Please send security vulnerability reports to email@example.com. This address can be used for all of Elastic's open source and commercial products, the Elastic Cloud service, and the elastic.co website. We can accept only security issues at this address. Bug reports should be directed to the bug database of the project you're reporting it on.
If you would like to encrypt your message to us, please use our PGP key. The fingerprint is
1224 D1A5 72A7 3755 B61A 377B 14D6 5EE0 D2AE 61D2
When we receive an issue we will evaluate it and, if we agree it is a vulnerability, we'll work to fix it and release the fix in a timeframe that matches the severity.
Let us know if you would like credit for discovering the issue. We can cite you as the discoverer if we weren't previously aware of the issue.
An Elastic Security Advisory ("ESA") is a notice from Elastic to its users of security issues with the Elastic products. Elastic assigns both a CVE and an ESA identifier to each advisory along with a summary and remediation and mitigation details. All new advisories are announced in the Security Announcements forum. These announcements may be tracked via an RSS feed.
|ESA ID||CVE||Date Disclosed||Vulnerability Summary||Remediation Summary|
|ESA-2019-05||CVE-2019-7612||2019-02-19||A sensitive data disclosure flaw was found in the way Logstash logs malformed URLs. If a malformed URL is specified as part of the Logstash configuration, the credentials for the URL could be inadvertently logged as part of the error message.||Users should upgrade to Logstash version 6.6.1 or 5.6.15|
|ESA-2018-01||CVE-2018-3817||2018-01-16||When logging warnings regarding deprecated settings, Logstash could inadvertently log sensitive information.||Users should upgrade to Logstash version 6.1.2 or 5.6.6. If you are unable to upgrade you should review your settings to ensure no deprecated settings are used in your environment.|
|ESA-2017-05||CVE-2017-5645||2017-04-20||The version of Apache Log4j used in Logstash was vulnerable to an object deserialization flaw. This flaw could result in remote code execution by an attacker able to send arbitrary data to a Logstash Log4j plugin.||Users that currently use Logstash Log4j input plugin should upgrade the logstash-input-log4j plugin to version 3.0.5|
|ESA-2016-08||CVE-2016-10362||2016-11-15||Prior to Logstash version 5.0.1, Elasticsearch Output plugin when updating connections after sniffing, would log to file HTTP basic auth credentials.||Users who secure communication from Logstash to Elasticsearch via Basic Authorization using Elastic Shield or other systems are advised to upgrade to this version.|
|ESA-2016-06||CVE-2016-10363||2016-09-22||In Logstash versions prior to 2.3.3, when using the Netflow Codec plugin, a remote attacker crafting malicious Netflow v5, Netflow v9 or IPFIX packets could perform a denial of service attack on the Logstash instance. The errors resulting from these crafted inputs are not handled by the codec and can cause the Logstash process to exit.||Users that currently use Logstash's netflow codec plugin or may want to use it in the future should upgrade to 2.3.3 or later versions.|
|ESA-2016-02||CVE-2016-1000221||2016-07-07||Prior to version 2.3.4, Elasticsearch Output plugin would log to file HTTP authorization headers which could contain sensitive information.||Users who secure communication from Logstash to Elasticsearch via Basic Authorization using Elastic Shield or other systems are advised to upgrade to this version.|
|ESA-2016-01||CVE-2016-1000222||2016-02-02||Prior to version 2.1.2, the CSV output can be attacked via engineered input that will create malicious formulas in the CSV data.||Users that currently use Logstash CSV output plugin or may want to use it in the future should upgrade to 2.2.0 or 2.1.2.|
|ESA-2015-09||CVE-2015-5619||2015-07-22||All Logstash versions prior to 1.5.3 that use Lumberjack output is vulnerable to this man in the middle attack. Please note that Logstash Forwarder is not affected by this.||Users should upgrade to 1.5.4 or 1.4.5. Users that do not want to upgrade can address the vulnerability by disabling the Lumberjack output.|
