Service Notices

Kibana Remote Code Execution Vulnerability (CVE-2019-7609)

Nov 12, 2019 GMT+08:00

I. Overview

A remote code execution vulnerability in Kibana (CVE-2019-7609) was recently disclosed, together with a working exploit, by a security researcher outside China. The flaw is a prototype pollution issue in the Timelion visualizer: an attacker with access to the Timelion application can send a request that causes the Kibana process to execute attacker-supplied JavaScript, and through it arbitrary commands with the permissions of the Kibana process on the host system.

We therefore remind you to check your deployments against the affected versions below and to apply the fix or the hardening measures without delay.

Reference links:

https://slides.com/securitymb/prototype-pollution-in-kibana

https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
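As an added illustration (not code from this notice, and not Kibana's own code), the following Node.js snippet shows the prototype pollution bug class that the first reference link describes: a path-setting helper that trusts attacker-controlled key names, the process-wide effect of a single write through `__proto__`, and a hardened variant that refuses such paths. The helper names `setPath`, `safeSetPath` and `demoVulnerable` are invented for the example; the actual Timelion code path differs and is documented in the referenced slides.

```javascript
// Added illustration of the prototype-pollution bug class behind CVE-2019-7609.
// This is not Kibana's code: the real Timelion code path is described in the
// slides linked above, and the helpers here (setPath, safeSetPath,
// demoVulnerable) are invented for the demonstration.

// A "set a value at a dotted path" helper of the kind found in many Node.js
// codebases. It trusts the key names in the path, so when an attacker controls
// the path (for instance from a request body or a query expression) a path
// starting with "__proto__" walks into Object.prototype and writes there.
function setPath(target, path, value) {
  const keys = path.split('.');
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Shows the effect: a property written through "__proto__" becomes visible on
// every plain object in the process, including option objects that unrelated
// code reads later. That is what turns a "harmless" property write into
// influence over code paths the attacker never touched directly.
function demoVulnerable() {
  const before = ({}).polluted;                 // undefined: nothing set yet
  setPath({}, '__proto__.polluted', 'attacker');
  const after = ({}).polluted;                  // 'attacker': a brand-new object sees it
  delete Object.prototype.polluted;             // undo the pollution for the rest of the process
  return { before, after };
}

// Hardened variant: refuse the keys that reach the prototype chain, and only
// descend through the target's own properties so an inherited property can
// never be used as a stepping stone.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeSetPath(target, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) throw new Error(`refusing to write through key "${k}"`);
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (!Object.prototype.hasOwnProperty.call(cur, k) || typeof cur[k] !== 'object' || cur[k] === null) {
      cur[k] = Object.create(null);             // intermediate node without a prototype
    }
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}
```

Run it with `node`: `demoVulnerable()` returns `{ before: undefined, after: 'attacker' }`, while `safeSetPath({}, '__proto__.polluted', 'attacker')` throws instead of touching `Object.prototype`. Note that `JSON.parse` happily produces an own property named `__proto__` from a request body, so the same guard belongs in any recursive merge or "apply options" routine that walks untrusted keys.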

II. Severity

Severity: important

(Severity: low, moderate, important, and critical)

III. Affected Product

Kibana 6.x versions before 6.6.1

Kibana 5.x versions before 5.6.15

IV. Solutions

Elastic has fixed this vulnerability in Kibana 6.6.1 and 5.6.15. If your version falls into the affected range, upgrade to the fixed release of your line, or to a later version.

Kibana 6.6.1: https://www.elastic.co/downloads/past-releases/kibana-6-6-1

Kibana 5.6.15: https://www.elastic.co/downloads/past-releases/kibana-5-6-15

Workarounds

1. Put Kibana behind authentication and access control, and use strong passwords. This only narrows who can reach Timelion: any user who can open the Timelion application can still trigger the flaw, so it is not a substitute for the upgrade.

2. Disable the Timelion application by setting timelion.enabled to false in the kibana.yml configuration file and restarting Kibana. If you must keep Timelion enabled, do not expose Kibana to the public network.
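The following Node.js helper is an added example of the self-check this notice asks for; it is not part of the notice and not Kibana's code. It decides from a version string (such as the `version.number` field in the JSON Kibana serves at `/api/status`) whether an instance falls into the affected ranges listed in section III, and reads a `kibana.yml` excerpt to see whether the Timelion workaround is in place. The sample status document and configuration excerpt are constructed for the example, and the function names (`isAffected`, `timelionDisabled`, `selfCheck`) are invented.

```javascript
// Added self-check helper, not part of the original notice or of Kibana.
// It classifies a Kibana version against the affected ranges in this notice
// (before 5.6.15 on the 5.x line, before 6.6.1 on the 6.x line) and checks
// whether a kibana.yml text applies the Timelion workaround.

function parseVersion(s) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(s).trim());
  if (!m) throw new Error(`unparseable Kibana version: ${JSON.stringify(s)}`);
  return m.slice(1).map(Number);
}

// Numeric, component-wise comparison (so 6.10.0 > 6.6.1, unlike a string compare).
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// First fixed release per major line, as given in this notice.
const FIXED = { 5: [5, 6, 15], 6: [6, 6, 1] };

function isAffected(versionString) {
  const v = parseVersion(versionString);
  const fixed = FIXED[v[0]];
  if (fixed) return compareVersions(v, fixed) < 0;
  // Majors older than 5 are "before 6.6.1" in the notice's wording and are treated as
  // affected; 7.0 and later were released after the fix and are treated as not affected.
  return v[0] < 5;
}

// Minimal kibana.yml reader for the one key this notice cares about. It accepts
// the flat "timelion.enabled: false" form and a one-level nested block
// ("timelion:" followed by an indented "enabled: false"); comments are ignored.
function timelionDisabled(yamlText) {
  let section = null;
  for (const raw of yamlText.split('\n')) {
    const line = raw.replace(/#.*$/, '').replace(/\s+$/, '');
    if (!line.trim()) continue;
    const indented = /^\s/.test(line);
    if (!indented) section = null;
    const m = /^\s*([\w.]+):\s*(.*)$/.exec(line);
    if (!m) continue;
    const [, key, value] = m;
    const fullKey = indented && section ? `${section}.${key}` : key;
    if (!indented && value === '') section = key;   // "timelion:" opens a block
    if (fullKey === 'timelion.enabled') return value.toLowerCase() === 'false';
  }
  return false; // key absent: Kibana enables Timelion by default
}

// Constructed sample inputs (not captured from a real host): a status document
// shaped like the JSON Kibana serves at /api/status, and a kibana.yml excerpt
// in which the workaround line is present but commented out.
const SAMPLE_STATUS = JSON.stringify({ name: 'kibana', version: { number: '6.6.0', build_snapshot: false } });
const SAMPLE_KIBANA_YML = [
  'server.host: "0.0.0.0"',
  '# timelion.enabled: false',
].join('\n');

function selfCheck(statusJson, kibanaYml) {
  const version = JSON.parse(statusJson).version.number;
  const affected = isAffected(version);
  const workaround = timelionDisabled(kibanaYml);
  let action;
  if (!affected) action = 'not in the affected range';
  else if (workaround) action = 'affected, Timelion disabled: upgrade when possible';
  else action = 'affected and Timelion enabled: upgrade to 6.6.1 / 5.6.15 or set timelion.enabled: false';
  return { version, affected, workaround, action };
}

console.log(selfCheck(SAMPLE_STATUS, SAMPLE_KIBANA_YML));
```

To use it against a live instance, fetch `/api/status` from the Kibana host (with whatever authentication your deployment requires) and pass the body as `statusJson`, and pass the contents of the running `kibana.yml` as `kibanaYml`; a result of `affected: true, workaround: false` means the host needs the upgrade or the Timelion workaround before anything else.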

Note: Before applying a fix, back up your data and configuration and test the change thoroughly.