Editor's Note (September 7, 2018): This post refers to X-Pack. Starting with the 6.3 release, the X-Pack code is now open and fully integrated as features into the Elastic Stack.
Versions 6.2.4 and 5.6.9 of the Elastic Stack have been released today. These releases include two security fixes for X-Pack machine learning. Machine learning users should upgrade to one of these releases as soon as possible.
X-Pack Machine Learning XSS vulnerability (ESA-2018-06): X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. Users with
manage_ml permissions could create jobs containing malicious data as part of their configuration that could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of other ML users viewing the results of the jobs.
Affected versions: All versions before 6.2.4 and 5.6.9
CVE ID: CVE-2018-3823
X-Pack Machine Learning XSS vulnerability (ESA-2018-08): X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. If an attacker is able to inject data into an index that has a ML job running against it, then when another user views the results of the ML job it could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of that other ML user. Affected versions: All versions before 6.2.4 and 5.6.9 CVE ID: CVE-2018-3824
- In 6.2.4 Elasticsearch fixed an edge case with periodic flushing that could lead to endless flush loops.
- Also in 6.2.4 Logstash improved the performance of
Event#cancel, where each operation would unnecessarily generate a new object. In configurations that use plugins like the
drop filterthroughput may increase up to 5x.
- In 5.6.9 a number of packetbeat fixes have been backported to 5.6. These improve parsing for HTTP, MySQL, MongoDB and AMQP data.