-05-22
In Elasticsearch versions 1.1.x and prior, dynamic scripting is enabled by default. This could allow an attacker to execute OS commands.
Disable dynamic scripting.
Kibana
ESA ID
CVE
Date Disclosed
Vulnerability Summary
Remediation Summary
ESA-2021-21
CVE-2021-22150
2021-09-01
It was discovered that a user with fleet admin permissions could upload a malicious package. Due to using an older version of the js-yaml library, this package would be loaded in an insecure manner, allowing an attacker to execute commands on the kibana server.
Users should upgrade to Kibana version 7.14.1
ESA-2021-22
CVE-2021-22151
2021-09-01
It was discovered that Kibana was not validating a user supplied path, which would load .pbf files. Because of this, a malicious user could arbitrarily traverse the Kibana host to load internal files ending in the .pbf extension.
Thanks to Luat Nguyen of CyberJutsu for reporting this issue.
Users should upgrade to Kibana version 7.14.1
ESA-2021-23
CVE-2021-37936
2021-09-01
It was discovered that kibana was not sanitizing document fields containing html snippets. Using this vulnerability, an attacker with the ability to write documents to an elasticsearch index could inject HTML. When the Discover app highlighted a search term containing the HTML, it would be rendered for the user.
Users can set “doc_table:highlight” to “false” in the Kibana Advanced Settings. Users who do not wish to do this, and are currently on version 7.14.0 should upgrade to version 7.14.1.
ESA-2021-24
CVE-2021-3672, CVE-2021-22931, CVE-2021-22940, CVE-2021-22939
2021-09-01
Node.js version 14.17.3 is affected by several security vulnerabilities: CVE-2021-3672, CVE-2021-22931, CVE-2021-22940, and CVE-2021-22939. We do not believe an attacker can exploit these against Kibana, but we are upgrading Node.js out of an abundance of caution. Kibana 7.14.1 upgrades Node.js to version 14.17.5 to resolve these issues.
Users should upgrade to Kibana version 7.14.1
ESA-2021-13
CVE-2021-22141
2021-05-25
An open redirect flaw was found in Kibana versions before 7.13.0 and 6.8.16. If a logged in user visits a maliciously crafted URL, it could result in Kibana redirecting the user to an arbitrary website.
Users should update their version of Kibana to 7.13.0 or 6.8.16
ESA-2021-12
CVE-2021-22142
2021-05-25
Kibana contains an embedded version of the Chromium browser that the Reporting feature uses to generate the downloadable reports. If a user with permissions to generate reports is able to render arbitrary HTML with this browser, they may be able to leverage known Chromium vulnerabilities to conduct further attacks. Kibana contains a number of protections to prevent this browser from rendering arbitrary content.
Users should update their version of Kibana to 7.13.0
ESA-2021-10
CVE-2021-22139
2021-04-27
A denial of service vulnerability was found in the Kibana webhook actions due to a lack of timeout or a limit on the request size. An attacker with permissions to create webhook actions could drain the Kibana host connection pool, making Kibana unavailable for all other users.
Thank you to Dominic Couture for this finding.
Customers should upgrade to version 7.12.1 or above
ESA-2021-07
CVE-2021-22136
2021-03-23
A flaw in Kibana versions before 7.12.0 and 6.8.15 session timeout was discovered where the xpack.security.session.idleTimeout setting is not being respected. This was caused by background polling activities unintentionally extending authenticated users sessions, preventing a user session from timing out.
Users should update their version of Kibana to 7.12.0 or 6.8.15.
ESA-2021-04
CVE-2020-26296
2021-02-10
The Kibana “Vega” visualization type is susceptible to both stored and reflected XSS via a vulnerable version of the Vega library. Users who can create these visualizations or craft a vulnerable URL describing this visualization can execute arbitrary JavaScript in the victim’s browser.
Users should upgrade to Kibana version 7.10.2 or 6.8.14. Users unable to upgrade can disable Vega visualizations by setting ‘vega.enabled: false’ in the kibana.yml file.
ESA-2020-10
CVE-2020-7017
2020-07-27
The region map visualization in Kibana contains a stored XSS flaw. An attacker who is able to edit or create a region map visualization could obtain sensitive information or perform destructive actions on behalf of Kibana users who view the region map visualization.
