Bug 1044849 (CVE-2016-10364)

Summary: VUL-0: kibana: Multiple security issues
Product: [Novell Products] SUSE Security Incidents
Reporter: Johannes Segitz <jsegitz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: IN_PROGRESS ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: CVSSv3.1:SUSE:CVE-2017-8452:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) maint:planned:update
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Johannes Segitz 2017-06-19 06:31:40 UTC
This is a courtesy bug from your friendly security team. We don't maintain
kibana but it seems like you have a vulnerable version in SUSE:SLE-12-SP3:Update:Products:Cloud8 (we didn't analyze the listed issues in detail, but it seems like the majority is present in your version). 
Feel free to close this bug at any time.

CVE-2017-8452
Summary: 	Kibana versions prior to 5.2.1 configured for SSL client access, file descriptors will fail to be cleaned up after certain requests and will accumulate over time until the process crashes.
Url: 	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8452

CVE-2017-8451
Summary: 	With X-Pack installed, Kibana versions before 5.3.1 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.
Url: 	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8451

CVE-2017-8450
Summary: 	X-Pack 5.1.1 did not properly apply document and field level security to multi-search and multi-get requests so users without access to a document and/or field may have been able to access this information.
Url: 	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8450

CVE-2017-8449
Summary: 	X-Pack Security 5.2.x would allow access to more fields than the user should have seen if the field level security rules used a mix of grant and exclude rules when merging multiple rules with field level security rules for the same index.
Url: 	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8449

CVE-2016-10366
Summary: 	Kibana versions after and including 4.3 and before 4.6.2 are vulnerable to a cross-site scripting (XSS) attack.
Url: 	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10366

CVE-2016-10365
Summary: 	Kibana versions before 4.6.3 and 5.0.1 have an open redirect vulnerability that would enable an attacker to craft a link in the Kibana domain that redirects to an arbitrary website.
Url: 	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10365

CVE-2016-10364
Summary: 	With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 were not properly authenticating requests to advanced settings and the short URL service, any authenticated user could make requests to those services regardless of their own permissions.
Url: 	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10364
Comment 2 Johannes Grassler 2021-01-15 12:31:38 UTC
This is going to be a long one, so here's the tl;dr:

1) None of the original CVEs in this bug affect us (details below).

2) While looking into them, I found a whole bunch of others on
   https://www.elastic.co/community/security, some of which definitely affect
   us and some of which might (details further below).

3) An update to 4.6.5 should take care of the first two "new" CVEs. From the
   change log that does not look like a problematic update, but I'll test drive
   it against all Cloud versions anyway to be sure. The remaining 3 will need
   backports if they do affect us.

The other recent CVEs listed on https://www.elastic.co/community/security
should _not_ affect us since they affect Kibana components or Node.js versions
we do not ship/use (I went through the whole list up to and including
CVE-2020-7017).

Original CVEs
=============

CVE-2017-8452, ESA-2017-02:

This one does not affect us since 4.6.3 does not have the problematic SSL
client access feature at all. That feature was introduced in

  https://github.com/elastic/kibana/commit/5a4263835d7af2eb4e91c80f6482865e727eee35

and removed again in

  https://github.com/elastic/kibana/commit/4662635087849c6341950f7d4eca58a31ae1cdf8

Both of these happened well after version 4.6.3 which we are shipping.


CVE-2017-8451, ESA-2017-04 / CVE-2017-8450, ESA-2017-01:

These two do not affect us. We neither use the login page (we use
monasca-kibana-plugin for authentication through the openstack-dashboard
(Horizon) session), nor do we ship X-Pack (it's only included in Kibana itself
in versions 6.2 and up - we ship 4.6.3 which does not include it, yet).

CVE-2017-8449:

This one does not affect us since we do not ship X-Pack with Kibana.

CVE-2016-10366:

This one was fixed in Kibana 4.6.2 and we are shipping 4.6.3.

CVE-2016-10365:

This one was fixed in

  https://github.com/elastic/kibana/commit/3927080fc1659c5ea3b3c65f6068811f64acb423

which is included in Kibana 4.6.3.

CVE-2016-10364

This one does not affect us since we do not ship X-Pack with Kibana. So much
for the CVEs mentioned.


New CVEs found on https://www.elastic.co/community/security
===========================================================

While looking into them I did discover a whole lot of other CVEs that may
affect us on https://www.elastic.co/community/security though:

CVE-2017-11499 ESA-2017-14
The version of Node.js shipped in all versions of Kibana prior to
5.5.1 contains a Denial of Service flaw in its HashTable random seed. This
flaw could allow a remote attacker to consume resources within Node.js
preventing Kibana from servicing requests. Fixed in 4.6.5.

ESA-2017-16 Kibana versions prior to 5.5.2 had a cross-site scripting (XSS)
vulnerability in the markdown parser that could allow an attacker to obtain
sensitive information from or perform destructive actions on behalf of other
Kibana users. Fixed in 4.6.5.

CVE-2017-11479, ESA-2017-20 Kibana versions prior to 5.6.1 had a
cross-site scripting (XSS) vulnerability in Timelion that could allow an
attacker to obtain sensitive information from or perform destructive actions on
behalf of other Kibana users. Fixed in 5.6.1, backport to 4.6.x might be needed.

CVE-2017-11481, ESA-2017-22 Kibana versions prior to 6.0.1 and 5.6.5 had a
cross-site scripting (XSS) vulnerability via URL fields that could allow an
attacker to obtain sensitive information from or perform destructive actions on
behalf of other Kibana users. Fixed in 5.6.5, backport to 4.6.x might be needed.

CVE-2019-10744, ESA-2019-10 A prototype pollution flaw exists in lodash, a
component used by Kibana. An attacker with access to Kibana may be able to use
this lodash flaw to unexpectedly modify internal Kibana data. We may be
affected, but it may not be worth the - likely considerable - effort of
backporting since according to the advisory, "No exploitable vectors in Kibana
have been identified at the time of publishing."
Comment 3 Johannes Grassler 2021-01-22 17:30:45 UTC
Alright, I've got packages with Kibana 4.6.6 (fixes 
CVE-2017-11499/ESA-2017-14 and ESA-2017-16) and an additional patch for 
CVE-2017-11481, ESA-2017-22 now:

https://build.opensuse.org/package/show/home:jgrassler:branches:Cloud:OpenStack:Newton/kibana
https://build.opensuse.org/package/show/home:jgrassler:branches:Cloud:OpenStack:Pike/kibana
https://build.opensuse.org/package/show/home:jgrassler:branches:Cloud:OpenStack:Rocky/kibana

Strictly unofficial (they still need to pass CI/QA), but for me they worked for Cloud 7, Cloud 8, Cloud 9.

I did not patch the following two:

* CVE-2017-11479, ESA-2017-20: turns out this one does not apply to us since we do not ship timelion.
* CVE-2019-10744, ESA-2019-10: between upstream stating "No exploitable vectors in Kibana have been identified at the time of publishing." and a lodash update making massive changes to the original upstream tarball, I opted against updating lodash.


Update procedure
================

Kibana updates are a bit involved since they need configuration management intervention (the package update alone will leave Kibana in a broken state). You will have to force that intervention, but the procedure differs depending on Cloud version.

Cloud 7 / Cloud 8 Crowbar:

1) Update the Kibana package on the monasca-server node.
2) Delete /opt/monasca-installer/.installed on the Crowbar admin node.
3) Apply the Monasca barclamp.

Cloud 9 Crowbar:

1) Update the Kibana package on the monasca-server node.
2) Uninstall monasca-kibana-plugin on the monasca-server node.
3) Apply the Monasca barclamp.
Comment 4 Johannes Grassler 2021-02-23 18:20:59 UTC
Alright, I've debugged the problem now and it's down to ownership on files in /opt/kibana/optimize/ getting changed to root:root by the package upgrade. The problem is fixable in the spec, but the spec needs a little more attention still: right now it does not restart the service - I'll look into that tomorrow. Once I've got that fixed as well I'll submit the updated Kibana packages for all 3 cloud versions. Changes to configuration management will _not_ be needed.
Comment 5 Johannes Grassler 2021-03-10 12:59:03 UTC
Requests created:

https://build.opensuse.org/request/show/878170 (Cloud 7 / Openstack Newton)
https://build.opensuse.org/request/show/878171 (Cloud 8 / Openstack Pike)
https://build.opensuse.org/request/show/878172 (Cloud 9 / Openstack Rocky)

These solve the permission issue but _not_ the service restart issue. That will happen only upon the _next_ Kibana update (should that ever come to pass). I'll create an additional crowbar-openstack pull request to handle service restart for this one.
Comment 7 Johannes Grassler 2021-04-12 12:53:34 UTC
The last Crowbar pull requests (https://github.com/crowbar/crowbar-openstack/pull/2439 and https://github.com/crowbar/crowbar-openstack/pull/2438 ) have landed now, but Kibana refuses to start in new Cloud 9 deployments. Currently investigating...
Comment 8 Johannes Grassler 2021-04-13 14:42:43 UTC
Problem fixed: the previous set of requests accidentally removed /etc/sysconfig/kibana which prevented the service from starting in greenfield deployments. Deployments with Kibana 4.6.3 already installed previously would not have been affected. These requests fix the problem (already tested and found to be working):

https://build.opensuse.org/request/show/885043 (Cloud 7)
https://build.opensuse.org/request/show/885044 (Cloud 8)
https://build.opensuse.org/request/show/885046 (Cloud 9)
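Both regressions described in this thread, the ownership of /opt/kibana/optimize/ flipping to root:root after the package upgrade (comment 4) and /etc/sysconfig/kibana going missing in greenfield deployments (comment 8), can be caught with a quick check before the service is restarted. The following POSIX shell script is an added example for this bug, not part of the SUSE kibana package or of crowbar-openstack; the two paths come from the comments above, while the service user name `kibana` and the reliance on GNU find/stat are assumptions.

```shell
#!/bin/sh
# Post-upgrade sanity check for the Kibana 4.6.x package.
# Added example for this bug; not part of the SUSE kibana package or of
# crowbar-openstack. Paths are taken from comments 4 and 8; the service
# user name and the reliance on GNU find/stat are assumptions.

# check_owner DIR USER
# Lists every path below DIR that is not owned by USER (comment 4: the
# upgrade flipped /opt/kibana/optimize/ to root:root). Returns 0 when all
# paths are owned by USER, 1 otherwise (or when DIR is missing).
check_owner() {
    dir="$1"
    want="$2"
    if [ ! -d "$dir" ]; then
        echo "check_owner: missing directory $dir" >&2
        return 1
    fi
    # stat rather than 'find ! -user' so that a user which does not exist
    # on this host still yields a report instead of a find(1) error.
    offenders=$(find "$dir" -mindepth 1 -exec stat -c '%U %n' {} + |
                awk -v want="$want" '$1 != want')
    if [ -n "$offenders" ]; then
        echo "check_owner: paths under $dir not owned by $want:" >&2
        echo "$offenders" >&2
        return 1
    fi
    return 0
}

# check_sysconfig FILE
# Returns 0 when the sysconfig file exists, 1 otherwise (comment 8: a
# missing /etc/sysconfig/kibana keeps the service from starting).
check_sysconfig() {
    if [ -f "$1" ]; then
        return 0
    fi
    echo "check_sysconfig: $1 is missing; kibana will not start" >&2
    return 1
}

# kibana_post_upgrade_check [OPTIMIZE_DIR] [SYSCONFIG] [USER]
# Runs both checks and returns 1 if either failed. Defaults are the paths
# named in the bug and the assumed service user 'kibana'.
kibana_post_upgrade_check() {
    optimize_dir="${1:-/opt/kibana/optimize}"
    sysconfig="${2:-/etc/sysconfig/kibana}"
    user="${3:-kibana}"
    rc=0
    check_owner "$optimize_dir" "$user" || rc=1
    check_sysconfig "$sysconfig" || rc=1
    if [ "$rc" -eq 0 ]; then
        echo "kibana post-upgrade check: OK"
    else
        echo "kibana post-upgrade check: FAILED (fix ownership with" \
             "'chown -R $user $optimize_dir' and/or restore $sysconfig," \
             "then restart the service)" >&2
    fi
    return "$rc"
}

# Run the checks only when invoked as 'kibana-check.sh run [args...]';
# sourcing the file merely defines the functions.
case "${1:-}" in
    run) shift; kibana_post_upgrade_check "$@"; exit $? ;;
esac
```

Run it on the monasca-server node after `zypper up kibana` and before restarting the service; a non-zero exit means one of the two regressions is present. The ownership check deliberately reports by name via stat rather than `find ! -user`, so it still produces a usable listing when the expected account is absent on a freshly provisioned host.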
Comment 11 Swamp Workflow Management 2021-06-11 16:20:06 UTC
SUSE-SU-2021:1963-1: An update that fixes 10 vulnerabilities, contains one feature is now available.

Category: security (moderate)
Bug References: 1044849,1179805,1181379,1183803,1184148,1185623,1186608,1186611
CVE References: CVE-2017-11481,CVE-2017-11499,CVE-2019-25025,CVE-2020-29651,CVE-2021-27358,CVE-2021-28658,CVE-2021-31542,CVE-2021-3281,CVE-2021-33203,CVE-2021-33571
JIRA References: SOC-11435
Sources used:
SUSE OpenStack Cloud 7 (src):    crowbar-openstack-4.0+git.1616146720.44daffca0-9.81.2, grafana-6.7.4-1.24.2, kibana-4.6.6-9.2, monasca-installer-20180608_12.47-16.2, python-Django-1.8.19-3.29.1, python-py-1.8.1-11.16.2, rubygem-activerecord-session_store-0.1.2-3.4.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2021-06-11 16:26:01 UTC
SUSE-SU-2021:1962-1: An update that fixes 23 vulnerabilities, contains two features is now available.

Category: security (moderate)
Bug References: 1044849,1048688,1115960,1148383,1170657,1171909,1172409,1172450,1174583,1178243,1179805,1181277,1181278,1181689,1181690,1182317,1182433,1183174,1183803,1184148,1185623,1186608,1186611
CVE References: CVE-2017-11481,CVE-2017-11499,CVE-2018-18623,CVE-2018-18624,CVE-2018-18625,CVE-2018-19039,CVE-2019-15043,CVE-2019-25025,CVE-2020-10743,CVE-2020-11110,CVE-2020-12052,CVE-2020-13379,CVE-2020-17516,CVE-2020-24303,CVE-2020-29651,CVE-2021-21238,CVE-2021-21239,CVE-2021-23336,CVE-2021-27358,CVE-2021-28658,CVE-2021-31542,CVE-2021-33203,CVE-2021-33571
JIRA References: SOC-10357,SOC-11453
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    cassandra-3.11.10-3.3.3, crowbar-openstack-6.0+git.1616146717.a89ae0f4e-3.34.4, grafana-6.7.4-3.23.2, kibana-4.6.6-4.9.2, openstack-dashboard-14.1.1~dev11-3.24.6, openstack-ironic-11.1.5~dev17-3.25.5, openstack-neutron-13.0.8~dev164-3.37.4, openstack-neutron-gbp-12.0.1~dev29-3.25.3, openstack-nova-18.3.1~dev82-3.37.6, python-Django1-1.11.29-3.25.1, python-elementpath-1.3.1-1.3.2, python-py-1.5.4-3.3.2, python-pysaml2-4.5.0-4.6.2, python-xmlschema-1.0.18-1.3.2, rubygem-activerecord-session_store-0.1.2-4.3.2
SUSE OpenStack Cloud 9 (src):    ardana-neutron-9.0+git.1615223676.777f0b3-3.25.2, ardana-swift-9.0+git.1618235096.90974ed-3.10.2, cassandra-3.11.10-3.3.3, grafana-6.7.4-3.23.2, kibana-4.6.6-4.9.2, openstack-dashboard-14.1.1~dev11-3.24.6, openstack-ironic-11.1.5~dev17-3.25.5, openstack-neutron-13.0.8~dev164-3.37.4, openstack-neutron-gbp-12.0.1~dev29-3.25.3, openstack-nova-18.3.1~dev82-3.37.6, python-Django1-1.11.29-3.25.1, python-elementpath-1.3.1-1.3.2, python-py-1.5.4-3.3.2, python-pysaml2-4.5.0-4.6.2, python-xmlschema-1.0.18-1.3.2, venv-openstack-barbican-7.0.1~dev24-3.23.1, venv-openstack-cinder-13.0.10~dev20-3.26.1, venv-openstack-designate-7.0.2~dev2-3.23.1, venv-openstack-glance-17.0.1~dev30-3.21.1, venv-openstack-heat-11.0.4~dev4-3.23.1, venv-openstack-horizon-14.1.1~dev11-4.27.3, venv-openstack-ironic-11.1.5~dev17-4.21.2, venv-openstack-keystone-14.2.1~dev4-3.24.3, venv-openstack-magnum-7.2.1~dev1-4.23.1, venv-openstack-manila-7.4.2~dev60-3.29.1, venv-openstack-monasca-2.7.1~dev10-3.21.1, venv-openstack-monasca-ceilometer-1.8.2~dev3-3.23.2, venv-openstack-neutron-13.0.8~dev164-6.27.3, venv-openstack-nova-18.3.1~dev82-3.27.3, venv-openstack-octavia-3.2.3~dev7-4.23.1, venv-openstack-sahara-9.0.2~dev15-3.23.1, venv-openstack-swift-2.19.2~dev48-2.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2021-07-28 19:20:20 UTC
SUSE-SU-2021:2554-1: An update that solves 16 vulnerabilities, contains 10 features and has 8 fixes is now available.

Category: security (moderate)
Bug References: 1019074,1044849,1057496,1073879,1113302,1123064,1143893,1166139,1176784,1179805,1180507,1181277,1181278,1181689,1181828,1182433,1183174,1183803,1184148,1185623,1185836,1186608,1186611,940812
CVE References: CVE-2017-11481,CVE-2017-11499,CVE-2017-5929,CVE-2019-25025,CVE-2020-17516,CVE-2020-26247,CVE-2020-29651,CVE-2021-21238,CVE-2021-21239,CVE-2021-21419,CVE-2021-23336,CVE-2021-27358,CVE-2021-28658,CVE-2021-31542,CVE-2021-33203,CVE-2021-33571
JIRA References: ECO-3105,PM-2352,SCRD-8523,SOC-11422,SOC-11470,SOC-11471,SOC-11521,SOC-11523,SOC-11525,SOC-9876
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    cassandra-3.11.10-5.3.5, crowbar-core-5.0+git.1622489449.a8e60e238-3.50.4, crowbar-openstack-5.0+git.1616001417.67fd9c2a1-4.52.5, documentation-suse-openstack-cloud-deployment-8.20210512-1.32.5, documentation-suse-openstack-cloud-supplement-8.20210512-1.32.5, documentation-suse-openstack-cloud-upstream-admin-8.20210512-1.32.5, documentation-suse-openstack-cloud-upstream-user-8.20210512-1.32.5, grafana-6.7.4-4.18.2, kibana-4.6.6-3.9.2, openstack-heat-templates-0.0.0+git.1623056900.7917e18-3.21.3, openstack-monasca-installer-20190923_16.32-3.18.2, openstack-nova-16.1.9~dev92-3.48.5, openstack-nova-doc-16.1.9~dev92-3.48.5, python-Django-1.11.29-3.25.3, python-elementpath-1.3.1-1.3.2, python-eventlet-0.20.0-6.3.3, python-py-1.4.34-3.3.3, python-pysaml2-4.0.2-5.9.2, python-xmlschema-1.0.18-1.3.3, rubygem-activerecord-session_store-0.1.2-3.3.2
SUSE OpenStack Cloud 8 (src):    ardana-cobbler-8.0+git.1614096566.e8c2b27-3.44.3, cassandra-3.11.10-5.3.5, documentation-suse-openstack-cloud-installation-8.20210512-1.32.5, documentation-suse-openstack-cloud-operations-8.20210512-1.32.5, documentation-suse-openstack-cloud-opsconsole-8.20210512-1.32.5, documentation-suse-openstack-cloud-planning-8.20210512-1.32.5, documentation-suse-openstack-cloud-security-8.20210512-1.32.5, documentation-suse-openstack-cloud-supplement-8.20210512-1.32.5, documentation-suse-openstack-cloud-upstream-admin-8.20210512-1.32.5, documentation-suse-openstack-cloud-upstream-user-8.20210512-1.32.5, documentation-suse-openstack-cloud-user-8.20210512-1.32.5, grafana-6.7.4-4.18.2, kibana-4.6.6-3.9.2, openstack-heat-templates-0.0.0+git.1623056900.7917e18-3.21.3, openstack-monasca-installer-20190923_16.32-3.18.2, openstack-nova-16.1.9~dev92-3.48.5, openstack-nova-doc-16.1.9~dev92-3.48.5, python-Django-1.11.29-3.25.3, python-elementpath-1.3.1-1.3.2, python-eventlet-0.20.0-6.3.3, python-py-1.4.34-3.3.3, python-pysaml2-4.0.2-5.9.2, python-xmlschema-1.0.18-1.3.3, venv-openstack-aodh-5.1.1~dev7-12.32.3, venv-openstack-barbican-5.0.2~dev3-12.33.3, venv-openstack-ceilometer-9.0.8~dev7-12.30.3, venv-openstack-cinder-11.2.3~dev29-14.34.2, venv-openstack-designate-5.0.3~dev7-12.31.3, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.28.3, venv-openstack-glance-15.0.3~dev3-12.31.3, venv-openstack-heat-9.0.8~dev22-12.33.2, venv-openstack-horizon-12.0.5~dev6-14.36.6, venv-openstack-ironic-9.1.8~dev8-12.33.3, venv-openstack-keystone-12.0.4~dev11-11.35.3, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.32.2, venv-openstack-manila-5.1.1~dev5-12.37.3, venv-openstack-monasca-2.2.2~dev1-11.28.3, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.28.3, venv-openstack-murano-4.0.2~dev2-12.28.3, venv-openstack-neutron-11.0.9~dev69-13.38.3, venv-openstack-nova-16.1.9~dev92-11.36.3, venv-openstack-octavia-1.0.6~dev3-12.33.3, venv-openstack-sahara-7.0.5~dev4-11.32.3, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.23.3, venv-openstack-trove-8.0.2~dev2-11.32.3
HPE Helion Openstack 8 (src):    ardana-cobbler-8.0+git.1614096566.e8c2b27-3.44.3, cassandra-3.11.10-5.3.5, documentation-hpe-helion-openstack-installation-8.20210512-1.32.5, documentation-hpe-helion-openstack-operations-8.20210512-1.32.5, documentation-hpe-helion-openstack-opsconsole-8.20210512-1.32.5, documentation-hpe-helion-openstack-planning-8.20210512-1.32.5, documentation-hpe-helion-openstack-security-8.20210512-1.32.5, documentation-hpe-helion-openstack-user-8.20210512-1.32.5, grafana-6.7.4-4.18.2, kibana-4.6.6-3.9.2, openstack-heat-templates-0.0.0+git.1623056900.7917e18-3.21.3, openstack-monasca-installer-20190923_16.32-3.18.2, openstack-nova-16.1.9~dev92-3.48.5, openstack-nova-doc-16.1.9~dev92-3.48.5, python-Django-1.11.29-3.25.3, python-elementpath-1.3.1-1.3.2, python-eventlet-0.20.0-6.3.3, python-py-1.4.34-3.3.3, python-pysaml2-4.0.2-5.9.2, python-xmlschema-1.0.18-1.3.3, venv-openstack-aodh-5.1.1~dev7-12.32.3, venv-openstack-barbican-5.0.2~dev3-12.33.3, venv-openstack-ceilometer-9.0.8~dev7-12.30.3, venv-openstack-cinder-11.2.3~dev29-14.34.2, venv-openstack-designate-5.0.3~dev7-12.31.3, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.28.3, venv-openstack-glance-15.0.3~dev3-12.31.3, venv-openstack-heat-9.0.8~dev22-12.33.2, venv-openstack-horizon-hpe-12.0.5~dev6-14.36.3, venv-openstack-ironic-9.1.8~dev8-12.33.3, venv-openstack-keystone-12.0.4~dev11-11.35.3, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.32.2, venv-openstack-manila-5.1.1~dev5-12.37.3, venv-openstack-monasca-2.2.2~dev1-11.28.3, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.28.3, venv-openstack-murano-4.0.2~dev2-12.28.3, venv-openstack-neutron-11.0.9~dev69-13.38.3, venv-openstack-nova-16.1.9~dev92-11.36.3, venv-openstack-octavia-1.0.6~dev3-12.33.3, venv-openstack-sahara-7.0.5~dev4-11.32.3, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.23.3, venv-openstack-trove-8.0.2~dev2-11.32.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.