Please send security vulnerability reports to security@elastic.co. This address can be used for all of Elastic's open source and commercial products, the Elastic Cloud service, and the elastic.co website. We can accept only security issues at this address. Bug reports should be directed to the bug database of the project you're reporting it on.

If you would like to encrypt your message to us, please use our PGP key. The fingerprint is

1224 D1A5 72A7 3755 B61A 377B 14D6 5EE0 D2AE 61D2

The key is available from pgp.mit.edu; search for elasticsearch.

Submitting an Issue

When we receive an issue we will evaluate it and, if we agree it is a vulnerability, we'll work to fix it and release the fix in a timeframe that matches the severity.

Let us know if you would like credit for discovering the issue. We can cite you as the discoverer if we weren't previously aware of the issue.

About Elastic Security Advisories

An Elastic Security Advisory ("ESA") is a notice from Elastic to its users of security issues with the Elastic products. Elastic assigns both a CVE and an ESA identifier to each advisory along with a summary and remediation and mitigation details. All new advisories are announced in the Security Announcements forum. These announcements may be tracked via an RSS feed.

Previously Announced Vulnerabilities

Logstash
ESA ID CVE Date Disclosed Vulnerability Summary Remediation Summary
ESA-2018-01 CVE-2018-3817 2018-01-16 When logging warnings regarding deprecated settings, Logstash could inadvertently log sensitive information. Users should upgrade to Logstash version 6.1.2 or 5.6.6. If you are unable to upgrade you should review your settings to ensure no deprecated settings are used in your environment.
ESA-2017-05 CVE-2017-5645 2017-04-20 The version of Apache Log4j used in Logstash was vulnerable to an object deserialization flaw. This flaw could result in remote code execution by an attacker able to send arbitrary data to a Logstash Log4j plugin. Users that currently use Logstash Log4j input plugin should upgrade the logstash-input-log4j plugin to version 3.0.5
ESA-2016-08 CVE-2016-10362
2016-11-15 Prior to Logstash version 5.0.1, Elasticsearch Output plugin when updating connections after sniffing, would log to file HTTP basic auth credentials. Users who secure communication from Logstash to Elasticsearch via Basic Authorization using Elastic Shield or other systems are advised to upgrade to this version.
ESA-2016-06 CVE-2016-10363
2016-09-22 In Logstash versions prior to 2.3.3, when using the Netflow Codec plugin, a remote attacker crafting malicious Netflow v5, Netflow v9 or IPFIX packets could perform a denial of service attack on the Logstash instance. The errors resulting from these crafted inputs are not handled by the codec and can cause the Logstash process to exit. Users that currently use Logstash's netflow codec plugin or may want to use it in the future should upgrade to 2.3.3 or later versions.
ESA-2016-02 CVE-2016-1000221 2016-07-07 Prior to version 2.3.4, Elasticsearch Output plugin would log to file HTTP authorization headers which could contain sensitive information. Users who secure communication from Logstash to Elasticsearch via Basic Authorization using Elastic Shield or other systems are advised to upgrade to this version.
ESA-2016-01 CVE-2016-1000222 2016-02-02 Prior to version 2.1.2, the CSV output can be attacked via engineered input that will create malicious formulas in the CSV data. Users that currently use Logstash CSV output plugin or may want to use it in the future should upgrade to 2.2.0 or 2.1.2.
ESA-2015-09 CVE-2015-5619 2015-07-22 All Logstash versions prior to 1.5.3 that use Lumberjack output is vulnerable to this man in the middle attack. Please note that Logstash Forwarder is not affected by this. Users should upgrade to 1.5.4 or 1.4.5. Users that do not want to upgrade can address the vulnerability by disabling the Lumberjack output.
ESA-2015-07 CVE-2015-5378 2015-06-30 All Logstash versions prior to 1.5.2 that use Lumberjack input (in combination with Logstash Forwarder agent) are vulnerable to a SSL/TLS security issue called the FREAK attack. This allows an attacker to intercept communication and access secure data. Users should upgrade to 1.5.3 or 1.4.4. Users that do not want to upgrade can address the vulnerability by disabling the Lumberjack input.
ESA-2015-04 CVE-2015-4152 2015-06-09 All Logstash versions prior to 1.4.3 that use the file output plugin are vulnerable to a directory traversal attack that allows an attacker to write files as the Logstash user. Users should upgrade to 1.4.3 or 1.5.0 Users that do not want to upgrade can address the vulnerability by disabling the file output plugin.
