Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that causes the Kibana server to load, and thereby execute, a JavaScript file of the attacker's choosing. This could allow an attacker to execute arbitrary commands with the permissions of the Kibana process on the host system.

References: https://www.elastic.co/community/security
Introduced in commit: https://github.com/elastic/kibana/commit/0d3461c2c995e7ce5bb3e04ba5cecbc05a5386ab#diff-263cb6070b4e54ae3b4c343d14d0813bR25
Upstream issue: https://github.com/elastic/kibana/pull/24399
Upstream patch: https://github.com/elastic/kibana/commit/51aff7d3c49724fcbaba4353dff0cd7c3be799b0
The console api_server was not introduced until version 5, prior versions do not contain the vulnerable functionality. Diff from 5.6.12 -> 5.6.13 --------------------------- --- a/src/core_plugins/console/api_server/server.js +++ b/src/core_plugins/console/api_server/server.js @@ -1,12 +1,14 @@ let _ = require("lodash"); - +const KNOWN_APIS = ['es_5_0']; module.exports.resolveApi = function (sense_version, apis, reply) { let result = {}; _.each(apis, function (name) { { - // for now we ignore sense_version. might add it in the api name later - let api = require('./' + name); - result[name] = api.asJson(); + if (KNOWN_APIS.includes(name)) { + // for now we ignore sense_version. might add it in the api name later + let api = require('./' + name); + result[name] = api.asJson(); + } } });
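Review bot: the new `if (KNOWN_APIS.includes(name))` guard is the right fix, since the removed `require('./' + name)` resolved caller-supplied `..` segments outside api_server, but it silently drops any name that is not allow-listed, so a request probing with traversal sequences gets an empty result rather than an error; consider rejecting unknown names explicitly in the `reply` path so such attempts surface in logs. The retained comment "for now we ignore sense_version" also still applies and could note that `sense_version` is not validated either.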
openshift-enterprise-3.11: ships kibana-5.6.10, which is affected
openshift-enterprise-3.x prior to 3.11: the versions of kibana shipped in these prior releases of OCP do not contain the console plugin or the commit [1] that introduced the vulnerable code.

[1] https://github.com/elastic/kibana/commit/0d3461c2c995e7ce5bb3e04ba5cecbc05a5386ab#diff-263cb6070b4e54ae3b4c343d14d0813bR25
External References: https://www.elastic.co/community/security