|ESA-2015-07||CVE-2015-5378||2015-06-30||All Logstash versions prior to 1.5.2 that use Lumberjack input (in combination with Logstash Forwarder agent) are vulnerable to a SSL/TLS security issue called the FREAK attack. This allows an attacker to intercept communication and access secure data.||Users should upgrade to 1.5.3 or 1.4.4. Users that do not want to upgrade can address the vulnerability by disabling the Lumberjack input.|
|ESA-2015-04||CVE-2015-4152||2015-06-09||All Logstash versions prior to 1.4.3 that use the file output plugin are vulnerable to a directory traversal attack that allows an attacker to write files as the Logstash user.||Users should upgrade to 1.4.3 or 1.5.0 Users that do not want to upgrade can address the vulnerability by disabling the file output plugin.|
|ESA-2014-02||CVE-2014-4326||2014-06-24||Logstash 1.4.1 and prior, when configured to use the Zabbix or Nagios outputs, allows an attacker with access to send crafted events to Logstash inputs to cause Logstash to execute OS commands.||Upgrade to Logstash 1.4.2 or later, or disable the Zabbix and Nagios outputs.|
|ESA ID||CVE||Date Disclosed||Vulnerability Summary||Remediation Summary|
|ESA-2019-04||CVE-2019-7611||2019-02-19||A permission issue was found in Elasticsearch when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used . If the elasticsearch.yml file has xpack.security.dls_fls.enabled set to false, certain permission checks are skipped when users perform one of the actions mentioned above, to make existing data available under a new index/alias name. This could result in an attacker gaining additional permissions against a restricted index.||Users should upgrade to Elasticsearch version 6.6.1 or 5.6.15. Users unable to upgrade can change the xpack.security.dls_fls.enabled setting to true in their elasticsearch.yml file. The default setting for this option is true.|
|ESA-2018-19||CVE-2018-17247||2018-12-05||Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning’s find_file_structure API. If a policy allowing external network access has been added to Elasticsearch’s Java Security Manager then an attacker could send a specially crafted request capable of leaking content of local files on the Elasticsearch node. This could allow a user to access information that they should not have access to.|
Please note: by default Elasticsearch has the Java Security Manager enabled with policies which will cause this attack to fail.
|Affected users should upgrade to Elasticsearch version 6.5.2.|
|ESA-2018-16||CVE-2018-17244||2018-11-06||Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for another request if the same username is being authenticated concurrently; when used with run as, this can result in the request running as the incorrect user. This could allow a user to access information that they should not have access to.||Users should upgrade to Elasticsearch version 6.4.3.|
If upgrading is not possible setting the realm’s cache.ttl option to 0 will prevent caching any user data. This will mitigate this issue but will slow requests considerably.
|ESA-2018-15||CVE-2018-3831||2018-09-18||Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens, or usernames. This could allow an authenticated Elasticsearch user to improperly view these details.||Users should upgrade to Elasticsearch version 6.4.1 or 5.6.12. There are no known workarounds for this issue.|
|ESA-2018-10||CVE-2018-3826||2018-06-13||In Elasticsearch versions 6.0.0-beta1 to 6.2.4 a disclosure flaw was found in the _snapshot API. When the access_key and security_key parameters are set using the _snapshot API they can be exposed as plain text by users able to query the _snapshot API.|
Although it is advised in the 6.X _snapshot API documentation to define the access_key and security_key parameters in the keystore, it is still possible to define them outside of the keystore using the API.