ESA-2014-02 CVE-2014-4326 2014-06-24 Logstash 1.4.1 and prior, when configured to use the Zabbix or Nagios outputs, allows an attacker with access to send crafted events to Logstash inputs to cause Logstash to execute OS commands. Upgrade to Logstash 1.4.2 or later, or disable the Zabbix and Nagios outputs.
Elasticsearch
ESA ID CVE Date Disclosed Vulnerability Summary Remediation Summary
ESA-2018-07 CVE-2018-3822 2018-03-20 X-Pack Security versions 6.2.0, 6.2.1, and 6.2.2 are vulnerable to a user impersonation attack via incorrect XML canonicalization and DOM traversal. An attacker might have been able to impersonate a legitimate user if the SAML Identity Provider allows for self registration with arbitrary identifiers and the attacker can register an account which an identifier that shares a suffix with a legitimate account. Both of those conditions must be true in order to exploit this flaw. Users should upgrade to Elasticsearch version 6.2.3.
ESA-2017-19 CVE-2017-8448 2017-09-18 An error was found in the permission model used by X-Pack alerting whereby users mapped to certain built-in roles could create a watch that results in that user gaining elevated privileges.  Deployments of the Elastic Stack that utilize X-Pack alerting should be upgraded to version 5.6.1 to fix the privilege escalation issue.
Users mapped to the built-in “watcher_admin” or “machine_learning_admin” roles, or any other role to which the “manage_ml” or “manage_watcher” cluster privilege has been assigned, should be reviewed and granted only to personnel with appropriate trust levels to read and write all indices.
ESA-2017-18 CVE-2017-8447 2017-09-11 An error was found in the X-Pack Security privilege enforcement. If a user has either ‘delete’ or ‘index’ permissions on an index in a cluster, they may be able to issue both delete and index requests against that index. X-Pack Security users should upgrade to version 5.6.0 or 5.5.3. If you cannot upgrade immediately you can workaround this issue by removing the ‘delete’ and ‘index’ permission from untrusted users.
ESA-2017-15 CVE-2017-8445 2017-08-17 An error was found in the X-Pack Security TLS trust manager for versions 5.0.0 to 5.5.1. If reloading the trust material fails the trust manager will be replaced with an instance that trusts all certificates. This could allow any node using any certificate to join a cluster. The proper behavior in this instance is for the TLS trust manager to deny all certificates.
X-Pack Security users should upgrade to version 5.5.2. Please note this attack cannot be triggered remotely. The most likely scenario would be local system corruption. Even though crossing a trust boundary cannot be forced by an attacker, we consider a security feature failing in this manner to be a flaw.
ESA-2017-10 CVE-2017-8442 2017-07-06 Elasticsearch X-Pack Security versions 5.0.0 to 5.4.3, when enabled, can result in the Elasticsearch _nodes API leaking sensitive configuration information, such as the paths and passphrases of SSL keys that were configured as part of an authentication realm. This could allow an authenticated Elasticsearch user to improperly view these details. All users of X-Pack security should upgrade to version 5.5.0. This update will prevent the _nodes API from returning sensitive settings. If you cannot upgrade any sensitive settings can be hidden by using the X-Pack hide_settings configuration option.
ESA-2017-09 CVE-2017-8441 2017-06-01 X-Pack Security versions prior to 5.4.1 and 5.3.3 did not always correctly apply Document Level Security to index aliases. This bug could allow a user with restricted permissions to view data they should not have access to when performing certain operations against an index alias. All users of X-Pack security should upgrade to version 5.3.3 or 5.4.1. If you cannot upgrade disabling the request cache on an index will mitigate this bug.
ESA-2017-06 CVE-2017-8438 2017-06-01 X-Pack Security versions 5.0.0 to 5.4.0 contain a privilege escalation bug in the run_as functionality. This bug prevents transitioning into the specified user specified in a run_as request. If a role has been created using a template that contains the _user properties, the behavior of run_as will be incorrect. Additionally if the run_as user specified does not exist, the transition will not happen. User currently using run_as functionality should upgrade to X-Pack Security 5.4.1
