It was discovered that kibana could be opened in an iframe, which made it possible to intercept and manipulate requests. An attacker could use this flaw to trick a user into performing arbitrary actions in kibana (clickjacking).
Upstream issue: https://github.com/gardener/gardener/issues/1860
The previous upstream issue references a similar issue in gardener; however, the correct upstream project for this OpenShift Container Platform (OCP) component is actually github.com/elastic/kibana. They don't consider this a vulnerability, but may address it in a future release. For a discussion on this topic, see this upstream issue: https://github.com/elastic/kibana/issues/52809 The CVE assigned for this issue is for OCP's deployment of kibana only, not the upstream project.
Statement: This CVE relates specifically to OpenShift Container Platform's distribution of Kibana. Upstream Kibana doesn't consider this a vulnerability, but may address this in a future version: https://github.com/elastic/kibana/issues/52809
Mitigation: Any Kibana version with this commit [1] can add the following configuration option to mitigate the problem:

config/kibana.yml:
server.customResponseHeaders: {"x-frame-options":"deny"}
or
server.customResponseHeaders: {"x-frame-options":"sameorigin"}

[1] https://github.com/elastic/kibana/pull/13045
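After applying the mitigation above, a defender will want to confirm that the Kibana endpoint actually returns a framing restriction. The following is an added example, not code from this bug entry or from the Kibana project: a small checker that takes a response's headers (the header sets below are constructed, not captured from a real deployment) and reports whether framing is blocked. It covers the two X-Frame-Options values the mitigation proposes and, going slightly beyond the entry, the CSP frame-ancestors directive that current browsers give precedence when both headers are present; the handling of a malformed or empty frame-ancestors list as "unprotected" is a conservative auditing choice, not a statement about browser behaviour.

```python
"""Evaluate whether HTTP response headers block framing (clickjacking mitigation).

Added example; not part of the Bugzilla entry or of Kibana itself.
All header dictionaries below are constructed samples.
"""
from typing import Dict, Tuple


def _lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    # HTTP header names are case-insensitive; normalise before lookup.
    return {k.lower(): v for k, v in headers.items()}


def framing_policy(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (protected, reason) for a set of response headers.

    CSP frame-ancestors is evaluated first because browsers that support it
    ignore X-Frame-Options when the directive is present.
    """
    h = _lower_keys(headers)

    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if sources in (["none"], ["self"]):
                return True, f"CSP frame-ancestors {sources[0]}"
            if not sources or "*" in sources:
                # Empty list is malformed; '*' permits any origin. Flag both.
                return False, "CSP frame-ancestors permits any origin or is malformed"
            return True, "CSP frame-ancestors restricted to listed origins"

    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo in ("deny", "sameorigin"):
        return True, f"X-Frame-Options {xfo}"
    if xfo.startswith("allow-from"):
        # Obsolete value: current browsers ignore it, leaving the page frameable.
        return False, "X-Frame-Options ALLOW-FROM is obsolete and not honoured"
    if xfo:
        return False, f"unrecognised X-Frame-Options value {xfo!r}"
    return False, "no framing restriction header present"


# Constructed samples: an unmitigated response beside the two mitigated forms.
UNMITIGATED = {"Content-Type": "text/html; charset=utf-8"}
MITIGATED_DENY = {"Content-Type": "text/html", "X-Frame-Options": "DENY"}
MITIGATED_SAMEORIGIN = {"Content-Type": "text/html", "x-frame-options": "sameorigin"}
MITIGATED_CSP = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}


def audit_all() -> Dict[str, Tuple[bool, str]]:
    """Evaluate every constructed sample; handy for a quick report."""
    return {
        "unmitigated": framing_policy(UNMITIGATED),
        "deny": framing_policy(MITIGATED_DENY),
        "sameorigin": framing_policy(MITIGATED_SAMEORIGIN),
        "csp": framing_policy(MITIGATED_CSP),
    }


if __name__ == "__main__":
    for name, (ok, why) in audit_all().items():
        print(f"{name:12} {'PROTECTED' if ok else 'FRAMEABLE':10} {why}")
```

In practice the headers come from a request to the Kibana route (for example via `http.client` or `requests`), and the check belongs in a post-deployment smoke test so a regression in `server.customResponseHeaders` is caught immediately.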
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2020:3727 https://access.redhat.com/errata/RHSA-2020:3727
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10743
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2020:4298 https://access.redhat.com/errata/RHSA-2020:4298