|All users of Elasticsearch should upgrade to version 6.3.0. This update will prevent the _snapshot API from returning the access_key and security_key parameters in plain text.|
|ESA-2018-11||CVE-2018-3827||2018-06-13||A sensitive data disclosure flaw was found in the Elasticsearch repository-azure (formerly elasticsearch-cloud-azure) plugin. When the repository-azure plugin is set to log at TRACE level Azure credentials can be inadvertently logged.||All users of Elasticsearch should upgrade to version 6.3.0. This update will prevent the repository-azure plugin to expose Azure credentials in Elasticsearch logs.|
|ESA-2018-07||CVE-2018-3822||2018-03-20||X-Pack Security versions 6.2.0, 6.2.1, and 6.2.2 are vulnerable to a user impersonation attack via incorrect XML canonicalization and DOM traversal. An attacker might have been able to impersonate a legitimate user if the SAML Identity Provider allows for self registration with arbitrary identifiers and the attacker can register an account which an identifier that shares a suffix with a legitimate account. Both of those conditions must be true in order to exploit this flaw.||Users should upgrade to Elasticsearch version 6.2.3.|
|ESA-2017-19||CVE-2017-8448||2017-09-18||An error was found in the permission model used by X-Pack alerting whereby users mapped to certain built-in roles could create a watch that results in that user gaining elevated privileges.||Deployments of the Elastic Stack that utilize X-Pack alerting should be upgraded to version 5.6.1 to fix the privilege escalation issue.|
Users mapped to the built-in "watcher_admin" or "machine_learning_admin" roles, or any other role to which the "manage_ml" or "manage_watcher" cluster privilege has been assigned, should be reviewed and granted only to personnel with appropriate trust levels to read and write all indices.
|ESA-2017-18||CVE-2017-8447||2017-09-11||An error was found in the X-Pack Security privilege enforcement. If a user has either 'delete' or 'index' permissions on an index in a cluster, they may be able to issue both delete and index requests against that index.||X-Pack Security users should upgrade to version 5.6.0 or 5.5.3. If you cannot upgrade immediately you can workaround this issue by removing the 'delete' and 'index' permission from untrusted users.|
|ESA-2017-15||CVE-2017-8445||2017-08-17||An error was found in the X-Pack Security TLS trust manager for versions 5.0.0 to 5.5.1. If reloading the trust material fails the trust manager will be replaced with an instance that trusts all certificates. This could allow any node using any certificate to join a cluster. The proper behavior in this instance is for the TLS trust manager to deny all certificates.||X-Pack Security users should upgrade to version 5.5.2. Please note this attack cannot be triggered remotely. The most likely scenario would be local system corruption. Even though crossing a trust boundary cannot be forced by an attacker, we consider a security feature failing in this manner to be a flaw.|
|ESA-2017-10||CVE-2017-8442||2017-07-06||Elasticsearch X-Pack Security versions 5.0.0 to 5.4.3, when enabled, can result in the Elasticsearch _nodes API leaking sensitive configuration information, such as the paths and passphrases of SSL keys that were configured as part of an authentication realm. This could allow an authenticated Elasticsearch user to improperly view these details.||All users of X-Pack security should upgrade to version 5.5.0. This update will prevent the _nodes API from returning sensitive settings. If you cannot upgrade any sensitive settings can be hidden by using the X-Pack hide_settings configuration option.|
|ESA-2017-09||CVE-2017-8441||2017-06-01||X-Pack Security versions prior to 5.4.1 and 5.3.3 did not always correctly apply Document Level Security to index aliases. This bug could allow a user with restricted permissions to view data they should not have access to when performing certain operations against an index alias.||All users of X-Pack security should upgrade to version 5.3.3 or 5.4.1. If you cannot upgrade disabling the request cache on an index will mitigate this bug.|
|ESA-2017-06||CVE-2017-8438||2017-06-01||X-Pack Security versions 5.0.0 to 5.4.0 contain a privilege escalation bug in the run_as functionality. This bug prevents transitioning into the specified user specified in a run_as request. If a role has been created using a template that contains the _user properties, the behavior of run_as will be incorrect. Additionally if the run_as user specified does not exist, the transition will not happen.||User currently using run_as functionality should upgrade to X-Pack Security 5.4.1|