ESA-2017-03 CVE-2017-8449 2017-03-28 When merging multiple rules with field level security rules for the same index, X-Pack Security 5.2.x would allow access to more fields than the user should have seen if the field level security rules used a mix of grant and exclude rules.
ESA-2017-01 CVE-2017-8450 2017-01-23 In some cases, X-Pack 5.1.1 did not properly apply document and field level security to multi-search and multi-get requests so users without access to a document and/or field may have been able to access this information. Users should upgrade to v5.1.2 or above, or restrict access to the multi-search and multi-get APIs.
ESA-2015-08 CVE-2015-5531 2015-07-16 Elasticsearch versions from 1.0.0 to 1.6.0 are vulnerable to a directory traversal attack. Users should upgrade to 1.6.1 or later, or constrain access to the snapshot API to trusted sources.
ESA-2015-06 CVE-2015-5377 2015-07-16 Elasticsearch versions prior to 1.6.1 are vulnerable to an attack that can result in remote code execution. Users should upgrade to 1.6.1 or 1.7.0. Alternately, ensure that only trusted applications have access to the transport protocol port.
ESA-2015-05 CVE-2015-4165 2015-04-27 All Elasticsearch versions from 1.0.0 to 1.5.2 are vulnerable to an attack that uses Elasticsearch to modify files read and executed by certain other applications. Users should upgrade to 1.6.0. Alternately, ensure that other applications are not present on the system, or that Elasticsearch cannot write into areas where these applications would read.
ESA-2015-02 CVE-2015-3337 2015-04-27 All Elasticsearch versions prior to 1.5.2 and 1.4.5 are vulnerable to a directory traversal attack that allows an attacker to retrieve files from the server running Elasticsearch when one or more site plugins are installed, or when Windows is the server OS. Users should upgrade to 1.4.5 or 1.5.2. Users that do not want to upgrade can address the vulnerability by disabling site plugins. See the CVE description for additional options.
ESA-2015-01 CVE-2015-1427 2015-02-11 Elasticsearch versions 1.3.0-1.3.7 and 1.4.0-1.4.2 have vulnerabilities in the Groovy scripting engine that were introduced in 1.3.0. The vulnerability allows an attacker to construct Groovy scripts that escape the sandbox and execute shell commands as the user running the Elasticsearch Java VM. Users should upgrade to 1.3.8 or 1.4.3. Users that do not want to upgrade can address the vulnerability by setting script.groovy.sandbox.enabled to false in elasticsearch.yml and restarting the node.
ESA-2014-03 CVE-2014-6439 2014-11-05 Elasticsearch versions 1.3.x and prior have a default configuration for CORS that allows an attacker to craft links that could cause a user's browser to send requests to Elasticsearch instances on their local network. These requests could cause data loss or compromise. Users should either set "http.cors.enabled" to false, or set "http.cors.allow-origin" to the value of the server that should be allowed access, such as localhost or a server hosting Kibana. Disabling CORS entirely with the former setting is more secure, but may not be suitable for all use cases.
ESA-2014-01 CVE-2014-3120 2014-05-22 In Elasticsearch versions 1.1.x and prior, dynamic scripting is enabled by default. This could allow an attacker to execute OS commands. Disable dynamic scripting.
Kibana
ESA ID CVE Date Disclosed Vulnerability Summary Remediation Summary
ESA-2018-08 CVE-2018-3824 2018-04-17 X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. If an attacker is able to inject data into an index that has a ML job running against it, then when another user views the results of the ML job it could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of that other ML user.Users should upgrade to Elasticsearch version 6.2.4 or 5.6.9
ESA-2018-06 CVE-2018-3823 2018-04-17 X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. Users with manage_ml permissions could create jobs containing malicious data as part of their configuration that could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of other ML users viewing the results of the jobs.Users should upgrade to Elasticsearch version 6.2.4 or 5.6.9
ESA-2018-05 CVE-2018-3821 2018-01-30 Kibana versions after 5.1.1 and before 5.6.7 and 6.1.3 had a cross-site scripting (XSS) vulnerability in the tag cloud visualization that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.Users should upgrade to Kibana version 6.1.3 or 5.6.7. There are no known workarounds for this issue.
