Advisory

Kibana patches critical arbitrary code execution flaw

Take action: This is a nasty bug for all Internet-accessible Kibana instances, which are a significant majority. First check whether your Kibana is exposed to the internet. If it is, patch ASAP, or lock it down to a trusted network and then plan to patch.


Learn More

Elastic has released a security update for its open-source data visualization and exploration tool, Kibana.

This update addresses a vulnerability tracked as CVE-2024-37287 (CVSS score 9.9). The flaw allows an attacker with access to machine learning and alerting connector features, and write access to internal machine learning indices, to exploit prototype pollution. Prototype pollution occurs when an attacker can alter the prototype of a JavaScript object, injecting arbitrary properties inherited by all instances of the affected object. This vulnerability can lead to arbitrary code execution, thereby enabling attackers to take over Kibana instances.
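The pattern the paragraph above describes, as an added example that is not Kibana's code and does not reproduce CVE-2024-37287: a naive recursive merge that copies a `__proto__` key from parsed JSON onto `Object.prototype`, beside a hardened merge that rejects such keys, driven by a constructed payload so the difference is visible.

```javascript
function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Naive deep merge: copies every key, "__proto__" included. target["__proto__"]
// resolves to Object.prototype, so the recursion writes the attacker-controlled
// properties onto the prototype shared by every plain object.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened deep merge: drops keys that reach the prototype chain and only
// recurses into the target's own properties, never inherited ones.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed payload, parsed from JSON on purpose: a "__proto__" key in JSON
// becomes an ordinary own property; in an object literal it would only set the prototype.
const PAYLOAD = '{"name":"job1","__proto__":{"polluted":true}}';

// Merge the payload and report whether an unrelated, freshly created object
// now inherits the injected property; then undo any pollution.
function demonstrate(mergeFn) {
  const config = mergeFn({}, JSON.parse(PAYLOAD));
  const polluted = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { name: config.name, polluted };
}
console.log('naive:', demonstrate(naiveMerge)); // { name: 'job1', polluted: true }
console.log('safe: ', demonstrate(safeMerge));  // { name: 'job1', polluted: false }
```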

Affected Versions:

  • Kibana 8.x: Versions before 8.14.2
  • Kibana 7.x: Versions before 7.17.23

Impacted Deployment Instances:

  • Self-managed installations
  • Docker images
  • Elastic Cloud
  • Elastic Cloud Enterprise (ECE)
  • Elastic Cloud on Kubernetes (ECK)

In some environments, containment mechanisms limit code execution to within the container, and additional protections are in place to prevent further exploitation such as container escapes.

Recommendations:

Users are strongly urged to upgrade to the latest patched versions:

  • Kibana 8.x: Version 8.14.2
  • Kibana 7.x: Version 7.17.23

These updates include essential patches that mitigate the risk of arbitrary code execution.