Users should upgrade to Kibana version 7.8.1 or 6.8.11. Users unable to upgrade can set ‘xpack.maps.enabled: false’, ‘region_map.enabled: false’, and ‘tile_map.enabled: false’ in kibana.yml to disable map visualizations.
Users running version 6.7.0 or later have a reduced risk from this XSS vulnerability when Kibana is configured to use the [default Content Security Policy](https://www.elastic.co/guide/en/kibana/current/settings.html) with a modern browser. While the CSP prevents XSS, it does not mitigate the underlying HTML injection vulnerability.
ESA-2020-09
CVE-2020-7016
2020-07-27
Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion. An attacker can construct a URL that when viewed by a Kibana user can lead to the Kibana process consuming large amounts of CPU and becoming unresponsive.
Users should upgrade to Kibana version 7.8.1 or 6.8.11. Users unable to upgrade can disable Timelion by setting timelion.enabled to false in the kibana.yml configuration file.
ESA-2020-08
CVE-2020-7015
2020-06-03
The TSVB visualization in Kibana contains a stored XSS flaw. An attacker who is able to edit or create a TSVB visualization could allow the attacker to obtain sensitive information from, or perform destructive actions, on behalf of Kibana users who edit the TSVB visualization.
Users should upgrade to Kibana version 7.7.1 or 6.8.10. Users unable to upgrade can disable TSVB by setting “metrics.enabled: false” in the kibana.yml file.
ESA-2020-06
CVE-2020-7013
2020-06-03
Kibana versions before 6.8.9 and 7.7.0 contain a prototype pollution flaw in TSVB . An authenticated attacker with privileges to create TSVB visualizations could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker executing code with the permissions of the Kibana process on the host system.
Users should upgrade to Kibana version 7.7.0 or 6.8.9. Users unable to upgrade can disable TSVB by setting “metrics.enabled: false” in the kibana.yml file.
This flaw is mitigated by default in all Elastic Cloud Kibana versions.
ESA-2020-05
CVE-2020-7012
2020-06-03
Kibana versions between 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. An authenticated attacker with privileges to write to the Kibana index could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker executing code with the permissions of the Kibana process on the host system.
Users should upgrade to Kibana version 7.7.0 or 6.8.9. Users unable to upgrade can disable the Upgrade Assistant using the instructions below.
Upgrade Assistant can be disabled by setting the following options in Kibana:
Kibana versions 6.7.0 and 6.7.1 can set ‘upgrade_assistant.enabled: false’ in the kibana.yml file
Kibana versions starting with 6.7.2 can set ‘xpack.upgrade_assistant.enabled: false’ in the kibana.yml file
This flaw is mitigated by default in all Elastic Cloud Kibana versions.
ESA-2020-01
CVE-2019-15604 CVE-2019-15606 CVE-2019-15605
2020-03-04
The version of Node.js shipped in all versions of Kibana prior to 7.6.1 and 6.8.7 contain three security flaws.
CVE-2019-15604 describes a Denial of Service (DoS) flaw in the TLS handling code of Node.js. Successful exploitation of this flaw could result in Kibana crashing.
CVE-2019-15606 and CVE-2019-15605 describe flaws in how Node.js handles malformed HTTP headers. These malformed headers could result in a HTTP request smuggling attack when Kibana is running behind a proxy vulnerable to HTTP request smuggling attacks.
This update upgrades Node.js to version 10.19.0, which is not vulnerable to these issues.
Administrators running Kibana in an environment with untrusted users should upgrade to version 7.6.1 or 6.8.7. There is no workaround for the DoS issue. It may be possible to mitigate the HTTP request smuggling issues on the proxy server. Please consult your proxy vendor for instructions on how to mitigate HTTP request smuggling attacks.
ESA-2019-17
CVE-2019-7621
2019-12-18
Kibana versions before 6.8.6 and 7.5.1 contain a cross site scripting (XSS) flaw in the coordinate and region map visualizations. An attacker with the ability to create coordinate map visualizations could create a malicious visualization. If another Kibana user views that visualization or a dashboard containing the visualization it could execute JavaScript in the victim’s browser.
