Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute JavaScript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system. References: https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
No versions of Red Hat OpenStack Platform Operational Tools are affected by this flaw.
OpenShift Container Platform 3.11 and 4.1 contain 5.6.13:

$ docker run -ti registry.redhat.io/openshift3/ose-logging-kibana5:v3.11 rpm -q kibana
kibana-5.6.13-1.el7.x86_64
$ docker run -ti registry.redhat.io/openshift4/ose-logging-kibana5:4.1 rpm -q kibana
kibana-5.6.13-1.el7.x86_64

(Note openshift3 vs openshift4 in repo; note v3.11 vs 4.1 in tag)

OpenShift Container Platform 3.10 and earlier pre-date the reported kibana 5 issue.

$ docker run -ti registry.redhat.io/openshift3/ose-logging-kibana:v3.10 rpm -q kibana
kibana-4.6.4-4.el7.x86_64
$ docker run -ti registry.redhat.io/openshift3/ose-logging-kibana:v3.9 rpm -q kibana
kibana-4.6.4-4.el7.x86_64
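Added example (not part of this bug's comments or of Red Hat's tooling): a small Python checker that parses the `rpm -q kibana` output quoted above and flags builds below the fixed releases named in the advisory, 5.6.15 on the 5.x branch and 6.6.1 on the 6.x branch. The rpm name pattern and the two "fixed build" sample strings are assumptions constructed for the demonstration.

```python
import re
from typing import Tuple

# Fixed releases named in the advisory, keyed by major version branch.
# Anything on these branches below the fixed release is affected.
FIXED = {5: (5, 6, 15), 6: (6, 6, 1)}

# Assumed rpm naming: kibana-<major>.<minor>.<patch>-<release>.<arch>
RPM_RE = re.compile(r"^kibana-(\d+)\.(\d+)\.(\d+)-\S+$")


def parse_rpm_version(rpm_line: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from `rpm -q kibana` output,
    e.g. 'kibana-5.6.13-1.el7.x86_64' -> (5, 6, 13)."""
    m = RPM_RE.match(rpm_line.strip())
    if not m:
        raise ValueError(f"unrecognised rpm -q output: {rpm_line!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True if this Kibana version falls in the advisory's vulnerable ranges."""
    fixed = FIXED.get(version[0])
    if fixed is None:
        # Kibana 4.x pre-dates the issue (see the 3.10/3.9 images above);
        # branches outside 5.x/6.x are not covered by this advisory.
        return False
    return version < fixed  # tuple comparison: (5, 6, 13) < (5, 6, 15)


def assess(rpm_line: str) -> str:
    """One-line verdict for a single `rpm -q kibana` output line."""
    v = parse_rpm_version(rpm_line)
    status = "AFFECTED" if is_affected(v) else "not affected"
    return f"kibana {v[0]}.{v[1]}.{v[2]}: {status}"


# Constructed sample: the rpm -q outputs quoted in the comment above,
# plus two constructed strings for the first fixed builds on each branch.
SAMPLE_OUTPUT = [
    "kibana-5.6.13-1.el7.x86_64",  # OCP 3.11 / 4.1 image
    "kibana-4.6.4-4.el7.x86_64",   # OCP 3.10 / 3.9 image
    "kibana-5.6.15-1.el7.x86_64",  # constructed: first fixed 5.x build
    "kibana-6.6.1-1.x86_64",       # constructed: first fixed 6.x build
]

if __name__ == "__main__":
    for line in SAMPLE_OUTPUT:
        print(assess(line))
```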
External References: https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
Based on further analysis, this flaw warrants an "Important" severity, not "Moderate". Notes to explain differences in CVSS scoring have also been added.
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.1 Via RHSA-2019:2860 https://access.redhat.com/errata/RHSA-2019:2860
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-7609