Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CANO=Ty1b8mrUZQQuxwiVykKg1C-_qxbfuczbQxEL=8cBYfG9Nw@mail.gmail.com>
Date: Thu, 8 Sep 2016 09:02:24 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>, security@...stis.co
Subject: CVEs for public Kibana / logstash issues

I just checked https://www.elastic.co/community/security and the Kibana
issues do not have CVEs, can you please assign CVEs for:

Kibana:

ESA-2016-05 2016-09-06
Version 2.4.0 of the Reporting plugin is vulnerable to a CSRF vulnerability
that could allow an attacker to generate superfluous reports whenever an
authenticated Kibana user navigates to a specially-crafted page. Users of
the Reporting plugin should upgrade Kibana to 4.6.1 and Reporting to 2.4.1.

ESA-2016-04 2016-08-03
When a custom output is configured for logging in versions of Kibana before
4.5.4 and 4.1.11, cookies and authorization headers could be written to the
log files. This information could be used to hijack sessions of other users
when using Kibana behind some form of authentication such as Shield. Users
should upgrade to 4.5.4 or 4.1.11.

ESA-2016-03 2016-08-03
Versions of Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack
that would allow an attacker to execute arbitrary JavaScript in users'
browsers. Users should upgrade to 4.5.4 or 4.1.11.

Logstash:

ESA-2016-02 2016-07-07
Prior to version 2.3.4, Elasticsearch Output plugin would log to file HTTP
authorization headers which could contain sensitive information. Users who
secure communication from Logstash to Elasticsearch via Basic Authorization
using Elastic Shield or other systems are advised to upgrade to this
version.

ESA-2016-01 2016-02-02
Prior to version 2.1.2, the CSV output can be attacked via engineered input
that will create malicious formulas in the CSV data. Users that currently
use Logstash CSV output plugin or may want to use it in the future should
upgrade to 2.2.0 or 2.1.2.

Thanks

-- 

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.