|ESA-2017-03||CVE-2017-8449||2017-03-28||When merging multiple rules with field level security rules for the same index, X-Pack Security 5.2.x would allow access to more fields than the user should have seen if the field level security rules used a mix of grant and exclude rules.|
|ESA-2017-01||CVE-2017-8450||2017-01-23||In some cases, X-Pack 5.1.1 did not properly apply document and field level security to multi-search and multi-get requests so users without access to a document and/or field may have been able to access this information.||Users should upgrade to v5.1.2 or above, or restrict access to the multi-search and multi-get APIs.|
|ESA-2015-08||CVE-2015-5531||2015-07-16||Elasticsearch versions from 1.0.0 to 1.6.0 are vulnerable to a directory traversal attack.||Users should upgrade to 1.6.1 or later, or constrain access to the snapshot API to trusted sources.|
|ESA-2015-06||CVE-2015-5377||2015-07-16||Elasticsearch versions prior to 1.6.1 are vulnerable to an attack that can result in remote code execution.||Users should upgrade to 1.6.1 or 1.7.0. Alternately, ensure that only trusted applications have access to the transport protocol port.|
|ESA-2015-05||CVE-2015-4165||2015-04-27||All Elasticsearch versions from 1.0.0 to 1.5.2 are vulnerable to an attack that uses Elasticsearch to modify files read and executed by certain other applications.||Users should upgrade to 1.6.0. Alternately, ensure that other applications are not present on the system, or that Elasticsearch cannot write into areas where these applications would read.|
|ESA-2015-02||CVE-2015-3337||2015-04-27||All Elasticsearch versions prior to 1.5.2 and 1.4.5 are vulnerable to a directory traversal attack that allows an attacker to retrieve files from the server running Elasticsearch when one or more site plugins are installed, or when Windows is the server OS.||Users should upgrade to 1.4.5 or 1.5.2. Users that do not want to upgrade can address the vulnerability by disabling site plugins. See the CVE description for additional options.|
|ESA-2015-01||CVE-2015-1427||2015-02-11||Elasticsearch versions 1.3.0-1.3.7 and 1.4.0-1.4.2 have vulnerabilities in the Groovy scripting engine that were introduced in 1.3.0. The vulnerability allows an attacker to construct Groovy scripts that escape the sandbox and execute shell commands as the user running the Elasticsearch Java VM.||Users should upgrade to 1.3.8 or 1.4.3. Users that do not want to upgrade can address the vulnerability by setting script.groovy.sandbox.enabled to false in elasticsearch.yml and restarting the node.|
|ESA-2014-03||CVE-2014-6439||2014-11-05||Elasticsearch versions 1.3.x and prior have a default configuration for CORS that allows an attacker to craft links that could cause a user's browser to send requests to Elasticsearch instances on their local network. These requests could cause data loss or compromise.||Users should either set "http.cors.enabled" to false, or set "http.cors.allow-origin" to the value of the server that should be allowed access, such as localhost or a server hosting Kibana. Disabling CORS entirely with the former setting is more secure, but may not be suitable for all use cases.|
|ESA-2014-01||CVE-2014-3120||2014-05-22||In Elasticsearch versions 1.1.x and prior, dynamic scripting is enabled by default. This could allow an attacker to execute OS commands.||Disable dynamic scripting.|
|ESA ID||CVE||Date Disclosed||Vulnerability Summary||Remediation Summary|
|ESA-2019-01||CVE-2019-7608||2019-02-19||Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS) vulnerability that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.||Users should upgrade to Kibana version 6.6.1 or 5.6.15|
|ESA-2018-17||CVE-2018-17245||2018-11-06||Yuri Astrakhan and Nick Peihl of Elastic discovered Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are used when generating PDF reports. If a report requests external resources plaintext credentials are included in the HTTP request that could be recovered by an external resource provider.||Users should upgrade to Elastic Stack version 6.4.3 or 5.6.13|
Users unable to upgrade can disable the Reporting feature in Kibana by setting xpack.reporting.enabled to false in the kibana.yml file. This does not prevent previously leaked credentials from being reused.
For more information about mitigating from this flaw please see our blog post.
