Bug 1130632 (CVE-2019-7610)

Summary: VUL-0: CVE-2019-7610: kibana: Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could se
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Cloud Bugs <cloud-bugs>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Critical
Priority: P3 - Medium
CC: bstephenson, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/227092/
Whiteboard: CVSSv2:NVD:CVE-2019-7610:9.3:(AV:N/AC:M/Au:N/C:C/I:C/A:C) CVSSv3:NVD:CVE-2019-7610:9.0:(AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) CVSSv3:RedHat:CVE-2019-7610:8.1:(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) CVSSv3:SUSE:CVE-2019-7610:9.0:(AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2019-03-27 07:16:26 UTC
CVE-2019-7610

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw
in the security audit logger. If a Kibana instance has the setting
xpack.security.audit.enabled set to true, an attacker could send a request that
will attempt to execute javascript code. This could possibly lead to an attacker
executing arbitrary commands with permissions of the Kibana process on the host
system.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-7610
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7610
https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077
https://www.elastic.co/community/security
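The advisory above ties exposure to two facts a defender can check locally: the Kibana release (anything before 5.6.15 on the 5.x line or before 6.6.1 on the 6.x line) and whether xpack.security.audit.enabled is set to true in kibana.yml. The following triage helper is an added example, not code from the bug report, from SUSE or from Elastic. It assumes kibana.yml is written in its usual flat "dotted.key: value" style (nested YAML blocks are not handled), that the version string starts with major.minor.patch, and that only the two branches the advisory names are in scope; the sample kibana.yml is constructed for the example.

```python
import re

# Fixed releases named in the advisory, one per affected branch.
FIXED_VERSIONS = {5: (5, 6, 15), 6: (6, 6, 1)}

# Accepts "6.5.4", "v6.5.4" or "6.5.4-SNAPSHOT"; only major.minor.patch is used.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn a Kibana version string into an (major, minor, patch) int tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Kibana version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_unfixed_version(version):
    """True if the version is on the 5.x or 6.x branch and predates its fix."""
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        # Assumption: only the two branches the advisory names are checked;
        # any other major version is reported as outside the advisory's range.
        return False
    return version < fixed


def load_flat_yaml(text):
    """Minimal reader for kibana.yml's flat 'dotted.key: value' lines.

    Assumption: settings use flat dotted keys (the kibana.yml default style);
    nested YAML mappings and multi-line values are deliberately not supported.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        value = value.split(" #", 1)[0].strip()  # drop a trailing comment
        settings[key.strip()] = value.strip('"').strip("'")
    return settings


def audit_logging_enabled(settings):
    """The setting the advisory names; absent means audit logging is off."""
    return settings.get("xpack.security.audit.enabled", "false").lower() == "true"


def assess(version_text, kibana_yml):
    """Combine both conditions: exposed only if unfixed AND audit logging is on."""
    version = parse_version(version_text)
    settings = load_flat_yaml(kibana_yml)
    unfixed = is_unfixed_version(version)
    audit = audit_logging_enabled(settings)
    return {
        "version": ".".join(map(str, version)),
        "unfixed_version": unfixed,
        "audit_enabled": audit,
        "exposed": unfixed and audit,
    }


# Constructed sample kibana.yml for the example (not taken from the bug report).
SAMPLE_KIBANA_YML = """
server.port: 5601
server.host: "localhost"
# X-Pack security audit logging
xpack.security.audit.enabled: true   # one audit event per request
elasticsearch.hosts: ["http://localhost:9200"]
"""

if __name__ == "__main__":
    for ver in ("6.5.4", "6.6.1", "5.6.14", "5.6.15"):
        print(assess(ver, SAMPLE_KIBANA_YML))
```

The result separates the two conditions so an operator can see which one applies: a fixed release with audit logging on is fine, and an unfixed release with audit logging off is not exposed to this particular flaw but still needs the upgrade, since the setting can be turned on later.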
Comment 2 Marcus Meissner 2019-03-28 05:35:11 UTC
We do not install xpack -> we are not affected.