Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 678948 (CVE-2019-7608, CVE-2019-7609, CVE-2019-7610, ESA-2019-01, ESA-2019-02, ESA-2019-03)

Summary: <www-apps/kibana-bin-{5.6.15,6.6.1}: multiple vulnerabilities (CVE-2019-{7608,7609,7610})
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: hydrapolic, proxy-maint
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
See Also: https://github.com/gentoo/gentoo/pull/11252
Whiteboard: ~2 [noglsa]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2019-02-27 16:51:14 UTC
Incoming details.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2019-02-27 16:55:52 UTC
Kibana XSS issue (ESA-2019-01)

Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS) vulnerability that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

Affected Versions
Kibana versions before 5.6.15 and 6.6.1

Solutions and Mitigations:
Users should upgrade to Kibana version 6.6.1 or 5.6.15

CVE ID: CVE-2019-7608

Kibana Timelion Remote Code Execution issue (ESA-2019-02)

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.

Affected Versions
Kibana versions before 5.6.15 and 6.6.1

Solutions and Mitigations:
Users should upgrade to Kibana version 6.6.1 or 5.6.15. Users unable to upgrade can disable Timelion by setting timelion.enabled to false in the kibana.yml configuration file.

CVE ID: CVE-2019-7609

Kibana audit logging Remote Code Execution issue (ESA-2019-03)

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.

Affected Versions
Kibana versions before 5.6.15 and 6.6.1

Solutions and Mitigations:
Users should upgrade to Kibana version 6.6.1 or 5.6.15. User unable to upgrade can set the xpack.security.audit.enabled setting to false in the kibana.yml configuration file if it is currently set to true. The setting defaults to false if not specified in the configuration file.

CVE ID: CVE-2019-7610
Comment 2 Larry the Git Cow gentoo-dev 2019-03-04 15:57:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=04f4063b154a36780b2433cfe24b0dab5364dbfa

commit 04f4063b154a36780b2433cfe24b0dab5364dbfa
Author:     Tomas Mozes <hydrapolic@gmail.com>
AuthorDate: 2019-03-04 10:52:55 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-03-04 15:54:24 +0000

    www-apps/kibana-bin: drop vulnerable
    
    Bug: https://bugs.gentoo.org/678948
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-apps/kibana-bin/Manifest                 |  7 ---
 www-apps/kibana-bin/kibana-bin-5.6.14.ebuild | 70 --------------------------
 www-apps/kibana-bin/kibana-bin-6.3.2.ebuild  | 71 --------------------------
 www-apps/kibana-bin/kibana-bin-6.4.3.ebuild  | 74 ----------------------------
 www-apps/kibana-bin/kibana-bin-6.5.4.ebuild  | 74 ----------------------------
 5 files changed, 296 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3ef30d1919179741deff381ef991b62c1e17023f

commit 3ef30d1919179741deff381ef991b62c1e17023f
Author:     Tomas Mozes <hydrapolic@gmail.com>
AuthorDate: 2019-03-04 10:52:26 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-03-04 15:54:17 +0000

    www-apps/kibana-bin: bump to 6.6.1
    
    Bug: https://bugs.gentoo.org/678948
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-apps/kibana-bin/Manifest                |  2 +
 www-apps/kibana-bin/kibana-bin-6.6.1.ebuild | 74 +++++++++++++++++++++++++++++
 2 files changed, 76 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6a39fada98fb5e2153b25366445698f02ee683f8

commit 6a39fada98fb5e2153b25366445698f02ee683f8
Author:     Tomas Mozes <hydrapolic@gmail.com>
AuthorDate: 2019-03-04 10:52:04 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-03-04 15:54:09 +0000

    www-apps/kibana-bin: bump to 5.6.15
    
    Bug: https://bugs.gentoo.org/678948
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-apps/kibana-bin/Manifest                 |  1 +
 www-apps/kibana-bin/kibana-bin-5.6.15.ebuild | 70 ++++++++++++++++++++++++++++
 2 files changed, 71 insertions(+)
Comment 3 Tomáš Mózes 2019-09-20 16:32:27 UTC
No vulnerable version in tree. It has no stable versions.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-26 20:47:09 UTC
Package has no stable ebuild.

Repository is clean, all done!