Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 9 Sep 2016 09:42:12 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>, security@...stis.co
Subject: Re: CVEs for public Kibana / logstash issues

As per discussion with MITRE the DWF will assign these CVEs (I had assumed
Elastic.co had asked for some already hence the public query). The CVEs for
this are in commit:
https://github.com/distributedweaknessfiling/DWF-Database/commit/b894223ca5da3dd5bb9dde8ba6b13cf2c53fa1fe

On Thu, Sep 8, 2016 at 9:02 AM, Kurt Seifried <kseifried@...hat.com> wrote:

> I just checked https://www.elastic.co/community/security and the Kibana
> issues do not have CVEs, can you please assign CVEs for:
>
> Kibana:
>
> ESA-2016-05 2016-09-06
> Version 2.4.0 of the Reporting plugin is vulnerable to a CSRF
> vulnerability that could allow an attacker to generate superfluous reports
> whenever an authenticated Kibana user navigates to a specially-crafted page. Users
> of the Reporting plugin should upgrade Kibana to 4.6.1 and Reporting to
> 2.4.1.
>

CVE-2016-1000218


>
> ESA-2016-04 2016-08-03
> When a custom output is configured for logging in versions of Kibana
> before 4.5.4 and 4.1.11, cookies and authorization headers could be written
> to the log files. This information could be used to hijack sessions of
> other users when using Kibana behind some form of authentication such as
> Shield. Users should upgrade to 4.5.4 or 4.1.11.
>

CVE-2016-1000219


>
> ESA-2016-03 2016-08-03
> Versions of Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack
> that would allow an attacker to execute arbitrary JavaScript in users'
> browsers. Users should upgrade to 4.5.4 or 4.1.11.
>

CVE-2016-1000220


>
> Logstash:
>
> ESA-2016-02 2016-07-07
> Prior to version 2.3.4, Elasticsearch Output plugin would log to file HTTP
> authorization headers which could contain sensitive information. Users
> who secure communication from Logstash to Elasticsearch via Basic
> Authorization using Elastic Shield or other systems are advised to upgrade
> to this version.
>

CVE-2016-1000221


>
> ESA-2016-01 2016-02-02
> Prior to version 2.1.2, the CSV output can be attacked via engineered
> input that will create malicious formulas in the CSV data. Users that
> currently use Logstash CSV output plugin or may want to use it in the
> future should upgrade to 2.2.0 or 2.1.2.
>

CVE-2016-1000222


>
> Thanks
>
> --
>
> --
> Kurt Seifried -- Red Hat -- Product Security -- Cloud
> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
> Red Hat Product Security contact: secalert@...hat.com
>



-- 

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.