Bugzilla – Bug 1075545
VUL-0: CVE-2017-8440: kibana: XSS in Discover page could allow attacker to obtain sensitive information or perform user actions
Last modified: 2020-01-06 19:22:12 UTC
https://discuss.elastic.co/t/elastic-stack-5-4-1-and-5-3-3-security-updates/87952

Elastic Stack 5.4.1 and 5.3.3 Security updates:

CVE-2017-8438: X-Pack 5.4.1 privilege escalation (ESA-2017-06)
Affected versions: X-Pack Security 5.0.0 to 5.4.0 is affected

CVE-2017-8439: Kibana 5.4.1 Cross Site Scripting (ESA-2017-07)
Affected versions: Kibana 5.4.0 is affected

CVE-2017-8440: Kibana 5.4.1 and 5.3.3 Cross Site Scripting (ESA-2017-08)
Affected versions: Kibana versions between 5.3.0 and 5.4.0 are affected

CVE-2017-8441: X-Pack 5.4.1 and 5.3.3 improper DLS alias enforce. (ESA-2017-09)
Affected versions: X-Pack Security 5.0.0 to 5.4.0 is affected

This bug was opened for reference only. No SUSE product is affected by these issues.

References:
https://nvd.nist.gov/vuln/detail/CVE-2017-8438
https://nvd.nist.gov/vuln/detail/CVE-2017-8439
https://nvd.nist.gov/vuln/detail/CVE-2017-8440
https://nvd.nist.gov/vuln/detail/CVE-2017-8441
For tracking in Cloud Monitoring - https://jira.suse.com/browse/SOC-9979
From what I can tell, the Kibana version used in SOC 8 and 9 CLM is 4.6.3, and not related to these specified issues.