Please note that Kibana has Content Security Policy (CSP) enabled by default since versions 6.7.0 and 7.0.0. Most browsers supported by Kibana honor the CSP settings. CSP prevents attackers from executing arbitrary JavaScript using this flaw, however an attacker can still inject arbitrary HTML into the page. The ‘csp.strict: true’ can be set in kibana.yml to disallow browsers that do not enforce CSP rules.
Thanks to Eran Vaknin and Rotem Reiss, Security Researchers, for reporting this issue.
Users should upgrade to Elasticsearch version 7.5.1 or 6.8.6. Users who are unable to upgrade can set ‘xpack.maps.enabled: false’, ‘region_map.enabled: false’, and ‘tile_map.enabled: false’ in kibana.yml to disable map visualizations.
ESA-2019-12
CVE-2019-7618
2019-10-01
A local file disclosure flaw was found in Elastic Code versions 7.3.0, 7.3.1, and 7.3.2. If a malicious code repository is imported into Code it is possible to read arbitrary files from the local filesystem of the Kibana instance running Code with the permission of the Kibana system user.
The Code application in Kibana is a beta feature and disabled by default at this time. If you do not have ‘xpack.code.ui.enabled: true’ in your kibana.yml configuration file you are not affected by this issue.
Users should upgrade to Elastic Code 7.4.0
Users unable to upgrade that have enabled the Code application in Kibana can disable it by setting ‘xpack.code.ui.enabled: false’ in kibana.yml.
ESA-2019-10
CVE-2019-10744
2019-07-30
A prototype pollution flaw exists in lodash, a component used by KIbana. An attacker with access to Kibana may be able to use this lodash flaw to unexpectedly modify internal Kibana data. Prototype pollution can be leveraged to execute a cross-site-scripting (XSS), denial of service (DoS), or Remote Code Execution attack against Kibana. No exploitable vectors in Kibana have been identified at the time of publishing.
Users should upgrade to Kibana version 7.2.1 or 6.8.2. There is no workaround for this issue.
ESA-2019-09
CVE-2019-7616
2019-07-30
Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizer. An attacker with administrative Kibana access could set the timelion:graphite.url configuration option to an arbitrary URL. This could possibly lead to an attacker accessing external URL resources as the Kibana process on the host system.
Kibana now includes a timelion.graphiteUrls option that allows administrator to whitelist valid graphite URLs in the kibana.yml file.
Thanks to Braden Hollembaek of Salesforce for reporting this issue.
Users should upgrade to Elasticsearch version 7.2.1 or 6.8.2. Users unable to upgrade can disable Timelion by setting timelion.enabled to false in the kibana.yml configuration file.
ESA-2019-01
CVE-2019-7608
2019-02-19
Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS) vulnerability that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
Users should upgrade to Kibana version 6.6.1 or 5.6.15
ESA-2019-02
CVE-2019-7609
2019-02-19
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
Users should upgrade to Kibana version 6.6.1 or 5.6.15. Users unable to upgrade can disable Timelion by setting timelion.enabled to false in the kibana.yml configuration file.
ESA-2019-03
CVE-2019-7610
2019-02-19
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
Users should upgrade to Kibana version 6.6.1 or 5.6.15. User unable to upgrade can set the xpack.security.audit.enabled setting to false in the kibana.yml configuration file if it is currently set to true. The setting defaults to false if not specified in the configuration file.
ESA-2018-17
CVE-2018-17245
2018-11-06
Yuri Astrakhan and Nick Peihl of Elastic discovered Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are used when generating PDF reports. If a report requests external resources plaintext credentials are included in the HTTP request that could be recovered by an external resource provider.
Users should upgrade to Elastic Stack version 6.4.3 or 5.6.13
Users unable to upgrade can disable the Reporting feature in Kibana by setting xpack.reporting.enabled to false in the kibana.yml file. This does not prevent previously leaked credentials from being reused.
For more information about mitigating from this flaw please see our blog post.
