Bugzilla – Bug 1044849
VUL-0: kibana: Multiple security issues
Last modified: 2022-08-01 10:46:10 UTC
This is a courtesy bug from your friendly security team. We don't maintain kibana but it seems like you have a vulnerable version in SUSE:SLE-12-SP3:Update:Products:Cloud8 (we didn't analyze the listed issues in detail, but it seems like the majority is present in your version). Feel free to close this bug at any time.

CVE-2017-8452
Summary: In Kibana versions prior to 5.2.1 configured for SSL client access, file descriptors will fail to be cleaned up after certain requests and will accumulate over time until the process crashes.
Url: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8452

CVE-2017-8451
Summary: With X-Pack installed, Kibana versions before 5.3.1 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.
Url: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8451

CVE-2017-8450
Summary: X-Pack 5.1.1 did not properly apply document and field level security to multi-search and multi-get requests, so users without access to a document and/or field may have been able to access this information.
Url: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8450

CVE-2017-8449
Summary: X-Pack Security 5.2.x would allow access to more fields than the user should have seen if the field level security rules used a mix of grant and exclude rules when merging multiple rules with field level security rules for the same index.
Url: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8449

CVE-2016-10366
Summary: Kibana versions after and including 4.3 and before 4.6.2 are vulnerable to a cross-site scripting (XSS) attack.
Url: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10366

CVE-2016-10365
Summary: Kibana versions before 4.6.3 and 5.0.1 have an open redirect vulnerability that would enable an attacker to craft a link in the Kibana domain that redirects to an arbitrary website.
Url: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10365

CVE-2016-10364
Summary: With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 were not properly authenticating requests to advanced settings and the short URL service; any authenticated user could make requests to those services regardless of their own permissions.
Url: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10364
This is going to be a long one, so here's the tl;dr:

1) None of the original CVEs in this bug affect us (details below).
2) While looking into them, I found a whole bunch of others on https://www.elastic.co/community/security, some of which definitely affect us and some of which might (details further below).
3) An update to 4.6.5 should take care of the first two "new" CVEs. From the change log that does not look like a problematic update, but I'll test drive it against all Cloud versions anyway to be sure. The remaining 3 will need backports if they do affect us.

The other recent CVEs listed on https://www.elastic.co/community/security should _not_ affect us since they affect Kibana components or Node.js versions we do not ship/use (I went through the whole list up to and including CVE-2020-7017).

Original CVEs
=============

CVE-2017-8452, ESA-2017-02: This one does not affect us since 4.6.3 does not have the problematic SSL client access feature at all. That feature was introduced in https://github.com/elastic/kibana/commit/5a4263835d7af2eb4e91c80f6482865e727eee35 and removed again in https://github.com/elastic/kibana/commit/4662635087849c6341950f7d4eca58a31ae1cdf8. Both of these happened well after version 4.6.3, which we are shipping.

CVE-2017-8451, ESA-2017-04 / CVE-2017-8450, ESA-2017-01: These two do not affect us. We neither use the login page (we use monasca-kibana-plugin for authentication through the openstack-dashboard (Horizon) session), nor do we ship X-Pack (it's only included in Kibana itself in versions 6.2 and up; we ship 4.6.3, which does not include it yet).

CVE-2017-8449: This one does not affect us since we do not ship X-Pack with Kibana.

CVE-2016-10366: This one was fixed in Kibana 4.6.2 and we are shipping 4.6.3.

CVE-2016-10365: This one was fixed in https://github.com/elastic/kibana/commit/3927080fc1659c5ea3b3c65f6068811f64acb423, which is included in Kibana 4.6.3.

CVE-2016-10364: This one does not affect us since we do not ship X-Pack with Kibana.

So much for the CVEs mentioned.

New CVEs found on https://www.elastic.co/community/security
===========================================================

While looking into them I did discover a whole lot of other CVEs that may affect us on https://www.elastic.co/community/security though:

CVE-2017-11499, ESA-2017-14: The version of Node.js shipped in all versions of Kibana prior to 5.5.1 contains a Denial of Service flaw in its HashTable random seed. This flaw could allow a remote attacker to consume resources within Node.js, preventing Kibana from servicing requests. Fixed in 4.6.5.

ESA-2017-16: Kibana versions prior to 5.5.2 had a cross-site scripting (XSS) vulnerability in the markdown parser that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. Fixed in 4.6.5.

CVE-2017-11479, ESA-2017-20: Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. Fixed in 5.6.1, backport to 4.6.x might be needed.

CVE-2017-11481, ESA-2017-22: Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. Fixed in 5.6.5, backport to 4.6.x might be needed.

CVE-2019-10744, ESA-2019-10: A prototype pollution flaw exists in lodash, a component used by Kibana. An attacker with access to Kibana may be able to use this lodash flaw to unexpectedly modify internal Kibana data. We may be affected, but it may not be worth the (likely considerable) effort of backporting since according to the advisory, "No exploitable vectors in Kibana have been identified at the time of publishing."
Alright, I've got packages with Kibana 4.6.6 (fixes CVE-2017-11499/ESA-2017-14 and ESA-2017-16) and an additional patch for CVE-2017-11481, ESA-2017-22 now:

https://build.opensuse.org/package/show/home:jgrassler:branches:Cloud:OpenStack:Newton/kibana
https://build.opensuse.org/package/show/home:jgrassler:branches:Cloud:OpenStack:Pike/kibana
https://build.opensuse.org/package/show/home:jgrassler:branches:Cloud:OpenStack:Rocky/kibana

Strictly unofficial (they still need to pass CI/QA), but for me they worked for Cloud 7, Cloud 8, Cloud 9.

I did not patch the following two:

* CVE-2017-11479, ESA-2017-20: turns out this one does not apply to us since we do not ship timelion.
* CVE-2019-10744, ESA-2019-10: between upstream stating "No exploitable vectors in Kibana have been identified at the time of publishing." and a lodash update making massive changes to the original upstream tarball, I opted against updating lodash.

Update procedure
================

Kibana updates are a bit involved since they need configuration management intervention (the package update alone will leave Kibana in a broken state). You will have to force that intervention, but the procedure differs depending on Cloud version.

Cloud 7 / Cloud 8 Crowbar:

1) Update the Kibana package on the monasca-server node.
2) Delete /opt/monasca-installer/.installed on the Crowbar admin node.
3) Apply the Monasca barclamp.

Cloud 9 Crowbar:

1) Update the Kibana package on the monasca-server node.
2) Uninstall monasca-kibana-plugin on the monasca-server node.
3) Apply the Monasca barclamp.
Alright, I've debugged the problem now and it's down to ownership on files in /opt/kibana/optimize/ getting changed to root:root by the package upgrade. The problem is fixable in the spec, but the spec needs a little more attention still: right now it does not restart the service - I'll look into that tomorrow. Once I've got that fixed as well I'll submit the updated Kibana packages for all 3 cloud versions. Changes to configuration management will _not_ be needed.
Requests created:

https://build.opensuse.org/request/show/878170 (Cloud 7 / Openstack Newton)
https://build.opensuse.org/request/show/878171 (Cloud 8 / Openstack Pike)
https://build.opensuse.org/request/show/878172 (Cloud 9 / Openstack Rocky)

These solve the permission issue but _not_ the service restart issue. That will happen only upon the _next_ Kibana update (should that ever come to pass). I'll create an additional crowbar-openstack pull request to handle service restart for this one.
The last Crowbar pull requests (https://github.com/crowbar/crowbar-openstack/pull/2439 and https://github.com/crowbar/crowbar-openstack/pull/2438 ) have landed now, but Kibana refuses to start in new Cloud 9 deployments. Currently investigating...
Problem fixed: the previous set of requests accidentally removed /etc/sysconfig/kibana, which prevented the service from starting in greenfield deployments. Deployments with Kibana 4.6.3 already installed previously would not have been affected. These requests fix the problem (already tested and found to be working):

https://build.opensuse.org/request/show/885043 (Cloud 7)
https://build.opensuse.org/request/show/885044 (Cloud 8)
https://build.opensuse.org/request/show/885046 (Cloud 9)
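The two regressions the comments above describe (files under /opt/kibana/optimize/ left owned by root:root by the package upgrade, and /etc/sysconfig/kibana removed so the service cannot start on fresh deployments) are both cheap to verify on the monasca-server node before applying the barclamp. The following check script is an added example, not code from this bug, the Kibana package or crowbar-openstack. It assumes a Linux host with GNU or busybox `stat -c`, and that the Kibana service runs as user and group `kibana` (that owner is not stated in the bug and can be overridden through the function arguments); the paths default to the ones named above.

```shell
#!/bin/sh
# Added post-upgrade check (not part of the bug or the SUSE packages) for the
# two regressions reported above:
#   1) files under /opt/kibana/optimize/ left owned by root:root after the
#      package upgrade, and
#   2) /etc/sysconfig/kibana removed, which stops the service from starting.
# Assumptions: Linux host with GNU/busybox `stat -c`, and a Kibana service
# running as kibana:kibana (override via the function arguments).

# Read "user:group path" lines on stdin and print every line whose owner is
# not "$1:$2". Returns 0 when all entries match, 1 when at least one does not.
report_bad_owners() {
    want="$1:$2"
    bad=0
    while IFS= read -r line; do
        owner=${line%% *}      # up to the first space: user:group
        path=${line#* }        # after the first space: the path
        if [ "$owner" != "$want" ]; then
            echo "wrong owner $owner (want $want): $path"
            bad=1
        fi
    done
    return "$bad"
}

# List owner:group of every entry below a directory and hand the listing to
# report_bad_owners. Fails if the directory itself is missing.
check_optimize_ownership() {
    dir=$1
    user=${2:-kibana}
    group=${3:-$user}
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"
        return 1
    fi
    find "$dir" -exec stat -c '%U:%G %n' {} + | report_bad_owners "$user" "$group"
}

# The sysconfig file must exist, or the unit will not start (the greenfield
# failure described above).
check_sysconfig() {
    if [ -f "$1" ]; then
        return 0
    fi
    echo "missing $1"
    return 1
}

# Run both checks and report every finding; returns 0 only if both pass.
verify_kibana_upgrade() {
    optimize_dir=${1:-/opt/kibana/optimize}
    sysconfig=${2:-/etc/sysconfig/kibana}
    user=${3:-kibana}
    group=${4:-$user}
    rc=0
    check_optimize_ownership "$optimize_dir" "$user" "$group" || rc=1
    check_sysconfig "$sysconfig" || rc=1
    return "$rc"
}

# Typical use on the monasca-server node right after the package update:
#   verify_kibana_upgrade && systemctl restart kibana
```

The ownership walk is split from the comparison so the comparison can be fed a captured `stat` listing from another host; the functions only print findings and signal through their exit status, so the script can gate a restart or a barclamp run without parsing output.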
SUSE-SU-2021:1963-1: An update that fixes 10 vulnerabilities, contains one feature is now available.

Category: security (moderate)
Bug References: 1044849,1179805,1181379,1183803,1184148,1185623,1186608,1186611
CVE References: CVE-2017-11481,CVE-2017-11499,CVE-2019-25025,CVE-2020-29651,CVE-2021-27358,CVE-2021-28658,CVE-2021-31542,CVE-2021-3281,CVE-2021-33203,CVE-2021-33571
JIRA References: SOC-11435
Sources used:
SUSE OpenStack Cloud 7 (src): crowbar-openstack-4.0+git.1616146720.44daffca0-9.81.2, grafana-6.7.4-1.24.2, kibana-4.6.6-9.2, monasca-installer-20180608_12.47-16.2, python-Django-1.8.19-3.29.1, python-py-1.8.1-11.16.2, rubygem-activerecord-session_store-0.1.2-3.4.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:1962-1: An update that fixes 23 vulnerabilities, contains two features is now available.

Category: security (moderate)
Bug References: 1044849,1048688,1115960,1148383,1170657,1171909,1172409,1172450,1174583,1178243,1179805,1181277,1181278,1181689,1181690,1182317,1182433,1183174,1183803,1184148,1185623,1186608,1186611
CVE References: CVE-2017-11481,CVE-2017-11499,CVE-2018-18623,CVE-2018-18624,CVE-2018-18625,CVE-2018-19039,CVE-2019-15043,CVE-2019-25025,CVE-2020-10743,CVE-2020-11110,CVE-2020-12052,CVE-2020-13379,CVE-2020-17516,CVE-2020-24303,CVE-2020-29651,CVE-2021-21238,CVE-2021-21239,CVE-2021-23336,CVE-2021-27358,CVE-2021-28658,CVE-2021-31542,CVE-2021-33203,CVE-2021-33571
JIRA References: SOC-10357,SOC-11453
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): cassandra-3.11.10-3.3.3, crowbar-openstack-6.0+git.1616146717.a89ae0f4e-3.34.4, grafana-6.7.4-3.23.2, kibana-4.6.6-4.9.2, openstack-dashboard-14.1.1~dev11-3.24.6, openstack-ironic-11.1.5~dev17-3.25.5, openstack-neutron-13.0.8~dev164-3.37.4, openstack-neutron-gbp-12.0.1~dev29-3.25.3, openstack-nova-18.3.1~dev82-3.37.6, python-Django1-1.11.29-3.25.1, python-elementpath-1.3.1-1.3.2, python-py-1.5.4-3.3.2, python-pysaml2-4.5.0-4.6.2, python-xmlschema-1.0.18-1.3.2, rubygem-activerecord-session_store-0.1.2-4.3.2
SUSE OpenStack Cloud 9 (src): ardana-neutron-9.0+git.1615223676.777f0b3-3.25.2, ardana-swift-9.0+git.1618235096.90974ed-3.10.2, cassandra-3.11.10-3.3.3, grafana-6.7.4-3.23.2, kibana-4.6.6-4.9.2, openstack-dashboard-14.1.1~dev11-3.24.6, openstack-ironic-11.1.5~dev17-3.25.5, openstack-neutron-13.0.8~dev164-3.37.4, openstack-neutron-gbp-12.0.1~dev29-3.25.3, openstack-nova-18.3.1~dev82-3.37.6, python-Django1-1.11.29-3.25.1, python-elementpath-1.3.1-1.3.2, python-py-1.5.4-3.3.2, python-pysaml2-4.5.0-4.6.2, python-xmlschema-1.0.18-1.3.2, venv-openstack-barbican-7.0.1~dev24-3.23.1, venv-openstack-cinder-13.0.10~dev20-3.26.1, venv-openstack-designate-7.0.2~dev2-3.23.1, venv-openstack-glance-17.0.1~dev30-3.21.1, venv-openstack-heat-11.0.4~dev4-3.23.1, venv-openstack-horizon-14.1.1~dev11-4.27.3, venv-openstack-ironic-11.1.5~dev17-4.21.2, venv-openstack-keystone-14.2.1~dev4-3.24.3, venv-openstack-magnum-7.2.1~dev1-4.23.1, venv-openstack-manila-7.4.2~dev60-3.29.1, venv-openstack-monasca-2.7.1~dev10-3.21.1, venv-openstack-monasca-ceilometer-1.8.2~dev3-3.23.2, venv-openstack-neutron-13.0.8~dev164-6.27.3, venv-openstack-nova-18.3.1~dev82-3.27.3, venv-openstack-octavia-3.2.3~dev7-4.23.1, venv-openstack-sahara-9.0.2~dev15-3.23.1, venv-openstack-swift-2.19.2~dev48-2.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:2554-1: An update that solves 16 vulnerabilities, contains 10 features and has 8 fixes is now available.

Category: security (moderate)
Bug References: 1019074,1044849,1057496,1073879,1113302,1123064,1143893,1166139,1176784,1179805,1180507,1181277,1181278,1181689,1181828,1182433,1183174,1183803,1184148,1185623,1185836,1186608,1186611,940812
CVE References: CVE-2017-11481,CVE-2017-11499,CVE-2017-5929,CVE-2019-25025,CVE-2020-17516,CVE-2020-26247,CVE-2020-29651,CVE-2021-21238,CVE-2021-21239,CVE-2021-21419,CVE-2021-23336,CVE-2021-27358,CVE-2021-28658,CVE-2021-31542,CVE-2021-33203,CVE-2021-33571
JIRA References: ECO-3105,PM-2352,SCRD-8523,SOC-11422,SOC-11470,SOC-11471,SOC-11521,SOC-11523,SOC-11525,SOC-9876
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): cassandra-3.11.10-5.3.5, crowbar-core-5.0+git.1622489449.a8e60e238-3.50.4, crowbar-openstack-5.0+git.1616001417.67fd9c2a1-4.52.5, documentation-suse-openstack-cloud-deployment-8.20210512-1.32.5, documentation-suse-openstack-cloud-supplement-8.20210512-1.32.5, documentation-suse-openstack-cloud-upstream-admin-8.20210512-1.32.5, documentation-suse-openstack-cloud-upstream-user-8.20210512-1.32.5, grafana-6.7.4-4.18.2, kibana-4.6.6-3.9.2, openstack-heat-templates-0.0.0+git.1623056900.7917e18-3.21.3, openstack-monasca-installer-20190923_16.32-3.18.2, openstack-nova-16.1.9~dev92-3.48.5, openstack-nova-doc-16.1.9~dev92-3.48.5, python-Django-1.11.29-3.25.3, python-elementpath-1.3.1-1.3.2, python-eventlet-0.20.0-6.3.3, python-py-1.4.34-3.3.3, python-pysaml2-4.0.2-5.9.2, python-xmlschema-1.0.18-1.3.3, rubygem-activerecord-session_store-0.1.2-3.3.2
SUSE OpenStack Cloud 8 (src): ardana-cobbler-8.0+git.1614096566.e8c2b27-3.44.3, cassandra-3.11.10-5.3.5, documentation-suse-openstack-cloud-installation-8.20210512-1.32.5, documentation-suse-openstack-cloud-operations-8.20210512-1.32.5, documentation-suse-openstack-cloud-opsconsole-8.20210512-1.32.5, documentation-suse-openstack-cloud-planning-8.20210512-1.32.5, documentation-suse-openstack-cloud-security-8.20210512-1.32.5, documentation-suse-openstack-cloud-supplement-8.20210512-1.32.5, documentation-suse-openstack-cloud-upstream-admin-8.20210512-1.32.5, documentation-suse-openstack-cloud-upstream-user-8.20210512-1.32.5, documentation-suse-openstack-cloud-user-8.20210512-1.32.5, grafana-6.7.4-4.18.2, kibana-4.6.6-3.9.2, openstack-heat-templates-0.0.0+git.1623056900.7917e18-3.21.3, openstack-monasca-installer-20190923_16.32-3.18.2, openstack-nova-16.1.9~dev92-3.48.5, openstack-nova-doc-16.1.9~dev92-3.48.5, python-Django-1.11.29-3.25.3, python-elementpath-1.3.1-1.3.2, python-eventlet-0.20.0-6.3.3, python-py-1.4.34-3.3.3, python-pysaml2-4.0.2-5.9.2, python-xmlschema-1.0.18-1.3.3, venv-openstack-aodh-5.1.1~dev7-12.32.3, venv-openstack-barbican-5.0.2~dev3-12.33.3, venv-openstack-ceilometer-9.0.8~dev7-12.30.3, venv-openstack-cinder-11.2.3~dev29-14.34.2, venv-openstack-designate-5.0.3~dev7-12.31.3, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.28.3, venv-openstack-glance-15.0.3~dev3-12.31.3, venv-openstack-heat-9.0.8~dev22-12.33.2, venv-openstack-horizon-12.0.5~dev6-14.36.6, venv-openstack-ironic-9.1.8~dev8-12.33.3, venv-openstack-keystone-12.0.4~dev11-11.35.3, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.32.2, venv-openstack-manila-5.1.1~dev5-12.37.3, venv-openstack-monasca-2.2.2~dev1-11.28.3, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.28.3, venv-openstack-murano-4.0.2~dev2-12.28.3, venv-openstack-neutron-11.0.9~dev69-13.38.3, venv-openstack-nova-16.1.9~dev92-11.36.3, venv-openstack-octavia-1.0.6~dev3-12.33.3, venv-openstack-sahara-7.0.5~dev4-11.32.3, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.23.3, venv-openstack-trove-8.0.2~dev2-11.32.3
HPE Helion Openstack 8 (src): ardana-cobbler-8.0+git.1614096566.e8c2b27-3.44.3, cassandra-3.11.10-5.3.5, documentation-hpe-helion-openstack-installation-8.20210512-1.32.5, documentation-hpe-helion-openstack-operations-8.20210512-1.32.5, documentation-hpe-helion-openstack-opsconsole-8.20210512-1.32.5, documentation-hpe-helion-openstack-planning-8.20210512-1.32.5, documentation-hpe-helion-openstack-security-8.20210512-1.32.5, documentation-hpe-helion-openstack-user-8.20210512-1.32.5, grafana-6.7.4-4.18.2, kibana-4.6.6-3.9.2, openstack-heat-templates-0.0.0+git.1623056900.7917e18-3.21.3, openstack-monasca-installer-20190923_16.32-3.18.2, openstack-nova-16.1.9~dev92-3.48.5, openstack-nova-doc-16.1.9~dev92-3.48.5, python-Django-1.11.29-3.25.3, python-elementpath-1.3.1-1.3.2, python-eventlet-0.20.0-6.3.3, python-py-1.4.34-3.3.3, python-pysaml2-4.0.2-5.9.2, python-xmlschema-1.0.18-1.3.3, venv-openstack-aodh-5.1.1~dev7-12.32.3, venv-openstack-barbican-5.0.2~dev3-12.33.3, venv-openstack-ceilometer-9.0.8~dev7-12.30.3, venv-openstack-cinder-11.2.3~dev29-14.34.2, venv-openstack-designate-5.0.3~dev7-12.31.3, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.28.3, venv-openstack-glance-15.0.3~dev3-12.31.3, venv-openstack-heat-9.0.8~dev22-12.33.2, venv-openstack-horizon-hpe-12.0.5~dev6-14.36.3, venv-openstack-ironic-9.1.8~dev8-12.33.3, venv-openstack-keystone-12.0.4~dev11-11.35.3, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.32.2, venv-openstack-manila-5.1.1~dev5-12.37.3, venv-openstack-monasca-2.2.2~dev1-11.28.3, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.28.3, venv-openstack-murano-4.0.2~dev2-12.28.3, venv-openstack-neutron-11.0.9~dev69-13.38.3, venv-openstack-nova-16.1.9~dev92-11.36.3, venv-openstack-octavia-1.0.6~dev3-12.33.3, venv-openstack-sahara-7.0.5~dev4-11.32.3, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.23.3, venv-openstack-trove-8.0.2~dev2-11.32.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.