An Elastic Security Advisory (ESA) is a notice from Elastic to its users about a newly disclosed vulnerability in one of its products, such as Elasticsearch or Kibana. Elastic assigns both a CVE and an ESA identifier to each advisory, along with a summary and remediation details. When Elastic receives a report, it evaluates the issue and, if it is confirmed as a vulnerability, develops a fix and releases a remediation in a timeframe that matches the severity. We’ve compiled a list of some of the most recent advisories and exactly what you need to do to fix them.
Elasticsearch Vulnerability: Disclosure Flaw (2020-08-18)
ESA ID: ESA-2020-12
CVE ID: CVE-2020-7019
A field disclosure flaw was found in Elasticsearch when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker gaining additional permissions against a restricted index.
Remediation
Upgrade to Elasticsearch version 7.9.0 or 6.8.12.
XSS Flaw in Kibana (2020-07-27)
ESA ID: ESA-2020-10
CVE ID: CVE-2020-7017
The region map visualization in Kibana contains a stored XSS flaw. An attacker who is able to edit or create a region map visualization could obtain sensitive information or perform destructive actions on behalf of Kibana users who view the region map visualization.
Remediation
Users should upgrade to Kibana version 7.8.1 or 6.8.11. If you’re unable to upgrade, you can set xpack.maps.enabled: false, region_map.enabled: false and tile_map.enabled: false in kibana.yml to disable map visualizations.
Users running version 6.7.0 or later have a reduced risk from this XSS vulnerability when Kibana is configured to use the default Content Security Policy (CSP). While the CSP prevents XSS, it does not mitigate the underlying HTML injection vulnerability.
DoS Kibana Vulnerability in Timelion (2020-07-27)
ESA ID: ESA-2020-09
CVE ID: CVE-2020-7016
Kibana versions before 6.8.11 and 7.8.1 contain a Denial of Service (DoS) flaw in Timelion. An attacker can construct a URL that, when viewed by a Kibana user, can cause the Kibana process to consume large amounts of CPU and become unresponsive.
Remediation
Users should upgrade to Kibana version 7.8.1 or 6.8.11. Users unable to upgrade can disable Timelion by setting timelion.enabled to false in the kibana.yml configuration file.
XSS Flaw in TSVB Visualization (2020-06-23)
ESA ID: ESA-2020-08
CVE ID: CVE-2020-7015
The TSVB visualization in Kibana contains a stored XSS flaw. An attacker who is able to edit or create a TSVB visualization could obtain sensitive information from, or perform destructive actions on behalf of, Kibana users who edit the TSVB visualization.
Remediation
Users should upgrade to Kibana version 7.7.1 or 6.8.10. Users unable to upgrade can disable TSVB by setting metrics.enabled: false in the kibana.yml file.
Privilege Escalation Elasticsearch Vulnerability (2020-06-03)
ESA ID: ESA-2020-07
CVE ID: CVE-2020-7014
The fix for CVE-2020-7009 was found to be incomplete. Elasticsearch versions from 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a privilege escalation flaw if an attacker is able to create both API keys and authentication tokens. An attacker who is able to generate an API key and an authentication token can perform a series of steps that result in an authentication token being generated with elevated privileges.
Remediation
Users should upgrade to Elasticsearch version 7.7.0 or 6.8.9. Users who are unable to upgrade can mitigate this flaw by disabling API keys, setting xpack.security.authc.api_key.enabled to false in the elasticsearch.yml file.
Prototype Pollution Flaw in TSVB on Kibana (2020-06-03)
ESA ID: ESA-2020-06
CVE ID: CVE-2020-7013
Kibana versions before 6.8.9 and 7.7.0 contain a prototype pollution flaw in TSVB. An authenticated attacker with privileges to create TSVB visualizations could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker executing code with the permissions of the Kibana process on the host system.
Remediation
Users should upgrade to Kibana version 7.7.0 or 6.8.9. Users unable to upgrade can disable TSVB by setting metrics.enabled: false in the kibana.yml file. Elastic Cloud Kibana versions are not affected by this flaw.
Prototype Pollution Flaw in Upgrade Assistant on Kibana (2020-06-03)
ESA ID: ESA-2020-05
CVE ID: CVE-2020-7012
Kibana versions from 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. An authenticated attacker with privileges to write to the Kibana index could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker executing code with the permissions of the Kibana process on the host system.
Remediation
Users should upgrade to Kibana version 7.7.0 or 6.8.9. Users unable to upgrade can disable the Upgrade Assistant by setting the following option in Kibana; note that the setting name depends on the Kibana version:
- Kibana versions 6.7.0 and 6.7.1: set upgrade_assistant.enabled: false in the kibana.yml file.
- Kibana versions 6.7.2 and later: set xpack.upgrade_assistant.enabled: false in the kibana.yml file.
This flaw is mitigated by default in all Elastic Cloud Kibana versions.
Privilege Escalation Elasticsearch Vulnerability (2020-03-31)
ESA ID: ESA-2020-02
CVE ID: CVE-2020-7009
Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevated privileges.
Remediation
Users should upgrade to Elasticsearch version 7.6.2 or 6.8.8. Users who are unable to upgrade can mitigate this flaw by disabling API keys, setting xpack.security.authc.api_key.enabled to false in the elasticsearch.yml file.
Node.js Vulnerability in Kibana (2020-03-04)
ESA ID: ESA-2020-01
CVE IDs:
- CVE-2019-15604
- CVE-2019-15606
- CVE-2019-15605
The version of Node.js shipped in all versions of Kibana prior to 7.6.1 and 6.8.7 contains three security flaws. CVE-2019-15604 describes a Denial of Service (DoS) flaw in the TLS handling code of Node.js; successful exploitation could crash Kibana. CVE-2019-15606 and CVE-2019-15605 describe flaws in how Node.js handles malformed HTTP headers. These malformed headers could enable an HTTP request smuggling attack when Kibana is running behind a proxy that is itself vulnerable to HTTP request smuggling.
Remediation
Administrators running Kibana in an environment with untrusted users should upgrade to version 7.6.1 or 6.8.7. There is no workaround for the DoS issue. It may be possible to mitigate the HTTP request smuggling issues on the proxy server. Users should consult their proxy vendor for instructions on how to mitigate HTTP request smuggling attacks.
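As an added example (not Elastic's code), the following Python script maps an installed Elasticsearch or Kibana version to the advisories above and lists the configuration workaround each one offers. The ESA identifiers, version ranges and settings are taken from the advisories above; where an advisory names only the fixed release, the script assumes every earlier release on that major branch is affected.

```python
# Added example (not Elastic's code): given an installed Elasticsearch or Kibana version,
# list the advisories on this page that still apply and the config-file workaround each
# offers. Where an advisory names only the fixed release, every earlier release on that
# major branch is treated as affected (an assumption, not a statement from the advisory).
from typing import Callable, List, Tuple

Version = Tuple[int, int, int]

def parse(v: str) -> Version:
    major, minor, patch = (int(x) for x in v.split("."))
    return (major, minor, patch)

def rng(lo: str, first_fixed: str) -> Tuple[Version, Version]:
    return (parse(lo), parse(first_fixed))  # lo inclusive, first fixed release exclusive

def before(*fixed: str) -> List[Tuple[Version, Version]]:
    """'Versions before X' on each major branch named by the advisory."""
    return [rng(f"{parse(f)[0]}.0.0", f) for f in fixed]

def const(*settings: str) -> Callable[[Version], List[str]]:
    return lambda _v: list(settings)

def upgrade_assistant(v: Version) -> List[str]:
    # The setting name changed in 6.7.2 (ESA-2020-05 remediation).
    key = "upgrade_assistant.enabled" if v < (6, 7, 2) else "xpack.upgrade_assistant.enabled"
    return [f"kibana.yml: {key}: false"]

API_KEYS_OFF = "elasticsearch.yml: xpack.security.authc.api_key.enabled: false"
ADVISORIES = [  # (ESA id, product, affected ranges, workaround settings for a given version)
    ("ESA-2020-12", "elasticsearch", before("6.8.12", "7.9.0"), const()),  # upgrade only
    ("ESA-2020-10", "kibana", before("6.8.11", "7.8.1"), const(
        "kibana.yml: xpack.maps.enabled: false", "kibana.yml: region_map.enabled: false",
        "kibana.yml: tile_map.enabled: false")),
    ("ESA-2020-09", "kibana", before("6.8.11", "7.8.1"), const("kibana.yml: timelion.enabled: false")),
    ("ESA-2020-08", "kibana", before("6.8.10", "7.7.1"), const("kibana.yml: metrics.enabled: false")),
    ("ESA-2020-07", "elasticsearch", [rng("6.7.0", "6.8.9"), rng("7.0.0", "7.7.0")], const(API_KEYS_OFF)),
    ("ESA-2020-06", "kibana", before("6.8.9", "7.7.0"), const("kibana.yml: metrics.enabled: false")),
    ("ESA-2020-05", "kibana", [rng("6.7.0", "6.8.9"), rng("7.0.0", "7.7.0")], upgrade_assistant),
    ("ESA-2020-02", "elasticsearch", [rng("6.7.0", "6.8.8"), rng("7.0.0", "7.6.2")], const(API_KEYS_OFF)),
    ("ESA-2020-01", "kibana", before("6.8.7", "7.6.1"), const()),  # no workaround for the DoS
]

def applicable(product: str, version: str) -> List[Tuple[str, List[str]]]:
    """Return (ESA id, workaround settings) for every advisory affecting this install."""
    v = parse(version)
    return [(esa, fix(v)) for esa, prod, ranges, fix in ADVISORIES
            if prod == product and any(lo <= v < hi for lo, hi in ranges)]

if __name__ == "__main__":
    for esa, settings in applicable("kibana", "6.7.1"):
        print(esa, settings or "upgrade only")
```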