Bug 1834550 (CVE-2020-10743)

Summary: CVE-2020-10743 kibana: X-Frame-Option not set by default might lead to clickjacking
Product: [Other] Security Response
Reporter: Jason Shepherd <jshepherd>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: aos-bugs, bmontgom, eparis, jburrell, jcantril, jokerman, nstielau, sponnaga
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana, such as clickjacking.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-09-16 13:17:46 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1832783, 1834554
Bug Blocks: 1831257

Description Jason Shepherd 2020-05-11 22:45:06 UTC
It was discovered that kibana could be opened in an iframe, which made it possible to intercept and manipulate requests. An attacker could use this flaw to trick a user into performing arbitrary actions in kibana (clickjacking).

Comment 3 Jason Shepherd 2020-05-11 23:23:03 UTC
Upstream issue:

https://github.com/gardener/gardener/issues/1860

Comment 5 Jason Shepherd 2020-05-13 20:53:12 UTC
The previous upstream issue references a similar issue in gardener; however, the correct upstream project for this OpenShift Container Platform (OCP) component is actually github.com/elastic/kibana. They don't consider this a vulnerability, but may address it in a future release. For a discussion on this topic, see this upstream issue:

https://github.com/elastic/kibana/issues/52809

The CVE assigned for this issue is for OCP's deployment of kibana only, not the upstream project.

Comment 8 Jason Shepherd 2020-05-13 21:06:42 UTC
Statement:

This CVE relates specifically to OpenShift Container Platform's distribution of Kibana. Upstream Kibana does not consider this a vulnerability, but may address this in a future version:

https://github.com/elastic/kibana/issues/52809

Comment 9 Jason Shepherd 2020-05-13 21:06:44 UTC
Mitigation:

Any Kibana version with this commit [1] can add the following configuration option to mitigate the problem:

config/kibana.yml:
server.customResponseHeaders: {"x-frame-options":"deny"}
or
server.customResponseHeaders: {"x-frame-options":"sameorigin"}

[1] https://github.com/elastic/kibana/pull/13045
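As an added example (not part of this report or of the Kibana project), the following Python classifies the anti-framing policy expressed by a set of response headers, such as those a Kibana instance emits from the server.customResponseHeaders setting above, so a deployment can be verified after the mitigation is applied. The helper names and the sample responses are constructed for the example.

```python
from typing import Mapping, Optional

# Added example (not from the report or the Kibana project). Classifies the framing
# policy a server's response headers express, e.g. the headers that Kibana emits
# from the server.customResponseHeaders setting quoted in the mitigation.


def _get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_protection(headers: Mapping[str, str]) -> str:
    """Return "deny", "sameorigin", "restricted", "invalid" or "unprotected".

    A Content-Security-Policy frame-ancestors directive overrides X-Frame-Options
    in browsers that support it, so it is evaluated first.
    """
    csp = _get_header(headers, "content-security-policy")
    if csp:
        for directive in csp.split(";"):
            parts = directive.strip().split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = [s.lower() for s in parts[1:]]
                if not sources or sources == ["'none'"]:
                    return "deny"
                if sources == ["'self'"]:
                    return "sameorigin"
                return "restricted"  # explicit allow-list of framing origins
    xfo = _get_header(headers, "x-frame-options")
    if xfo is None:
        return "unprotected"  # the unmitigated default described in this bug
    value = xfo.strip().lower()
    if value in ("deny", "sameorigin"):
        return value
    return "invalid"  # e.g. ALLOW-FROM or a typo: browsers ignore it, so no protection


# Constructed sample responses: the unmitigated default and the two mitigations above.
SAMPLE_RESPONSES = {
    "default": {"Content-Type": "text/html; charset=utf-8"},
    "deny": {"Content-Type": "text/html; charset=utf-8", "x-frame-options": "deny"},
    "sameorigin": {"Content-Type": "text/html; charset=utf-8", "x-frame-options": "sameorigin"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(f"{name}: {frame_protection(hdrs)}")
```

To check a live deployment, pass the headers of a real response (for example a requests.Response.headers mapping) to frame_protection instead of the constructed samples.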

Comment 10 errata-xmlrpc 2020-09-16 07:56:17 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2020:3727 https://access.redhat.com/errata/RHSA-2020:3727

Comment 11 Product Security DevOps Team 2020-09-16 13:17:46 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10743

Comment 13 errata-xmlrpc 2020-10-27 16:24:00 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2020:4298 https://access.redhat.com/errata/RHSA-2020:4298