Bug 1696032 (CVE-2019-7610) - CVE-2019-7610 kibana: Audit logging Remote Code Execution issue
Summary: CVE-2019-7610 kibana: Audit logging Remote Code Execution issue
Alias: CVE-2019-7610
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1747796
Blocks: 1696033
TreeView+ depends on / blocked
Reported: 2019-04-04 03:47 UTC by Pedro Sampaio
Modified: 2020-01-24 00:20 UTC (History)
19 users (show)

Fixed In Version: kibana 5.6.15, kibana 6.6.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-06-10 10:53:26 UTC

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2860 None None None 2019-09-27 01:35:13 UTC

Description Pedro Sampaio 2019-04-04 03:47:15 UTC
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.



Comment 10 Jason Shepherd 2019-09-26 06:23:23 UTC

Red Hat OpenStack Platform 8.0/9.0 Operational Tools Kibana/Elasticsearch versions do not include nor support X-Pack (8/9 versions must use the optional Shield, also not packaged); not affected.

Red Hat OpenShift Container Platform 4.1, and 3.x do not install the vulnerable package (Shield for Kibana 4, and X-Pack for Kibana 5), so the impact is lowered to moderate.

Comment 11 errata-xmlrpc 2019-09-27 01:35:11 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:2860 https://access.redhat.com/errata/RHSA-2019:2860

Note You need to log in before you can comment on or make changes to this bug.