Users unable to upgrade can disable the Kibana Console plugin. The Console plugin can be disabled by setting “console.enabled: false” in the kibana.yml file.
|ESA-2018-14||CVE-2018-3830||2018-09-18||Kibana versions 5.3.0 to 6.4.1 had a cross-site scripting (XSS) vulnerability via the source field formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.||Users should upgrade to Kibana version 6.4.1 or 5.6.12. There are no known workarounds for this issue.|
|ESA-2018-08||CVE-2018-3824||2018-04-17||X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. If an attacker is able to inject data into an index that has a ML job running against it, then when another user views the results of the ML job it could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of that other ML user.||Users should upgrade to Elasticsearch version 6.2.4 or 5.6.9|
|ESA-2018-06||CVE-2018-3823||2018-04-17||X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. Users with manage_ml permissions could create jobs containing malicious data as part of their configuration that could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of other ML users viewing the results of the jobs.||Users should upgrade to Elasticsearch version 6.2.4 or 5.6.9|
|ESA-2018-05||CVE-2018-3821||2018-01-30||Kibana versions after 5.1.1 and before 5.6.7 and 6.1.3 had a cross-site scripting (XSS) vulnerability in the tag cloud visualization that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.||Users should upgrade to Kibana version 6.1.3 or 5.6.7. There are no known workarounds for this issue.|
|ESA-2018-04||CVE-2018-3820||2018-01-30||Kibana versions after 6.1.0 and before 6.1.3 had a cross-site scripting (XSS) vulnerability in labs visualizations that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.||Users of affected versions should upgrade to Kibana version 6.1.3. There are no known workarounds for this issue.|
|ESA-2018-03||CVE-2018-3819||2018-01-30||The fix in Kibana for ESA-2017-23 was incomplete. With X-Pack security enabled, Kibana versions before 6.1.3 and 5.6.7 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.||Users should upgrade to Kibana version 6.1.3 or 5.6.7. There are no known workarounds for this issue.|
|ESA-2018-02||CVE-2018-3818||2018-01-16||Kibana versions 5.1.1 to 6.1.2 and 5.6.6 had a cross-site scripting (XSS) vulnerability via the colored fields formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.||Users should upgrade to Kibana version 6.1.2 or 5.6.6. There are no known workarounds for this issue.|
|ESA-2017-24||CVE-2017-1001002||2017-12-19||Kibana version 6.1.0 had an arbitrary code execution vulnerability in the Math.js package which is used by math aggregations in Time Series Visual Builder. Kibana users could construct a math aggregation capable of executing arbitrary code on the Kibana server.||Anyone running Kibana 6.1.0 should upgrade to Kibana version 6.1.1. If you are unable to upgrade, you may set "metrics.enabled: false" in the kibana.yml file to disable the Time Series Visual Builder feature.|
|ESA-2017-23||CVE-2017-11482||2017-12-06||The Kibana fix for CVE-2017-8451 was found to be incomplete. With X-Pack installed, Kibana versions before 6.0.1 and 5.6.5 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.||Users should upgrade to Kibana version 6.0.1 or 5.6.5. There are no known workarounds for this issue.|
|ESA-2017-22||CVE-2017-11481||2017-12-06||Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.||Users should upgrade to Kibana version 6.0.1 or 5.6.5. There are no known workarounds for this issue.|
|ESA-2017-20||CVE-2017-11479||2017-09-18||Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.||Users should upgrade to Kibana version 5.6.1. There are no known workarounds for this issue.|
|ESA-2017-17||CVE-2017-8446||2017-08-17||The Reporting feature in X-Pack in versions prior to 5.5.2 and standalone Reporting plugin versions versions prior to 2.4.6 had an impersonation vulnerability. A user with the reporting_user role could execute a report with the permissions of another reporting user, possibly gaining access to sensitive data.||Reporting users should upgrade to X-Pack version 5.5.2 or Reporting Plugin version 2.4.6. A mitigation for this issue is to remove the reporting_user role from any untrusted users of your Elastic Stack.|