ESA-2018-04 CVE-2018-3820 2018-01-30 Kibana versions after 6.1.0 and before 6.1.3 had a cross-site scripting (XSS) vulnerability in labs visualizations that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.Users of affected versions should upgrade to Kibana version 6.1.3. There are no known workarounds for this issue.
ESA-2018-03 CVE-2018-3819 2018-01-30 The fix in Kibana for ESA-2017-23 was incomplete. With X-Pack security enabled, Kibana versions before 6.1.3 and 5.6.7 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.Users should upgrade to Kibana version 6.1.3 or 5.6.7. There are no known workarounds for this issue.
ESA-2018-02 CVE-2018-3818 2018-01-16 Kibana versions 5.1.1 to 6.1.2 and 5.6.6 had a cross-site scripting (XSS) vulnerability via the colored fields formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.Users should upgrade to Kibana version 6.1.2 or 5.6.6. There are no known workarounds for this issue.
ESA-2017-24 CVE-2017-1001002 2017-12-19 Kibana version 6.1.0 had an arbitrary code execution vulnerability in the Math.js package which is used by math aggregations in Time Series Visual Builder. Kibana users could construct a math aggregation capable of executing arbitrary code on the Kibana server.Anyone running Kibana 6.1.0 should upgrade to Kibana version 6.1.1. If you are unable to upgrade, you may set “metrics.enabled: false” in the kibana.yml file to disable the Time Series Visual Builder feature.
ESA-2017-23 CVE-2017-11482 2017-12-06 The Kibana fix for CVE-2017-8451 was found to be incomplete. With X-Pack installed, Kibana versions before 6.0.1 and 5.6.5 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website. Users should upgrade to Kibana version 6.0.1 or 5.6.5. There are no known workarounds for this issue.
ESA-2017-22 CVE-2017-11481 2017-12-06 Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. Users should upgrade to Kibana version 6.0.1 or 5.6.5. There are no known workarounds for this issue.
ESA-2017-20 CVE-2017-11479 2017-09-18 Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. Users should upgrade to Kibana version 5.6.1. There are no known workarounds for this issue.
ESA-2017-17 CVE-2017-8446 2017-08-17 The Reporting feature in X-Pack in versions prior to 5.5.2 and standalone Reporting plugin versions versions prior to 2.4.6 had an impersonation vulnerability. A user with the reporting_user role could execute a report with the permissions of another reporting user, possibly gaining access to sensitive data. Reporting users should upgrade to X-Pack version 5.5.2 or Reporting Plugin version 2.4.6. A mitigation for this issue is to remove the reporting_user role from any untrusted users of your Elastic Stack.
ESA-2017-16 2017-08-17 Kibana versions prior to 5.5.2 had a cross-site scripting (XSS) vulnerability in the markdown parser that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. Users should upgrade to Kibana version 5.5.2 or 4.6.5.
ESA-2017-14 CVE-2017-11499 2017-07-25 The version of Node.js shipped in all versions of Kibana prior to 5.5.1 contains a Denial of Service flaw in it's HashTable random seed. This flaw could allow a remote attacker to consume resources within Node.js preventing Kibana from servicing requests. Administrators running Kibana in an environment with untrusted users should upgrade to version 5.5.1 or 4.6.5. There is no workaround for this issue, the flaw can be triggered by an unauthenticated anonymous user.
ESA-2017-11 CVE-2017-8443 2017-06-27 In Kibana X-Pack security versions prior to 5.4.3 if a Kibana user opens a crafted Kibana URL the result could be a redirect to an improperly initialized Kibana login screen. If the user enters credentials on this screen, the credentials will appear in the URL bar. The credentials could then be viewed by untrusted parties or logged into the Kibana access logs. We believe the severity of this issue is low since the issue can be triggered only by a crafted URL, and it will be very difficult for an external attacker to acquire credentials even with the vulnerability.  Kibana users concerned with this issue should upgrade to version 5.4.3 or later. 
ESA-2017-08 CVE-2017-8440 2017-06-01 Starting in version 5.3.0, Kibana had a cross-site scripting (XSS) vulnerability in the Discover page that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.  Thanks to Thomas Gøytil for reporting this issue. All users of Kibana 5.3 or 5.4 should upgrade to versions 5.3.3 and 5.4.1.
ESA-2017-07 CVE-2017-8439 2017-06-01 Kibana version 5.4.0 was affected by a Cross Site Scripting (XSS) bug in the Time Series Visual Builder. This bug could allow an attacker to obtain sensitive information from Kibana users. All Kibana 5.4.0 users should upgrade to version 5.4.1. If upgrading is impossible, the time series visual builder can be disabled by setting metrics.enabled: false in the kibana.yml. Note that this will trigger a re-optimization when you restart Kibana.