ESA-2018-18
CVE-2018-17246
2018-11-06
Nethanel Coppenhagen of CyberArk Labs discovered Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
Users should upgrade to Elastic Stack version 6.4.3 or 5.6.13
Users unable to upgrade can disable the Kibana Console plugin. The Console plugin can be disabled by setting “console.enabled: false” in the kibana.yml file.
ESA-2018-14
CVE-2018-3830
2018-09-18
Kibana versions 5.3.0 to 6.4.1 had a cross-site scripting (XSS) vulnerability via the source field formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
Users should upgrade to Kibana version 6.4.1 or 5.6.12. There are no known workarounds for this issue.
ESA-2018-08
CVE-2018-3824
2018-04-17
X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. If an attacker is able to inject data into an index that has a ML job running against it, then when another user views the results of the ML job it could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of that other ML user.
Users should upgrade to Elasticsearch version 6.2.4 or 5.6.9
ESA-2018-06
CVE-2018-3823
2018-04-17
X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. Users with manage_ml permissions could create jobs containing malicious data as part of their configuration that could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of other ML users viewing the results of the jobs.
Users should upgrade to Elasticsearch version 6.2.4 or 5.6.9
ESA-2018-05
CVE-2018-3821
2018-01-30
Kibana versions after 5.1.1 and before 5.6.7 and 6.1.3 had a cross-site scripting (XSS) vulnerability in the tag cloud visualization that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
Users should upgrade to Kibana version 6.1.3 or 5.6.7. There are no known workarounds for this issue.
ESA-2018-04
CVE-2018-3820
2018-01-30
Kibana versions after 6.1.0 and before 6.1.3 had a cross-site scripting (XSS) vulnerability in labs visualizations that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
Users of affected versions should upgrade to Kibana version 6.1.3. There are no known workarounds for this issue.
ESA-2018-03
CVE-2018-3819
2018-01-30
The fix in Kibana for ESA-2017-23 was incomplete. With X-Pack security enabled, Kibana versions before 6.1.3 and 5.6.7 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.
Users should upgrade to Kibana version 6.1.3 or 5.6.7. There are no known workarounds for this issue.
ESA-2018-02
CVE-2018-3818
2018-01-16
Kibana versions 5.1.1 to 6.1.2 and 5.6.6 had a cross-site scripting (XSS) vulnerability via the colored fields formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
Users should upgrade to Kibana version 6.1.2 or 5.6.6. There are no known workarounds for this issue.
ESA-2017-24
CVE-2017-1001002
2017-12-19
Kibana version 6.1.0 had an arbitrary code execution vulnerability in the Math.js package which is used by math aggregations in Time Series Visual Builder. Kibana users could construct a math aggregation capable of executing arbitrary code on the Kibana server.
Anyone running Kibana 6.1.0 should upgrade to Kibana version 6.1.1. If you are unable to upgrade, you may set “metrics.enabled: false” in the kibana.yml file to disable the Time Series Visual Builder feature.
ESA-2017-23
CVE-2017-11482
2017-12-06
The Kibana fix for CVE-2017-8451 was found to be incomplete. With X-Pack installed, Kibana versions before 6.0.1 and 5.6.5 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.
Users should upgrade to Kibana version 6.0.1 or 5.6.5. There are no known workarounds for this issue.
ESA-2017-22
CVE-2017-11481
2017-12-06
Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
Users should upgrade to Kibana version 6.0.1 or 5.6.5. There are no known workarounds for this issue.
ESA-2017-20
CVE-2017-11479
2017-09-18
Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
Users should upgrade to Kibana version 5.6.1. There are no known workarounds for this issue.
ESA-2017-17
CVE-2017-8446
2017-08-17
The Reporting feature in X-Pack in versions prior to 5.5.2 and standalone Reporting plugin versions versions prior to 2.4.6 had an impersonation vulnerability. A user with the reporting_user role could execute a report with the permissions of another reporting user, possibly gaining access to sensitive data.
Reporting users should upgrade to X-Pack version 5.5.2 or Reporting Plugin version 2.4.6. A mitigation for this issue is to remove the reporting_user role from any untrusted users of your Elastic Stack.
ESA-2017-16
2017-08-17
Kibana versions prior to 5.5.2 had a cross-site scripting (XSS) vulnerability in the markdown parser that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
Users should upgrade to Kibana version 5.5.2 or 4.6.5.
