H-ISAC TLP White Vulnerability Bulletin: Urgent Kibana Patch for Severe Security Vulnerability

On August 6, 2024, Elasticsearch released a security update regarding a critical vulnerability discovered in its popular open-source data visualization and exploration tool, Kibana.

The vulnerability, CVE-2024-37287, has a CVSS score of 9.9 and allows arbitrary code execution through a prototype pollution flaw. It poses a significant risk to both self-managed and cloud-based instances of Kibana.

Specifically, the security flaw affects Kibana versions before 8.14.2 and Kibana 7.x versions before 7.17.23.

Health-ISAC is providing this information for situational awareness. Users are strongly advised to upgrade to Kibana versions 8.14.2 or 7.17.23 as soon as possible. These updates include patches that effectively mitigate the risk of arbitrary code execution.

The Elasticsearch team discovered a security flaw in Kibana that could allow adversaries to execute arbitrary code through a prototype pollution vulnerability. An attacker with access to the machine learning and alerting connector features and write access to internal machine learning indices can trigger the prototype pollution, ultimately leading to arbitrary code execution.

A prototype pollution vulnerability occurs when an adversary can modify the prototype of an object in JavaScript, allowing them to inject arbitrary properties that are then inherited by all instances of the affected object.
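The following is an added illustration of the mechanism described above; it is not code from the advisory or from Kibana. It uses a constructed JSON document and a hypothetical recursive merge helper (a common pattern in Node.js applications) to show how an untrusted `__proto__` key pollutes `Object.prototype`, how the same merge looks once it refuses prototype-reaching keys, and how a defender can check whether the global prototype has already been polluted.

```javascript
// Added example, not part of the H-ISAC advisory or of Kibana.
// Constructed input: a JSON document as it might arrive from an untrusted client.
// JSON.parse turns "__proto__" into an ordinary own property, so naive code that
// walks the keys will follow it straight into Object.prototype.
const UNTRUSTED_JSON = '{"name":"report","__proto__":{"isAdmin":true}}';

// Vulnerable pattern (hypothetical helper): a recursive merge that trusts every key.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      // When key === "__proto__", target[key] resolves to Object.prototype,
      // so the recursion writes into the prototype shared by every object.
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened form: refuse the keys through which a merge can reach a prototype,
// and only recurse into properties the target actually owns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      continue; // drop prototype-reaching keys instead of merging them
    }
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const ownObject =
        Object.prototype.hasOwnProperty.call(target, key) &&
        typeof target[key] === 'object' && target[key] !== null;
      if (!ownObject) {
        target[key] = Object.create(null); // prototype-less container for nested data
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection helper: Object.prototype normally has no own enumerable keys, so
// anything returned here is a property that was injected at runtime.
function pollutedKeys() {
  return Object.keys(Object.prototype);
}

// Runs one merge against the constructed input and reports whether an
// unrelated, freshly created object inherited the injected property.
// Cleans up afterwards so the two merges can be compared in one process.
function runMerge(merge) {
  const config = { name: 'default' };
  merge(config, JSON.parse(UNTRUSTED_JSON));
  const unrelated = {};
  const result = {
    leaked: unrelated.isAdmin === true,
    polluted: pollutedKeys(),
    mergedName: config.name,
  };
  delete Object.prototype.isAdmin;
  return result;
}

console.log('unsafeMerge:', runMerge(unsafeMerge)); // leaked: true, polluted: ['isAdmin']
console.log('safeMerge:  ', runMerge(safeMerge));   // leaked: false, polluted: []
```

The `pollutedKeys()` check is cheap enough to run in a health endpoint or a post-deserialization assertion: a non-empty result means some code path has already written into the shared prototype, which is worth alerting on regardless of which input caused it. Key filtering alone is the minimum; parsing untrusted JSON into prototype-less objects and validating input against a schema before any merge are the layers that remove the class of bug rather than one instance of it.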

The vulnerability impacts various Kibana deployment types, including self-managed installations, Docker images, Elastic Cloud, Elastic Cloud Enterprise (ECE), and Elastic Cloud on Kubernetes (ECK). In certain environments code execution is confined to the container, and the protection mechanisms associated with each affected deployment type can prevent further exploitation, such as container escape.

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272