Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 8 Sep 2016 09:02:24 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>, security@...stis.co
Subject: CVEs for public Kibana / logstash issues

I just checked https://www.elastic.co/community/security and the Kibana
issues do not have CVEs, can you please assign CVEs for:

Kibana:

ESA-2016-05 2016-09-06
Version 2.4.0 of the Reporting plugin is vulnerable to a CSRF vulnerability
that could allow an attacker to generate superfluous reports whenever an
authenticated Kibana user navigates to a specially-crafted page. Users of
the Reporting plugin should upgrade Kibana to 4.6.1 and Reporting to 2.4.1.

ESA-2016-04 2016-08-03
When a custom output is configured for logging in versions of Kibana before
4.5.4 and 4.1.11, cookies and authorization headers could be written to the
log files. This information could be used to hijack sessions of other users
when using Kibana behind some form of authentication such as Shield. Users
should upgrade to 4.5.4 or 4.1.11.

ESA-2016-03 2016-08-03
Versions of Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack
that would allow an attacker to execute arbitrary JavaScript in users'
browsers. Users should upgrade to 4.5.4 or 4.1.11.

Logstash:

ESA-2016-02 2016-07-07
Prior to version 2.3.4, Elasticsearch Output plugin would log to file HTTP
authorization headers which could contain sensitive information. Users who
secure communication from Logstash to Elasticsearch via Basic Authorization
using Elastic Shield or other systems are advised to upgrade to this
version.

ESA-2016-01 2016-02-02
Prior to version 2.1.2, the CSV output can be attacked via engineered input
that will create malicious formulas in the CSV data. Users that currently
use Logstash CSV output plugin or may want to use it in the future should
upgrade to 2.2.0 or 2.1.2.

Thanks

-- 

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.