Advisory

Elastic reports critical vulnerabilities in Kibana, releases patch

Take action: Not a panic mode patch, since the critical flaws require specific permissions or use cases. But definitely plan to update your Kibana to the latest version.



The Kibana analysis and visualization platform is currently at risk due to two critical vulnerabilities that could allow attackers to execute arbitrary code on affected systems. These vulnerabilities, CVE-2024-37288 and CVE-2024-37285, are present in Kibana version 8.15.0 and earlier versions.

  • CVE-2024-37288 (CVSS score 9.9) - This vulnerability is caused by a deserialization issue in Kibana's YAML document processing. When Kibana attempts to parse a YAML document with a crafted payload, it can lead to arbitrary code execution. This flaw affects users who utilize Elastic Security’s built-in AI tools and have configured an Amazon Bedrock connector.

    • Affected Versions: Kibana version 8.15.0.

  • CVE-2024-37285 (CVSS score 9.1) - This vulnerability also results from a deserialization issue that could lead to arbitrary code execution when Kibana processes a YAML document with a specially crafted payload. However, a successful attack requires that the attacker meet several specific conditions:

    • The attacker must have certain Elasticsearch indices privileges and Kibana privileges:

      • Elasticsearch indices privileges: write access to the system indices .kibana_ingest*, with the allow_restricted_indices flag set to true.

      • Kibana Privileges: Any of the following privileges:

        • "All" privilege under Fleet.
        • "Read" or "All" privilege under Integration.
        • Access to the fleet-setup privilege through the Fleet Server’s service account token.
    • Affected Versions: Kibana versions from 8.10.0 up to and including 8.15.0.
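
An added audit sketch (not Elastic's code and not part of the original advisory): it checks a Kibana version against the per-CVE ranges listed above and flags Elasticsearch roles that meet the index-side precondition for CVE-2024-37285. The sample roles are constructed, the set of privileges treated as write-capable is an assumption, and the Kibana-side privileges (Fleet, Integration, fleet-setup) are not checked.

```python
import json

# Affected ranges as stated in the advisory (inclusive bounds).
AFFECTED = {
    "CVE-2024-37288": ((8, 15, 0), (8, 15, 0)),
    "CVE-2024-37285": ((8, 10, 0), (8, 15, 0)),
}
TARGET_PREFIX = ".kibana_ingest"  # the advisory's .kibana_ingest* system indices
# Assumption: index privileges treated as write-capable for this audit.
WRITE_PRIVS = {"all", "write", "index", "create", "create_doc", "delete"}

def affected_cves(version):
    """Return the CVEs from this advisory that apply to a Kibana version string."""
    v = tuple(int(p) for p in version.split("-")[0].split("."))
    return sorted(c for c, (lo, hi) in AFFECTED.items() if lo <= v <= hi)

def overlaps_target(pattern):
    """True if a role's index pattern can match a name under .kibana_ingest*."""
    if pattern.startswith("/"):  # regex pattern: not evaluated, flag conservatively
        return True
    head = pattern.split("*", 1)[0]  # literal text before the first wildcard
    return head.startswith(TARGET_PREFIX) or ("*" in pattern and TARGET_PREFIX.startswith(head))

def risky_roles(roles):
    """Names of roles meeting the advisory's Elasticsearch-side precondition."""
    def risky(entry):
        return (entry.get("allow_restricted_indices") is True
                and bool(WRITE_PRIVS & set(entry.get("privileges", [])))
                and any(overlaps_target(p) for p in entry.get("names", [])))
    return sorted(n for n, r in roles.items() if any(map(risky, r.get("indices", []))))

# Constructed sample in the shape returned by GET /_security/role.
SAMPLE_ROLES = json.loads("""{
  "fleet_writer": {"indices": [{"names": [".kibana_ingest*"],
      "privileges": ["write"], "allow_restricted_indices": true}]},
  "broad_admin": {"indices": [{"names": ["*"],
      "privileges": ["all"], "allow_restricted_indices": true}]},
  "log_shipper": {"indices": [{"names": ["logs-*"],
      "privileges": ["write"], "allow_restricted_indices": true}]},
  "kibana_reader": {"indices": [{"names": [".kibana*"],
      "privileges": ["read"], "allow_restricted_indices": true}]},
  "unrestricted_off": {"indices": [{"names": [".kibana_ingest*"],
      "privileges": ["write"], "allow_restricted_indices": false}]}
}""")

if __name__ == "__main__":
    print(affected_cves("8.15.0"), risky_roles(SAMPLE_ROLES))
```

To audit a live cluster, replace SAMPLE_ROLES with the parsed output of GET /_security/role.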

The latest version of Kibana (8.15.1) addresses both CVE-2024-37288 and CVE-2024-37285. It is highly recommended that all users apply this update as soon as possible to secure their systems.

If an upgrade is not immediately possible, disable the integration assistant by modifying the kibana.yml file with:

xpack.integration_assistant.enabled: false