Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could send a request that will attempt to execute JavaScript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.

References:
https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
Statement:

Red Hat OpenStack Platform 8.0/9.0 Operational Tools Kibana/Elasticsearch versions neither include nor support X-Pack (8/9 versions must use the optional Shield, which is also not packaged), so they are not affected. Red Hat OpenShift Container Platform 4.1 and 3.x do not install the vulnerable package (Shield for Kibana 4, and X-Pack for Kibana 5), so the impact is lowered to moderate.
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:2860 https://access.redhat.com/errata/RHSA-2019:2860
External References:

https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
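
The description above gives two conditions for exposure: a Kibana version before 5.6.15 or 6.6.1, and xpack.security.audit.enabled set to true. The following triage check is an added example, not code from Elastic or Red Hat; the function names and sample configuration are constructed, and it assumes kibana.yml contains only plain key/value mappings (dotted, nested or mixed) and that an absent setting means the audit logger is off.

```python
import re

# Fixed releases named in the advisory, per major line.
FIXED_5 = (5, 6, 15)
FIXED_6 = (6, 6, 1)
SETTING = "xpack.security.audit.enabled"


def parse_version(text):
    """Turn '6.5.4' or '6.5.4-SNAPSHOT' into (6, 5, 4)."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in m.groups())


def version_affected(version):
    """Literal reading of the advisory: before 5.6.15, or 6.x before 6.6.1."""
    v = parse_version(version)
    return v < FIXED_5 or (v[0] == 6 and v < FIXED_6)


def flatten_settings(yaml_text):
    """Flatten plain key/value mappings (dotted, nested or mixed) to dotted keys."""
    settings, stack = {}, []  # stack holds (indent, key) of open parent mappings
    for raw in yaml_text.splitlines():
        line = re.sub(r"(^|\s)#.*", "", raw).rstrip()  # drop comments
        m = re.match(r"( *)([^\s:#-][^:]*):\s*(.*)$", line)
        if not m:
            continue  # blank lines, list items, anything not 'key: value'
        indent, key, value = len(m.group(1)), m.group(2).strip(), m.group(3)
        while stack and stack[-1][0] >= indent:
            stack.pop()  # close mappings at the same or deeper indentation
        if value == "":
            stack.append((indent, key))
        else:
            path = ".".join([k for _, k in stack] + [key])
            settings[path] = value.strip("'\"")
    return settings


def audit_logging_enabled(yaml_text):
    # Assumption: an absent setting means the audit logger is off.
    return flatten_settings(yaml_text).get(SETTING, "false").lower() == "true"


def exposed(version, yaml_text):
    """True only when both conditions from the advisory hold."""
    return version_affected(version) and audit_logging_enabled(yaml_text)


# Constructed sample configuration, nested form.
SAMPLE_NESTED = "server.port: 5601\nxpack:\n  security:\n    audit:\n      enabled: true  # on\n"
```

Call exposed() with the installed Kibana version string and the contents of kibana.yml; a True result means the instance should be upgraded to a fixed release.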