SB2017061707 - Multiple vulnerabilities in Kibana

Description

This security bulletin contains information about 2 vulnerabilities.

1) Improper Authorization (CVE-ID: CVE-2016-1000219)

CWE-ID: CWE-285 - Improper Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote non-authenticated attacker to manipulate data.

Kibana before 4.5.4 and 4.1.11 when a custom output is configured for logging in, cookies and authorization headers could be written to the log files. This information could be used to hijack sessions of other users when using Kibana behind some form of authentication such as Shield.

2) Cross-site scripting (CVE-ID: CVE-2016-1000220)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack that would allow an attacker to execute arbitrary JavaScript in users' browsers.

Remediation

Install update from vendor's website.

References

• http://www.securityfocus.com/bid/99178
• https://www.elastic.co/community/security
• http://www.securityfocus.com/bid/99179