|ESA-2017-16||2017-08-17||Kibana versions prior to 5.5.2 had a cross-site scripting (XSS) vulnerability in the markdown parser that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.||Users should upgrade to Kibana version 5.5.2 or 4.6.5.|
|ESA-2017-14||CVE-2017-11499||2017-07-25||The version of Node.js shipped in all versions of Kibana prior to 5.5.1 contains a Denial of Service flaw in it's HashTable random seed. This flaw could allow a remote attacker to consume resources within Node.js preventing Kibana from servicing requests.||Administrators running Kibana in an environment with untrusted users should upgrade to version 5.5.1 or 4.6.5. There is no workaround for this issue, the flaw can be triggered by an unauthenticated anonymous user.|
|ESA-2017-11||CVE-2017-8443||2017-06-27||In Kibana X-Pack security versions prior to 5.4.3 if a Kibana user opens a crafted Kibana URL the result could be a redirect to an improperly initialized Kibana login screen. If the user enters credentials on this screen, the credentials will appear in the URL bar. The credentials could then be viewed by untrusted parties or logged into the Kibana access logs.||We believe the severity of this issue is low since the issue can be triggered only by a crafted URL, and it will be very difficult for an external attacker to acquire credentials even with the vulnerability. Kibana users concerned with this issue should upgrade to version 5.4.3 or later.|
|ESA-2017-08||CVE-2017-8440||2017-06-01||Starting in version 5.3.0, Kibana had a cross-site scripting (XSS) vulnerability in the Discover page that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. Thanks to Thomas Gøytil for reporting this issue.||All users of Kibana 5.3 or 5.4 should upgrade to versions 5.3.3 and 5.4.1.|
|ESA-2017-07||CVE-2017-8439||2017-06-01||Kibana version 5.4.0 was affected by a Cross Site Scripting (XSS) bug in the Time Series Visual Builder. This bug could allow an attacker to obtain sensitive information from Kibana users.||All Kibana 5.4.0 users should upgrade to version 5.4.1. If upgrading is impossible, the time series visual builder can be disabled by setting metrics.enabled: false in the kibana.yml. Note that this will trigger a re-optimization when you restart Kibana.|
|ESA-2017-04||CVE-2017-8451||2017-04-20||With X-Pack installed, Kibana versions before 5.3.1 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website. Shield versions for Kibana prior to 2.4.5 are also affected.||Users should upgrade to Kibana version 5.3.1 as soon as possible. Users on Kibana 4.6 should update the Kibana Shield plugin to 2.4.5.|
|ESA-2017-02||CVE-2017-8452||2017-02-14||When Kibana is configured for SSL client access, file descriptors will fail to be cleaned up after certain requests and will accumulate over time until the process crashes. Requests that are canceled before data is sent can also crash the process.||Users of previous versions Kibana 5 that have SSL configured should upgrade to 5.2.1 immediately. Terminating SSL at a reverse proxy or load balancer will act as a workaround. Kibana version 4 is not affected.|
|ESA-2016-10||CVE-2016-10364||2016-11-29||With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 were not properly authenticating requests to advanced settings and the short URL service, so any authenticated user could make requests to those services regardless of their own permissions.||Users of Kibana and X-Pack versions 5.0.0 and 5.0.1 that have user-specific permissions for advanced settings or short URLs should upgrade to 5.0.2 as soon as possible.|
|ESA-2016-09||CVE-2016-10365||2016-11-15||Kibana versions before 4.6.3 and 5.0.1 have an open redirect vulnerability that would enable an attacker to craft a link in the Kibana domain that redirects to an arbitrary website. Thanks to the GE Digital Security Team for finding the issue.||Users should upgrade to 5.0.1 or 4.6.3 as soon as possible.|
|ESA-2016-05||CVE-2016-1000218||2016-09-06||Version 2.4.0 of the Reporting plugin is vulnerable to a CSRF vulnerability that could allow an attacker to generate superfluous reports whenever an authenticated Kibana user navigates to a specially-crafted page.||Users of the Reporting plugin should upgrade Kibana to 4.6.1 and Reporting to 2.4.1.|
