CVE-2024-37287 (CVSS 9.9): Urgent Kibana Patch for Severe Security Vulnerability

by do son · August 6, 2024

The Elastic Team has announced a critical security update for Kibana, their popular open-source data visualization and exploration tool. This update addresses a severe vulnerability, CVE-2024-37287, which carries a CVSS score of 9.9. The flaw, discovered in Kibana, could allow arbitrary code execution through a prototype pollution vulnerability, posing significant risks to self-managed and cloud-based instances of Kibana.

Kibana, developed by Elastic, is a powerful tool for analyzing and visualizing data stored in Elasticsearch. It offers a user-friendly interface with a variety of visualization options, including histograms, line graphs, pie charts, and maps. Kibana enables users to create detailed dashboards, and presentations using Canvas, and leverage machine learning capabilities to gain valuable insights from their data.

The security flaw, identified as CVE-2024-37287, arises from a prototype pollution vulnerability that can lead to arbitrary code execution. This vulnerability can be exploited by an attacker with access to ML and Alerting connector features, as well as write access to internal ML indices. The potential impact of this flaw is significant, allowing attackers to execute arbitrary code within affected Kibana instances.

The vulnerability impacts various Kibana deployment scenarios, including self-managed installations, Docker images, Elastic Cloud, Elastic Cloud Enterprise (ECE), and Elastic Cloud on Kubernetes (ECK). While certain environments limit code execution within containers, the risk of exploitation remains significant.

Kibana users running versions prior to 8.14.2 (8.x) or 7.17.23 (7.x) are at risk and should take immediate action.

The Elastic team has released security updates addressing this vulnerability. Users are strongly advised to upgrade to Kibana versions 8.14.2 or 7.17.23 as soon as possible. These updates include patches that effectively mitigate the risk of arbitrary code execution.