Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS) vulnerability that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. References: https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
No versions of Red Hat OpenStack Platform Operational Tools are affected by this flaw.
OpenShift Container Platform 3.11 and 4.1 contain 5.6.13:

  $ docker run -ti registry.redhat.io/openshift3/ose-logging-kibana5:v3.11 rpm -q kibana
  kibana-5.6.13-1.el7.x86_64
  $ docker run -ti registry.redhat.io/openshift4/ose-logging-kibana5:4.1 rpm -q kibana
  kibana-5.6.13-1.el7.x86_64

(Note openshift3 vs openshift4 in the repository path, and v3.11 vs 4.1 in the tag.)

OpenShift Container Platform 3.10 and earlier pre-date the reported Kibana 5 issue:

  $ docker run -ti registry.redhat.io/openshift3/ose-logging-kibana:v3.10 rpm -q kibana
  kibana-4.6.4-4.el7.x86_64
  $ docker run -ti registry.redhat.io/openshift3/ose-logging-kibana:v3.9 rpm -q kibana
  kibana-4.6.4-4.el7.x86_64
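The version checks above are done by hand, one image at a time. The following is an added example (not part of this bug report or of any Red Hat tooling) that parses the `rpm -q kibana` output shown above and applies the advisory's fixed versions per release line: 5.x is fixed at 5.6.15, 6.x at 6.6.1, Kibana 4 pre-dates the issue as stated above, and later release lines already carry the fix. The three sample NVR strings are the ones printed in the session above; the function and constant names are this example's own.

```python
import re

# Fixed upstream versions named in the advisory, keyed by release line.
FIXED_BY_MAJOR = {5: (5, 6, 15), 6: (6, 6, 1)}

# rpm -q prints name-version-release.arch, e.g. kibana-5.6.13-1.el7.x86_64
NVR_RE = re.compile(r"^kibana-(\d+)\.(\d+)\.(\d+)-(\S+)$")


def parse_nvr(nvr):
    """Split an rpm NVR string into ((major, minor, patch), release)."""
    m = NVR_RE.match(nvr.strip())
    if not m:
        raise ValueError(f"not a kibana NVR: {nvr!r}")
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return version, m.group(4)


def is_affected(nvr):
    """True when the upstream version is older than the fix for its line.

    Kibana 4 pre-dates the reported issue (as the bug report states), and
    release lines newer than 6 already contain the fix, so only 5.x and 6.x
    are compared against the advisory's fixed versions.
    """
    version, _release = parse_nvr(nvr)
    major = version[0]
    if major not in FIXED_BY_MAJOR:
        return False
    return version < FIXED_BY_MAJOR[major]


def triage(rpm_output_lines):
    """Map each NVR line from rpm -q output to 'affected' or 'not affected'."""
    return {
        line.strip(): ("affected" if is_affected(line) else "not affected")
        for line in rpm_output_lines
        if line.strip()
    }


if __name__ == "__main__":
    # The NVRs printed by the docker/rpm session in this bug report.
    sample = [
        "kibana-5.6.13-1.el7.x86_64",  # OCP 3.11 / 4.1
        "kibana-4.6.4-4.el7.x86_64",   # OCP 3.10 and earlier
    ]
    for nvr, verdict in triage(sample).items():
        print(f"{nvr}: {verdict}")
```

This compares upstream version numbers only. Red Hat frequently backports a fix into an RPM rebuild without changing the upstream version, so a result of "affected" is a triage signal to confirm against the erratum for that product (for OCP 4.1, RHSA-2019:2860 below), not a final verdict.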
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.1, via RHSA-2019:2860 (https://access.redhat.com/errata/RHSA-2019:2860).
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-7608