Bug 1865759 (CVE-2020-7016)

Summary: CVE-2020-7016 kibana: DoS in Timelion
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: aos-bugs, bmontgom, eparis, jburrell, jcantril, jokerman, nstielau, sponnaga, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kibana 7.8.1, kibana 6.8.11 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in kibana’s Timelion component. This flaw allows an attacker to construct a URL that can lead to the kibana process consuming large amounts of CPU and becoming unresponsive when viewed by a kibana user. The highest threat from this vulnerability is to system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-28 08:25:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1871822, 1871823    
Bug Blocks: 1865761    

Description Dhananjay Arunesh 2020-08-04 04:52:10 UTC 
Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion. An attacker can construct a URL that when viewed by a Kibana user can lead to the Kibana process consuming large amounts of CPU and becoming unresponsive.

References:
https://discuss.elastic.co/t/elastic-stack-6-8-11-and-7-8-1-security-update/242786
https://www.elastic.co/community/security/
Comment 5 Przemyslaw Roguski 2020-08-21 17:01:08 UTC 
External References:

https://discuss.elastic.co/t/elastic-stack-6-8-11-and-7-8-1-security-update/242786
https://www.elastic.co/community/security/
Comment 9 Przemyslaw Roguski 2020-08-25 07:39:05 UTC 
Statement:

In Red Hat OpenShift Container Platform (RHOCP) the affected Kibana component is behind OpenShift OAuth authentication. This restricts access to the vulnerable Timelion Kibana component to authenticated users only, therefore the impact is Low.

Red Hat OpenShift Container Platform 4 delivers Kibana package where the Timelion tool is used, but due to the code changing to the container first content the kibana package is marked as wontfix. This may be fixed in the future.