ESA-2017-14
CVE-2017-11499
2017-07-25
The version of Node.js shipped in all versions of Kibana prior to 5.5.1 contains a Denial of Service flaw in it’s HashTable random seed. This flaw could allow a remote attacker to consume resources within Node.js preventing Kibana from servicing requests.
Administrators running Kibana in an environment with untrusted users should upgrade to version 5.5.1 or 4.6.5. There is no workaround for this issue, the flaw can be triggered by an unauthenticated anonymous user.
ESA-2017-11
CVE-2017-8443
2017-06-27
In Kibana X-Pack security versions prior to 5.4.3 if a Kibana user opens a crafted Kibana URL the result could be a redirect to an improperly initialized Kibana login screen. If the user enters credentials on this screen, the credentials will appear in the URL bar. The credentials could then be viewed by untrusted parties or logged into the Kibana access logs.
We believe the severity of this issue is low since the issue can be triggered only by a crafted URL, and it will be very difficult for an external attacker to acquire credentials even with the vulnerability. Kibana users concerned with this issue should upgrade to version 5.4.3 or later.
ESA-2017-08
CVE-2017-8440
2017-06-01
Starting in version 5.3.0, Kibana had a cross-site scripting (XSS) vulnerability in the Discover page that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. Thanks to Thomas Gøytil for reporting this issue.
All users of Kibana 5.3 or 5.4 should upgrade to versions 5.3.3 and 5.4.1.
ESA-2017-07
CVE-2017-8439
2017-06-01
Kibana version 5.4.0 was affected by a Cross Site Scripting (XSS) bug in the Time Series Visual Builder. This bug could allow an attacker to obtain sensitive information from Kibana users.
All Kibana 5.4.0 users should upgrade to version 5.4.1. If upgrading is impossible, the time series visual builder can be disabled by setting metrics.enabled: false in the kibana.yml. Note that this will trigger a re-optimization when you restart Kibana.
ESA-2017-04
CVE-2017-8451
2017-04-20
With X-Pack installed, Kibana versions before 5.3.1 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website. Shield versions for Kibana prior to 2.4.5 are also affected.
Users should upgrade to Kibana version 5.3.1 as soon as possible. Users on Kibana 4.6 should update the Kibana Shield plugin to 2.4.5.
ESA-2017-02
CVE-2017-8452
2017-02-14
When Kibana is configured for SSL client access, file descriptors will fail to be cleaned up after certain requests and will accumulate over time until the process crashes. Requests that are canceled before data is sent can also crash the process.
Users of previous versions Kibana 5 that have SSL configured should upgrade to 5.2.1 immediately. Terminating SSL at a reverse proxy or load balancer will act as a workaround. Kibana version 4 is not affected.
ESA-2016-10
CVE-2016-10364
2016-11-29
With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 were not properly authenticating requests to advanced settings and the short URL service, so any authenticated user could make requests to those services regardless of their own permissions.
Users of Kibana and X-Pack versions 5.0.0 and 5.0.1 that have user-specific permissions for advanced settings or short URLs should upgrade to 5.0.2 as soon as possible.
ESA-2016-09
CVE-2016-10365
2016-11-15
Kibana versions before 4.6.3 and 5.0.1 have an open redirect vulnerability that would enable an attacker to craft a link in the Kibana domain that redirects to an arbitrary website. Thanks to the GE Digital Security Team for finding the issue.
Users should upgrade to 5.0.1 or 4.6.3 as soon as possible.
ESA-2016-07
CVE-2016-10366
2016-10-24
Kibana versions after and including 4.3 and before 4.6.2 are vulnerable to a cross-site scripting (XSS) attack that would allow an attacker to execute arbitrary JavaScript in users’ browsers.
Users of Kibana 4.3 or greater should upgrade to Kibana 4.6.2 immediately.
ESA-2016-05
CVE-2016-1000218
2016-09-06
Version 2.4.0 of the Reporting plugin is vulnerable to a CSRF vulnerability that could allow an attacker to generate superfluous reports whenever an authenticated Kibana user navigates to a specially-crafted page.
