EIQ-2024-0001

| Field | Value |
|---|---|
| ID | EIQ-2024-0001 |
| CVE | CVE-2024-37287 |
| Description | Kibana < 8.14.2, 7.17.23 contains an arbitrary code execution flaw |
| Date | 8 Aug 2024 |
| Severity | 4 - CRITICAL |
| CVSSv3 score | 9.9 |
| Status | ⏲ IC 2.14, 3.0, 3.1, 3.2, 3.3 |
| Assessment | Elastic issued critical security advisory ESA-2024-22, stating that Kibana versions earlier than 8.14.2 and 7.17.23 are vulnerable to arbitrary code execution via prototype pollution. For more information on the vulnerability, see Elastic's advisory ESA-2024-22. The Intelligence Center (IC) versions listed under Status bundle affected versions of Kibana. Customers using these IC versions should upgrade Elasticsearch, Kibana, and Logstash to 7.17.23 or 8.14.2 as soon as they are available. EclecticIQ will inform customers when an upgrade path is available. Meanwhile, customers can mitigate the issue by disabling the Machine Learning API in their Elasticsearch cluster. For more information, see Mitigation. |
| Mitigation | You can mitigate this issue on existing IC instances that deploy affected versions of Kibana by disabling the Elasticsearch Machine Learning API. To do this on an IC deployment: |
| Affected versions | All IC installations using Kibana versions earlier than 8.14.2, 7.17.23 |
| Notes | N/A |