Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 678948 (CVE-2019-7608, CVE-2019-7609, CVE-2019-7610, ESA-2019-01, ESA-2019-02, ESA-2019-03) - <www-apps/kibana-bin-{5.6.15,6.6.1}: multiple vulnerabilities (CVE-2019-{7608,7609,7610})
Summary: <www-apps/kibana-bin-{5.6.15,6.6.1}: multiple vulnerabilities (CVE-2019-{7608...
Status: RESOLVED FIXED
Alias: CVE-2019-7608, CVE-2019-7609, CVE-2019-7610, ESA-2019-01, ESA-2019-02, ESA-2019-03
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://discuss.elastic.co/t/elastic-...
Whiteboard: ~2 [noglsa]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2019-02-27 16:51 UTC by GLSAMaker/CVETool Bot
Modified: 2019-10-26 20:47 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2019-02-27 16:51:14 UTC 
Incoming details.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2019-02-27 16:55:52 UTC 
Kibana XSS issue (ESA-2019-01)

Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS) vulnerability that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

Affected Versions
Kibana versions before 5.6.15 and 6.6.1

Solutions and Mitigations:
Users should upgrade to Kibana version 6.6.1 or 5.6.15

CVE ID: CVE-2019-7608

Kibana Timelion Remote Code Execution issue (ESA-2019-02)

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.

Affected Versions
Kibana versions before 5.6.15 and 6.6.1

Solutions and Mitigations:
Users should upgrade to Kibana version 6.6.1 or 5.6.15. Users unable to upgrade can disable Timelion by setting timelion.enabled to false in the kibana.yml configuration file.

CVE ID: CVE-2019-7609

Kibana audit logging Remote Code Execution issue (ESA-2019-03)

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.

Affected Versions
Kibana versions before 5.6.15 and 6.6.1

Solutions and Mitigations:
Users should upgrade to Kibana version 6.6.1 or 5.6.15. User unable to upgrade can set the xpack.security.audit.enabled setting to false in the kibana.yml configuration file if it is currently set to true. The setting defaults to false if not specified in the configuration file.

CVE ID: CVE-2019-7610
Comment 2 Larry the Git Cow gentoo-dev 2019-03-04 15:57:51 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=04f4063b154a36780b2433cfe24b0dab5364dbfa

commit 04f4063b154a36780b2433cfe24b0dab5364dbfa
Author:     Tomas Mozes <hydrapolic@gmail.com>
AuthorDate: 2019-03-04 10:52:55 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-03-04 15:54:24 +0000

    www-apps/kibana-bin: drop vulnerable
    
    Bug: https://bugs.gentoo.org/678948
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-apps/kibana-bin/Manifest                 |  7 ---
 www-apps/kibana-bin/kibana-bin-5.6.14.ebuild | 70 --------------------------
 www-apps/kibana-bin/kibana-bin-6.3.2.ebuild  | 71 --------------------------
 www-apps/kibana-bin/kibana-bin-6.4.3.ebuild  | 74 ----------------------------
 www-apps/kibana-bin/kibana-bin-6.5.4.ebuild  | 74 ----------------------------
 5 files changed, 296 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3ef30d1919179741deff381ef991b62c1e17023f

commit 3ef30d1919179741deff381ef991b62c1e17023f
Author:     Tomas Mozes <hydrapolic@gmail.com>
AuthorDate: 2019-03-04 10:52:26 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-03-04 15:54:17 +0000

    www-apps/kibana-bin: bump to 6.6.1
    
    Bug: https://bugs.gentoo.org/678948
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-apps/kibana-bin/Manifest                |  2 +
 www-apps/kibana-bin/kibana-bin-6.6.1.ebuild | 74 +++++++++++++++++++++++++++++
 2 files changed, 76 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6a39fada98fb5e2153b25366445698f02ee683f8

commit 6a39fada98fb5e2153b25366445698f02ee683f8
Author:     Tomas Mozes <hydrapolic@gmail.com>
AuthorDate: 2019-03-04 10:52:04 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-03-04 15:54:09 +0000

    www-apps/kibana-bin: bump to 5.6.15
    
    Bug: https://bugs.gentoo.org/678948
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-apps/kibana-bin/Manifest                 |  1 +
 www-apps/kibana-bin/kibana-bin-5.6.15.ebuild | 70 ++++++++++++++++++++++++++++
 2 files changed, 71 insertions(+)
Comment 3 Tomáš Mózes 2019-09-20 16:32:27 UTC 
No vulnerable version in tree. It has no stable versions.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-26 20:47:09 UTC 
Package has no stable ebuild.

Repository is clean, all done!