ESA-2017-04 CVE-2017-8451
2017-04-20 With X-Pack installed, Kibana versions before 5.3.1 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website. Shield versions for Kibana prior to 2.4.5 are also affected. Users should upgrade to Kibana version 5.3.1 as soon as possible. Users on Kibana 4.6 should update the Kibana Shield plugin to 2.4.5.
ESA-2017-02 CVE-2017-8452
2017-02-14 When Kibana is configured for SSL client access, file descriptors will fail to be cleaned up after certain requests and will accumulate over time until the process crashes. Requests that are canceled before data is sent can also crash the process. Users of previous versions Kibana 5 that have SSL configured should upgrade to 5.2.1 immediately. Terminating SSL at a reverse proxy or load balancer will act as a workaround. Kibana version 4 is not affected.
ESA-2016-10 CVE-2016-10364
2016-11-29 With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 were not properly authenticating requests to advanced settings and the short URL service, so any authenticated user could make requests to those services regardless of their own permissions. Users of Kibana and X-Pack versions 5.0.0 and 5.0.1 that have user-specific permissions for advanced settings or short URLs should upgrade to 5.0.2 as soon as possible.
ESA-2016-09 CVE-2016-10365
2016-11-15 Kibana versions before 4.6.3 and 5.0.1 have an open redirect vulnerability that would enable an attacker to craft a link in the Kibana domain that redirects to an arbitrary website. Thanks to the GE Digital Security Team for finding the issue. Users should upgrade to 5.0.1 or 4.6.3 as soon as possible.
ESA-2016-07 CVE-2016-10366
2016-10-24 Kibana versions after and including 4.3 and before 4.6.2 are vulnerable to a cross-site scripting (XSS) attack that would allow an attacker to execute arbitrary JavaScript in users' browsers. Users of Kibana 4.3 or greater should upgrade to Kibana 4.6.2 immediately.
ESA-2016-05 CVE-2016-1000218 2016-09-06 Version 2.4.0 of the Reporting plugin is vulnerable to a CSRF vulnerability that could allow an attacker to generate superfluous reports whenever an authenticated Kibana user navigates to a specially-crafted page. Users of the Reporting plugin should upgrade Kibana to 4.6.1 and Reporting to 2.4.1.
ESA-2016-04 CVE-2016-1000219 2016-08-03 When a custom output is configured for logging in versions of Kibana before 4.5.4 and 4.1.11, cookies and authorization headers could be written to the log files. This information could be used to hijack sessions of other users when using Kibana behind some form of authentication such as Shield. Users should upgrade to 4.5.4 or 4.1.11.
ESA-2016-03 CVE-2016-1000220 2016-08-03 Versions of Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack that would allow an attacker to execute arbitrary JavaScript in users' browsers. Users should upgrade to 4.5.4 or 4.1.11.
ESA-2015-11 CVE-2015-9056
2015-12-17 Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a XSS attack. Users should upgrade to 4.1.3 or 4.2.1.
ESA-2015-10 CVE-2015-8131 2015-11-17 Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a CSRF attack. Users should upgrade to 4.1.3 or 4.2.1.
ESA-2015-03 CVE-2015-4093 2015-06-29 Kibana versions 4.0.0, 4.0.1 and 4.0.2 are vulnerable to a cross-site scripting attack. Users should upgrade to 4.0.3.

Beats
ESA ID CVE Date Disclosed Vulnerability Summary Remediation Summary
ESA-2017-21 CVE-2017-11480 2017-01-07 Packetbeat versions prior to 5.6.4 are affected by a denial of service flaw in the PostgreSQL protocol handler. If Packetbeat is listening for PostgreSQL traffic and a user is able to send arbitrary network traffic to the monitored port, the attacker could prevent Packetbeat from properly logging other PostgreSQL traffic. Users should upgrade to Packetbeat version 5.6.4. This issue can be avoided by disabling the PostgreSQL protocol.

Elastic Cloud Enterprise
ESA ID CVE Date Disclosed Vulnerability Summary Remediation Summary
ESA-2017-13 CVE-2017-8444 2017-09-12 The client-forwarder in Elastic Cloud Enterprise versions prior to 1.0.2 do not properly encrypt traffic to ZooKeeper. If an attacker is able to man in the middle (MITM) the traffic between the client-forwarder and ZooKeeper they could potentially obtain sensitive data. All Elastic Cloud Enterprise users should upgrade to version 1.0.2. There is no known workaround for this issue.