|ESA-2016-04||CVE-2016-1000219||2016-08-03||When a custom output is configured for logging in versions of Kibana before 4.5.4 and 4.1.11, cookies and authorization headers could be written to the log files. This information could be used to hijack sessions of other users when using Kibana behind some form of authentication such as Shield.||Users should upgrade to 4.5.4 or 4.1.11.|
|ESA-2015-11||CVE-2015-9056||2015-12-17||Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a XSS attack.||Users should upgrade to 4.1.3 or 4.2.1.|
|ESA-2015-10||CVE-2015-8131||2015-11-17||Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a CSRF attack.||Users should upgrade to 4.1.3 or 4.2.1.|
|ESA-2015-03||CVE-2015-4093||2015-06-29||Kibana versions 4.0.0, 4.0.1 and 4.0.2 are vulnerable to a cross-site scripting attack.||Users should upgrade to 4.0.3.|
|ESA ID||CVE||Date Disclosed||Vulnerability Summary||Remediation Summary|
|ESA-2019-06||CVE-2019-7613||2019-03-19||Nate Guagenti (@neu5ron), solutions engineer with Perched Inc. reported an issue in Winlogbeat versions before 5.6.16 and 6.6.2 had an insufficient logging flaw. An attacker able to inject certain characters into a log entry could prevent Winlogbeat from recording the event.||Users should upgrade to Winlogbeat version 6.6.2 or 5.6.16|
|ESA-2017-21||CVE-2017-11480||2017-01-07||Packetbeat versions prior to 5.6.4 are affected by a denial of service flaw in the PostgreSQL protocol handler. If Packetbeat is listening for PostgreSQL traffic and a user is able to send arbitrary network traffic to the monitored port, the attacker could prevent Packetbeat from properly logging other PostgreSQL traffic.||Users should upgrade to Packetbeat version 5.6.4. This issue can be avoided by disabling the PostgreSQL protocol.|
Elastic Cloud Enterprise
|ESA ID||CVE||Date Disclosed||Vulnerability Summary||Remediation Summary|
|ESA-2018-09||CVE-2018-3825||2018-06-13||In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 a default master encryption key is used in the process of granting ZooKeeper access to Elasticsearch clusters. Unless explicitly overwritten, this master key is predictable across all ECE deployments. If an attacker can connect to ZooKeeper directly they would be able to access configuration information of other tenants if their cluster ID is known.||New deployments should target 1.1.4 or greater release. It is recommended that existing deployments perform an upgrade. Additionally ECE deployments that are susceptible to remote code execution are recommended to rotate their existing credentials using a cleanup script. Please find instructions and more information in the release notes|
|ESA-2018-12||CVE-2018-3828||2018-06-13||Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 contain an information exposure vulnerability. It was discovered that certain exception conditions would result in encryption keys, passwords, and other security sensitive headers being leaked to the allocator logs. An attacker with access to the logging cluster may obtain leaked credentials and perform authenticated actions using these credentials.||All users of Elastic Cloud Enterprise should upgrade to version 1.1.4. This ensure credentials are properly redacted under error conditions.|
|ESA-2018-13||CVE-2018-3829||2018-06-13||In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 it was discovered that a user could scale out allocators on new hosts with an invalid roles token. An attacker with access to the previous runner ID and IP address of the coordinator-host could add a allocator to an existing ECE install to gain access to other clusters data.||All users of Elastic Cloud Enterprise should upgrade to version 1.1.4. This ensure role tokens are properly revoked for previous deleted runner roles.|
|ESA-2017-13||CVE-2017-8444||2017-09-12||The client-forwarder in Elastic Cloud Enterprise versions prior to 1.0.2 do not properly encrypt traffic to ZooKeeper. If an attacker is able to man in the middle (MITM) the traffic between the client-forwarder and ZooKeeper they could potentially obtain sensitive data.||All Elastic Cloud Enterprise users should upgrade to version 1.0.2. There is no known workaround for this issue.|