Bug 1696032 (CVE-2019-7610)

Summary: CVE-2019-7610 kibana: Audit logging Remote Code Execution issue
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: ahardin, aos-bugs, bleanhar, bmontgom, ccoleman, dbecker, dedgar, eparis, jburrell, jcantril, jgoulding, jjoyce, jokerman, jschluet, kbasil, lhh, lpeer, mburns, mchappel, mmagr, nstielau, sclewis, slinaber, sponnaga
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kibana 5.6.15, kibana 6.6.1 Doc Type: If docs needed, set a value
Doc Text:
An arbitrary code execution flaw was found in Kibana in versions prior to 5.6.15 and 6.6.1. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:53:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1747796    
Bug Blocks: 1696033    

Description Pedro Sampaio 2019-04-04 03:47:15 UTC 
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.

References:

https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
Comment 10 Jason Shepherd 2019-09-26 06:23:23 UTC 
Statement:

Red Hat OpenStack Platform 8.0/9.0 Operational Tools Kibana/Elasticsearch versions do not include nor support X-Pack (8/9 versions must use the optional Shield, also not packaged); not affected.

Red Hat OpenShift Container Platform 4.1, and 3.x do not install the vulnerable package (Shield for Kibana 4, and X-Pack for Kibana 5), so the impact is lowered to moderate.
Comment 11 errata-xmlrpc 2019-09-27 01:35:11 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:2860 https://access.redhat.com/errata/RHSA-2019:2860
Comment 13 Eric Christensen 2020-04-29 14:16:36 UTC 
External References:

https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077