Users of the Reporting plugin should upgrade Kibana to 4.6.1 and Reporting to 2.4.1.
ESA-2016-04
CVE-2016-1000219
2016-08-03
When a custom output is configured for logging in versions of Kibana before 4.5.4 and 4.1.11, cookies and authorization headers could be written to the log files. This information could be used to hijack sessions of other users when using Kibana behind some form of authentication such as Shield.
Users should upgrade to 4.5.4 or 4.1.11.
ESA-2016-03
CVE-2016-1000220
2016-08-03
Versions of Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack that would allow an attacker to execute arbitrary JavaScript in users’ browsers.
Users should upgrade to 4.5.4 or 4.1.11.
ESA-2015-11
CVE-2015-9056
2015-12-17
Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a XSS attack.
Users should upgrade to 4.1.3 or 4.2.1.
ESA-2015-10
CVE-2015-8131
2015-11-17
Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a CSRF attack.
Users should upgrade to 4.1.3 or 4.2.1.
ESA-2015-03
CVE-2015-4093
2015-06-29
Kibana versions 4.0.0, 4.0.1 and 4.0.2 are vulnerable to a cross-site scripting attack.
Users should upgrade to 4.0.3.
Beats
ESA ID
CVE
Date Disclosed
Vulnerability Summary
Remediation Summary
ESA-2020-16
CVE-2020-28362
2020-12-09
A denial of service flaw when parsing malformed TLS public keys was discovered in Go, the language used to implement Beats. If Beats is configured to listen for Syslog over TLS, or if Beats is making outbound connections over HTTPS, a remote attacker could cause the Beats process to crash. The attacker must be able to present a specially malformed TLS public key to the Beat.
Inbound HTTPS connections to Beats are not affected by this issue, the Beats process is able to recover from receiving a malformed key.
Users should upgrade to Beats version 7.10.1.
Elastic is unable to upgrade Beats version 6.8 due to the version of Go used. We consider this flaw to be low enough severity that a possible fix poses a greater risk than the issue itself. Users unable to upgrade to version 7.10.1 can mitigate this vulnerability by using host based network controls such as a firewall or proxy.
ESA-2019-15
CVE-2019-17596
2019-12-02
A denial of service flaw when parsing malformed DSA public keys was discovered in Go, the language used to implement Beats. If Metricbeat or Filebeat versions before 7.5.0 are configured to accept incoming TLS connections with client authentication enabled, a remote attacker could cause the Beat to stop processing events.
Users should upgrade to Metricbeat and Filebeat 7.5.0.
We are unable to upgrade Metricbeat and Filebeat 6.8 due to the version of Go used. It is possible to mitigate this flaw if users are unable to upgrade to version 7.5.0.
The Filebeat syslog input and Metricbeat graphite and httpd modules could be vulnerable to this if configured to accept incoming TLS connections with client authentication enabled. Instances configured in this manner and unable to upgrade to version 7.5.0 should use firewall rules to prevent malicious access. Alternatively a TLS termination proxy such as stunnel could be configured to prevent direct incoming TLS connections.
ESA-2019-06
CVE-2019-7613
2019-03-19
Nate Guagenti (@neu5ron), solutions engineer with Perched Inc. reported an issue in Winlogbeat versions before 5.6.16 and 6.6.2 had an insufficient logging flaw. An attacker able to inject certain characters into a log entry could prevent Winlogbeat from recording the event.
Users should upgrade to Winlogbeat version 6.6.2 or 5.6.16
ESA-2017-21
CVE-2017-11480
2017-01-07
Packetbeat versions prior to 5.6.4 are affected by a denial of service flaw in the PostgreSQL protocol handler. If Packetbeat is listening for PostgreSQL traffic and a user is able to send arbitrary network traffic to the monitored port, the attacker could prevent Packetbeat from properly logging other PostgreSQL traffic.
Users should upgrade to Packetbeat version 5.6.4. This issue can be avoided by disabling the PostgreSQL protocol.
Elastic Cloud Enterprise
ESA ID
CVE
Date Disclosed
Vulnerability Summary
Remediation Summary
ESA-2021-17
CVE-2021-22146
2021-07-20
Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters. While in the default setting the anonymous user has no permissions and is unable to successfully query any Elasticsearch APIs, an attacker could leverage the anonymous user to gain insight into certain details of a deployed cluster.
