Date: Fri, 9 Sep 2016 09:42:12 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>, security@...stis.co
Subject: Re: CVEs for public Kibana / logstash issues

As per discussion with MITRE, the DWF will assign these CVEs (I had assumed
Elastic.co had asked for some already, hence the public query). The CVEs for
this are in commit:
https://github.com/distributedweaknessfiling/DWF-Database/commit/b894223ca5da3dd5bb9dde8ba6b13cf2c53fa1fe

On Thu, Sep 8, 2016 at 9:02 AM, Kurt Seifried <kseifried@...hat.com> wrote:

> I just checked https://www.elastic.co/community/security and the Kibana
> issues do not have CVEs; can you please assign CVEs for:
>
> Kibana:
>
> ESA-2016-05 2016-09-06
> Version 2.4.0 of the Reporting plugin is vulnerable to a CSRF
> vulnerability that could allow an attacker to generate superfluous reports
> whenever an authenticated Kibana user navigates to a specially-crafted page. Users
> of the Reporting plugin should upgrade Kibana to 4.6.1 and Reporting to
> 2.4.1.
>

CVE-2016-1000218


>
> ESA-2016-04 2016-08-03
> When a custom output is configured for logging in versions of Kibana
> before 4.5.4 and 4.1.11, cookies and authorization headers could be written
> to the log files. This information could be used to hijack sessions of
> other users when using Kibana behind some form of authentication such as
> Shield. Users should upgrade to 4.5.4 or 4.1.11.
>

CVE-2016-1000219


>
> ESA-2016-03 2016-08-03
> Versions of Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack
> that would allow an attacker to execute arbitrary JavaScript in users'
> browsers. Users should upgrade to 4.5.4 or 4.1.11.
>

CVE-2016-1000220


>
> Logstash:
>
> ESA-2016-02 2016-07-07
> Prior to version 2.3.4, Elasticsearch Output plugin would log to file HTTP
> authorization headers which could contain sensitive information. Users
> who secure communication from Logstash to Elasticsearch via Basic
> Authorization using Elastic Shield or other systems are advised to upgrade
> to this version.
>

CVE-2016-1000221


>
> ESA-2016-01 2016-02-02
> Prior to version 2.1.2, the CSV output can be attacked via engineered
> input that will create malicious formulas in the CSV data. Users that
> currently use Logstash CSV output plugin or may want to use it in the
> future should upgrade to 2.2.0 or 2.1.2.
>

CVE-2016-1000222


>
> Thanks
>
> --
>
> --
> Kurt Seifried -- Red Hat -- Product Security -- Cloud
> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
> Red Hat Product Security contact: secalert@...hat.com
>



-- 

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com
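ESA-2016-04 and ESA-2016-02 above both describe the same failure mode: a logging output that copied cookies or HTTP Authorization headers into a log file, where anyone who can read the file can replay the session. The following is an added example, not code from Kibana, Logstash or Elastic; it shows the defensive pattern of scrubbing credential-bearing headers at the logging boundary, both on a header mapping and inside an already-formatted log line. The header names, the `RedactingFilter` class and the sample request values are constructed for this example.

```python
"""Redact credential-bearing HTTP headers before they reach a log file.

Added example, not Kibana or Logstash code.  The header names, the filter
class and the sample values are constructed for illustration.
"""
import io
import logging
import re

# Header names whose values must never be written in clear text.
SENSITIVE_HEADERS = frozenset(
    {"authorization", "proxy-authorization", "cookie", "set-cookie"}
)
REDACTED = "[REDACTED]"

# Matches fragments such as  Authorization: Basic dXNlcjpwYXNz  or the
# repr-style  'Cookie': 'sid=abc'  inside a free-form log line.  The value
# is consumed up to the next quote or end of line, so a whole Cookie header
# (several "k=v;" pairs) is redacted in one go.
_HEADER_IN_TEXT = re.compile(
    r"(?i)\b(authorization|proxy-authorization|cookie|set-cookie)"
    r"(['\"]?\s*[:=]\s*['\"]?)([^'\"\r\n]+)"
)


def redact_headers(headers):
    """Return a copy of a header mapping with sensitive values replaced."""
    return {
        name: (REDACTED if name.lower() in SENSITIVE_HEADERS else value)
        for name, value in headers.items()
    }


def redact_text(line):
    """Scrub header values that are embedded in an already-formatted line."""
    return _HEADER_IN_TEXT.sub(lambda m: m.group(1) + m.group(2) + REDACTED, line)


class RedactingFilter(logging.Filter):
    """Rewrite each record's message before any handler emits it."""

    def filter(self, record):
        # getMessage() applies the %-arguments, so scrub the final text and
        # drop the args to prevent a second interpolation by the formatter.
        record.msg = redact_text(record.getMessage())
        record.args = ()
        return True


def log_request_with_redaction(headers):
    """Log a request's headers through a redacting handler; return what was written."""
    stream = io.StringIO()
    logger = logging.getLogger("example.redacted")
    logger.handlers.clear()  # keep repeated calls from stacking handlers
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    logger.info("inbound request headers=%s", headers)
    handler.flush()
    return stream.getvalue()


if __name__ == "__main__":
    # Constructed sample: a Basic credential and a session cookie that must not leak.
    sample = {
        "Authorization": "Basic dXNlcjpwYXNz",
        "Cookie": "sid=abc123; theme=dark",
        "Host": "kibana.example",
    }
    print(redact_headers(sample))
    print(log_request_with_redaction(sample), end="")
```

Attaching the filter to the handler rather than the logger means it also covers records that arrive via `propagate` from child loggers, which is where a custom output configured for a plugin typically sits.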
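ESA-2016-01 above describes CSV formula injection: a value that begins with a formula trigger character is executed, not displayed, once the exported file is opened in a spreadsheet. The following is an added example, not code from the Logstash CSV output plugin; it shows the usual mitigation of prefixing such cells with a single quote so the spreadsheet treats them as text, while leaving genuine numbers (which also begin with `-` or `+`) untouched. The trigger list, the function names and the sample rows are constructed for this example.

```python
"""Neutralise spreadsheet formula injection when writing untrusted data to CSV.

Added example, not the Logstash CSV output plugin.  The trigger characters,
helper names and sample rows are constructed for illustration.
"""
import csv
import io

# Leading characters that common spreadsheets interpret as the start of a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return the cell as text that a spreadsheet will not evaluate.

    Numeric strings such as "-5" or "+1e3" are left alone; anything else that
    starts with a trigger character (after leading whitespace) is prefixed
    with a single quote, which spreadsheets treat as a text marker.
    """
    text = str(value)
    try:
        float(text)
        return text  # a real number, not a formula
    except ValueError:
        pass
    if text.lstrip().startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def write_csv(rows, neutralize=True):
    """Serialise rows to CSV text, optionally neutralising formula cells."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(c) if neutralize else c for c in row])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a comment field controlled by an untrusted sender.
    rows = [
        ["user", "balance", "comment"],
        ["alice", "-5", "=1+1"],
        ["bob", "42", "@SUM(A1:A3)"],
        ["carol", "+7", "hello"],
    ]
    print("vulnerable output:")
    print(write_csv(rows, neutralize=False))
    print("neutralised output:")
    print(write_csv(rows))
```

The `float()` check is what keeps the mitigation from mangling legitimate negative or signed numbers, which is the most common complaint when this defence is bolted onto an existing exporter; if the exporter can instead quote every cell and rely on the consumer not being a spreadsheet, that is a simpler alternative.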