Affected users should apply the stack pack. There is no known workaround.
ESA-2018-09
CVE-2018-3825
2018-06-13
In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 a default master encryption key is used in the process of granting ZooKeeper access to Elasticsearch clusters. Unless explicitly overwritten, this master key is predictable across all ECE deployments. If an attacker can connect to ZooKeeper directly they would be able to access configuration information of other tenants if their cluster ID is known.
New deployments should target 1.1.4 or greater release. It is recommended that existing deployments perform an upgrade. Additionally ECE deployments that are susceptible to remote code execution are recommended to rotate their existing credentials using a cleanup script. Please find instructions and more information in the release notes
ESA-2018-12
CVE-2018-3828
2018-06-13
Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 contain an information exposure vulnerability. It was discovered that certain exception conditions would result in encryption keys, passwords, and other security sensitive headers being leaked to the allocator logs. An attacker with access to the logging cluster may obtain leaked credentials and perform authenticated actions using these credentials.
All users of Elastic Cloud Enterprise should upgrade to version 1.1.4. This ensure credentials are properly redacted under error conditions.
ESA-2018-13
CVE-2018-3829
2018-06-13
In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 it was discovered that a user could scale out allocators on new hosts with an invalid roles token. An attacker with access to the previous runner ID and IP address of the coordinator-host could add a allocator to an existing ECE install to gain access to other clusters data.
All users of Elastic Cloud Enterprise should upgrade to version 1.1.4. This ensure role tokens are properly revoked for previous deleted runner roles.
ESA-2017-13
CVE-2017-8444
2017-09-12
The client-forwarder in Elastic Cloud Enterprise versions prior to 1.0.2 do not properly encrypt traffic to ZooKeeper. If an attacker is able to man in the middle (MITM) the traffic between the client-forwarder and ZooKeeper they could potentially obtain sensitive data.
All Elastic Cloud Enterprise users should upgrade to version 1.0.2. There is no known workaround for this issue.
Elastic Cloud on Kubernetes
ESA ID
CVE
Date Disclosed
Vulnerability Summary
Remediation Summary
ESA-2020-03
CVE-2020-7010
2020-04-28
Elastic Cloud on Kubernetes (ECK) versions prior to 1.1.0 generate passwords using a weak random number generator. If an attacker is able to determine when the current Elastic Stack cluster was deployed they may be able to more easily brute force the Elasticsearch credentials generated by ECK.
All Elastic Cloud on Kubernetes users should upgrade to version 1.1.0. Instructions for applying this update can be found here. There is no workaround for this issue.
This issue affects the default auto-generated credentials for a cluster. Clusters where the auto-generated Elasticsearch credentials have been changed do not need to take any actions.
Once ECK is upgraded to version 1.1.0 the auto-generated credentials should be rotated using the instructions found here.
APM
ESA ID
CVE
Date Disclosed
Vulnerability Summary
Remediation Summary
ESA-2021-14
CVE-2021-22143
2021-06-01
The Elastic APM .NET Agent can leak sensitive HTTP header information when logging the details during an application error. Normally, the APM agent will sanitize sensitive HTTP header details before sending the information to the APM server. During an application error it is possible the headers will not be sanitized before being sent.
Anyone using Elastic APM .NET Agent should upgrade to version 1.10.0
ESA-2021-02
CVE-2021-22133
2021-02-04
The Elastic APM agent for Go can leak sensitive HTTP header information when logging the details during an application panic. Normally, the APM agent will sanitize sensitive HTTP header details before sending the information to the APM server. During an application panic it is possible the headers will not be sanitized before being sent.
Elastic thanks Rob Liebowitz, Senior Software Engineer at Morning Consult for reporting this issue.
Anyone using APM Agent for Go should upgrade to version 1.11.0
ESA-2019-16
CVE-2019-17596
2019-12-02
A denial of service flaw when parsing malformed DSA public keys was discovered in Go, the language used to implement APM Server. If APM Server versions before 7.5.0 is configured to accept incoming TLS connections with client authentication enabled, a remote attacker could cause APM Server to stop processing events.
Users should upgrade to APM Server 7.5.0.
We are unable to upgrade APM server version 6.8 due to the version of Go used. It is possible to mitigate this flaw if users are unable to upgrade to version 7.5.0.
The APM server is vulnerable to this if configured to accept incoming TLS connections with client authentication enabled. Instances configured in this manner and unable to upgrade to version 7.5.0 should use firewall rules to prevent malicious access. Alternatively a TLS termination proxy such as stunnel could be configured to prevent direct incoming TLS connections.
ESA-2019-11
CVE-2019-7617
2019-08-21
When the Elastic APM agent for Python is run as a CGI script, there is a variable name clash flaw if a remote attacker can control the proxy header. This could result in an attacker redirecting collected APM data to a proxy of their choosing.
This flaw only affects the APM agent for Python when it is run as a CGI script. If you are not using the agent as a CGI script this flaw does not affect you.
Users running the Elastic APM agent for Python as a CGI script should upgrade to Elastic APM agent for Python version 5.1.0 or later.
ESA-2019-08
CVE-2019-7615
2019-07-30
A TLS certificate validation flaw was found in Elastic APM agent for Ruby versions before 2.9.0. When specifying a trusted server CA certificate via the ‘server_ca_cert’ setting, the Ruby agent would not properly verify the certificate returned by the APM server. This could result in a man in the middle style attack against the Ruby agent.
Users should upgrade to Elastic APM agent for Ruby version 2.9.0 or later.
Enterprise Search
ESA ID
CVE
Date Disclosed
Vulnerability Summary
Remediation Summary
ESA-2021-20
CVE-2021-22149
2021-08-03
A flaw in Elastic App Search was discovered where API keys were missing authorization via an alternate route. Using this vulnerability, an authenticated attacker could utilize API keys belonging to higher privileged users.
Users should upgrade to version 7.14.0
ESA-2021-19
CVE-2021-22148
2021-08-03
A flaw in Elastic App Search was discovered where API keys were not bound to the same engines as their creator. This could lead to a less privileged user gaining access to unauthorized engines.
Users should upgrade to version 7.14.0
ESA-2021-11
CVE-2021-22140
2021-04-27
An XML External Entity Injection issue (XXE) was found in the App Search web crawler beta feature. Using this vector, an attacker whose website is being crawled by App Search could craft a malicious sitemap.xml to traverse the filesystem of the host running the instance and obtain sensitive files.
Thank you to Dominic Couture for this finding
Customers that are utilizing the App Search web crawler should upgrade to 7.12.1 or above
ESA-2020-14
CVE-2016-11086
2020-10-22
A TLS certificate validation flaw in the Atlassian connector was found in the oauth-ruby library used by Elastic Enterprise Search versions before 7.9.3.
When configuring Enterprise Search to connect to a Confluence Server, Jira Server, Confluence Cloud, or Jira Cloud the TLS certificate will not be properly verified by the oauth-ruby library. This could result in a man in the middle style attack against Enterprise Search connecting to an Atlassian service.
Anyone using Atlassian connectors should upgrade to Enterprise Search version 7.9.3. There is no known workaround for this flaw.
ESA-2020-11
CVE-2020-7018
2020-08-18
Elastic Enterprise Search versions before 7.9.0 contain a credential exposure flaw in the App Search interface. If a user is given the ‘developer’ role, they will be able to view the administrator API credentials. These credentials could allow the developer user to conduct operations with the same permissions of the App Search administrator.
Thanks to Matt Peel of Silverstripe for reporting this vulnerability.
Users should upgrade to Enterprise Search version 7.9.0. Users unable to upgrade can remove the developer role from App Search users and reset their existing API keys.
ESA-2020-04
CVE-2020-7011
2020-05-13
Elastic App Search versions before 7.7.0 contain a cross site scripting (XSS) flaw when displaying document URLs in the Reference UI. If the Reference UI injects a URL into a result, that URL will be rendered by the web browser. If an attacker is able to control the contents of such a field, they could execute arbitrary JavaScript in the victim’s web browser.
Users should upgrade to Elastic Enterprise Search version 7.7.0. There is no known workaround for this issue.