Critical Kibana Flaws (CVE-2024-37288, CVE-2024-37285) Expose Systems to Arbitrary Code Execution

Summary: Elastic has issued a critical security advisory for its Kibana platform, urging users to update to version 8.15.1 due to two severe vulnerabilities that could allow attackers to execute arbitrary code. The vulnerabilities, CVE-2024-37288 and CVE-2024-37285, pose significant risks, particularly for users with specific configurations and privileges.

Key Points:

  • Two critical YAML deserialization vulnerabilities in Kibana can lead to arbitrary code execution on the Kibana host.
  • CVE-2024-37288 is reachable only in deployments that use Elastic Security's built-in AI tools with an Amazon Bedrock connector configured; CVE-2024-37285 applies to any deployment where a user holds a specific combination of Elasticsearch index privileges and Kibana Fleet privileges.
  • Elastic recommends upgrading to Kibana 8.15.1, which fixes both issues.
  • Users unable to upgrade immediately can temporarily disable the Integration Assistant, but this mitigation covers CVE-2024-37288 only.

Elastic, the company behind the popular open-source data visualization and analytics platform Kibana, has issued a critical security advisory urging users to update immediately to version 8.15.1. Two severe vulnerabilities, tracked as CVE-2024-37288 and CVE-2024-37285, could allow attackers to execute arbitrary code on affected systems, potentially leading to complete system compromise.

  • CVE-2024-37288: YAML Deserialization Flaw in Amazon Bedrock Connector

The first vulnerability, rated CVSS 9.9 (critical), stems from a deserialization issue in the YAML parsing behind Kibana's Amazon Bedrock Connector. An attacker who can get Kibana to parse a crafted YAML document reaches remote code execution on the Kibana process. The issue only affects deployments that use Elastic Security's built-in AI tools and have configured an Amazon Bedrock connector; according to Elastic's advisory it is present in Kibana 8.15.0 and fixed in 8.15.1.
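The following script is an added example, not code from the article or from Elastic. It shows the checks a practitioner would run before deciding whether a deployment is exposed: compare the running Kibana version with the affected ranges Elastic published (8.15.0 for CVE-2024-37288, 8.10.0 through 8.15.0 for CVE-2024-37285), look for an Amazon Bedrock connector in the output of Kibana's GET /api/actions/connectors endpoint (the field name connector_type_id and the type id ".bedrock" are assumptions to verify against your version), and confirm whether kibana.yml already carries the xpack.integration_assistant.enabled: false mitigation. The connector list and kibana.yml fragment below are constructed sample data so the script runs offline; in practice you would feed it the real API response and config file.

```python
"""Exposure check for CVE-2024-37288 / CVE-2024-37285 (example, not Elastic's tooling)."""
import json
import re

# Inclusive affected ranges as published in Elastic's advisories; verify before relying on them.
AFFECTED = {
    "CVE-2024-37288": ("8.15.0", "8.15.0"),
    "CVE-2024-37285": ("8.10.0", "8.15.0"),
}
FIXED_VERSION = "8.15.1"


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '8.15.0' (or '8.15.0-SNAPSHOT') into a comparable tuple of ints."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def affected_cves(version: str) -> list[str]:
    """Return the CVEs whose affected range contains the given Kibana version."""
    ver = parse_version(version)
    return sorted(
        cve for cve, (low, high) in AFFECTED.items()
        if parse_version(low) <= ver <= parse_version(high)
    )


def bedrock_connectors(connectors: list[dict]) -> list[str]:
    """Names of connectors whose type is Amazon Bedrock.

    ASSUMPTION: GET /api/actions/connectors returns one object per connector with a
    'connector_type_id' field, and the Bedrock connector type id is '.bedrock'.
    """
    return [c["name"] for c in connectors if c.get("connector_type_id") == ".bedrock"]


# Flat-key form of the setting only; a nested 'xpack:\n  integration_assistant:' block is not parsed.
_MITIGATION_SETTING = re.compile(r"^\s*xpack\.integration_assistant\.enabled\s*:\s*(\S+)")


def mitigation_applied(kibana_yml: str) -> bool:
    """True if kibana.yml sets xpack.integration_assistant.enabled to false (comments ignored)."""
    for line in kibana_yml.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = _MITIGATION_SETTING.match(line)
        if match:
            return match.group(1).strip("\"'").lower() == "false"
    return False


def assess(version: str, connectors: list[dict], kibana_yml: str) -> dict:
    """Combine the three checks into a findings dict with recommended actions."""
    cves = affected_cves(version)
    findings = {"version": version, "affected": cves, "actions": []}
    if not cves:
        return findings
    findings["actions"].append(f"upgrade to Kibana {FIXED_VERSION}")
    if "CVE-2024-37288" in cves:
        names = bedrock_connectors(connectors)
        findings["bedrock_connectors"] = names
        findings["mitigated_37288"] = mitigation_applied(kibana_yml)
        if names and not findings["mitigated_37288"]:
            findings["actions"].append(
                "set xpack.integration_assistant.enabled: false until the upgrade lands"
            )
    if "CVE-2024-37285" in cves:
        findings["actions"].append(
            "no configuration workaround for CVE-2024-37285; audit roles holding Fleet privileges"
        )
    return findings


# Constructed sample data (not real API output): one Bedrock connector, one Slack connector,
# and a kibana.yml where the mitigation is only present as a comment.
SAMPLE_CONNECTORS = json.loads("""[
  {"id": "c1", "name": "bedrock-prod", "connector_type_id": ".bedrock", "is_preconfigured": false},
  {"id": "c2", "name": "slack-alerts", "connector_type_id": ".slack", "is_preconfigured": false}
]""")
SAMPLE_KIBANA_YML = """
server.port: 5601
# xpack.integration_assistant.enabled: false
elasticsearch.hosts: ["https://es:9200"]
"""

if __name__ == "__main__":
    print(json.dumps(assess("8.15.0", SAMPLE_CONNECTORS, SAMPLE_KIBANA_YML), indent=2))
```

Run it against the live data by saving GET /api/status (for the version) and GET /api/actions/connectors from Kibana and passing their contents in place of the constructed samples; the version comparison alone is enough to decide on the upgrade, the connector and config checks only tell you how urgent the interim mitigation is.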

  • CVE-2024-37285: Widespread YAML Deserialization Vulnerability

The second vulnerability, also a YAML deserialization issue, is not tied to a single connector and therefore affects a much broader set of Kibana deployments (Elastic's advisory lists 8.10.0 through 8.15.0). With a CVSS score of 9.1 (critical), it allows an authenticated user to execute arbitrary code on the Kibana host, but only if that user holds a specific combination of Elasticsearch index privileges and Kibana privileges.

On the Elasticsearch side, the attacker needs write access to the .kibana_ingest* system indices, which in practice means a role whose index privilege carries allow_restricted_indices set to true (the ability to manage restricted indices). On the Kibana side, the attacker needs at least one of the following: the All privilege under Fleet, the Read or All privilege under Integrations, or the fleet-setup privilege obtained through the Fleet Server's service account token.

Because of these prerequisites, the realistic attacker is a user who already holds Fleet-related privileges (an insider or a compromised account), a role that was over-granted on system indices, or someone who has obtained a Fleet Server service account token. That makes a role and token audit the most useful immediate check alongside the upgrade.
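The following audit script is an added example, not code from the article or from Elastic. It walks the role definitions returned by Elasticsearch's GET _security/role and the users returned by GET _security/user, and flags roles that satisfy both halves of the CVE-2024-37285 precondition described above: a write-capable index privilege whose pattern covers .kibana_ingest with allow_restricted_indices enabled, together with a Kibana application privilege that grants Fleet or Integrations access. The Kibana feature privilege identifiers (feature_fleetv2 for Fleet, feature_fleet for Integrations) are an assumption about 8.x naming that you should verify against GET /api/features on your own stack; the role and user documents are constructed samples so the script runs offline.

```python
"""Audit Elasticsearch roles/users for the CVE-2024-37285 privilege combination (example only)."""
from fnmatch import fnmatch

# Index privileges that allow writing documents into a matching index.
WRITE_PRIVILEGES = {"all", "write", "index", "create", "create_doc"}

# Kibana privileges that satisfy the Fleet/Integrations half of the precondition.
# ASSUMPTION: in Kibana 8.x role documents, feature_fleetv2 is the "Fleet" feature and
# feature_fleet is the "Integrations" feature; a space-level "all" grants every feature.
FLEET_PRIVILEGES = {"feature_fleetv2.all", "feature_fleet.read", "feature_fleet.all", "all"}

# Literal index name used to test whether a role's index pattern reaches the system index.
SYSTEM_INDEX_SAMPLE = ".kibana_ingest"


def grants_ingest_write(role: dict) -> bool:
    """True if any index privilege entry can write to .kibana_ingest* system indices."""
    for entry in role.get("indices", []):
        if not entry.get("allow_restricted_indices", False):
            continue  # system indices stay out of reach without this flag, even for "*"
        if not WRITE_PRIVILEGES & set(entry.get("privileges", [])):
            continue
        # Elasticsearch index patterns only use '*'; fnmatch covers that (and more).
        if any(fnmatch(SYSTEM_INDEX_SAMPLE, pattern) for pattern in entry.get("names", [])):
            return True
    return False


def grants_fleet_access(role: dict) -> bool:
    """True if any Kibana application entry grants a Fleet or Integrations privilege."""
    for app in role.get("applications", []):
        if not app.get("application", "").startswith("kibana-"):
            continue
        if FLEET_PRIVILEGES & set(app.get("privileges", [])):
            return True
    return False


def risky_roles(roles: dict) -> list[str]:
    """Role names meeting both halves of the CVE-2024-37285 precondition."""
    return sorted(
        name for name, role in roles.items()
        if grants_ingest_write(role) and grants_fleet_access(role)
    )


def exposed_users(users: dict, risky: list[str]) -> list[str]:
    """Users assigned at least one risky role (service-account tokens are not covered here)."""
    return sorted(name for name, user in users.items() if set(user.get("roles", [])) & set(risky))


# Constructed sample documents in the shape of GET _security/role and GET _security/user.
SAMPLE_ROLES = {
    "fleet_ingest_writer": {
        "indices": [{"names": [".kibana_ingest*"], "privileges": ["read", "write"],
                     "allow_restricted_indices": True}],
        "applications": [{"application": "kibana-.kibana", "resources": ["*"],
                          "privileges": ["feature_fleetv2.all", "feature_fleet.read"]}],
    },
    "log_writer": {  # writes everywhere, but cannot reach restricted indices
        "indices": [{"names": ["*"], "privileges": ["write"], "allow_restricted_indices": False}],
        "applications": [{"application": "kibana-.kibana", "resources": ["*"],
                          "privileges": ["feature_fleetv2.all"]}],
    },
    "dashboard_viewer": {
        "indices": [{"names": ["logs-*"], "privileges": ["read"]}],
        "applications": [{"application": "kibana-.kibana", "resources": ["space:default"],
                          "privileges": ["feature_dashboard.read"]}],
    },
    "space_admin": {  # broad grants that happen to include both halves
        "indices": [{"names": ["*"], "privileges": ["all"], "allow_restricted_indices": True}],
        "applications": [{"application": "kibana-.kibana", "resources": ["space:default"],
                          "privileges": ["all"]}],
    },
}
SAMPLE_USERS = {
    "alice": {"roles": ["fleet_ingest_writer"]},
    "bob": {"roles": ["dashboard_viewer", "log_writer"]},
    "carol": {"roles": ["space_admin"]},
}

if __name__ == "__main__":
    risky = risky_roles(SAMPLE_ROLES)
    print("roles meeting the CVE-2024-37285 precondition:", risky)
    print("users holding those roles:", exposed_users(SAMPLE_USERS, risky))
```

The script cannot see the third path in the precondition, a Fleet Server service account token, because tokens are not role assignments; review those separately with GET _security/service/elastic/fleet-server/credential and rotate any token you cannot account for.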

To address both vulnerabilities, Elastic advises the following actions:

  • Upgrade to Kibana version 8.15.1: This is the most effective solution and patches both CVE-2024-37288 and CVE-2024-37285. Elastic lists no configuration workaround for CVE-2024-37285, so for that issue the upgrade is the only fix.
  • Temporary Mitigation for CVE-2024-37288: Users unable to upgrade immediately can mitigate this issue by disabling the Integration Assistant in kibana.yml (Kibana must be restarted for the change to take effect):
    xpack.integration_assistant.enabled: false

Source: https://securityonline.info/critical-kibana-flaws-cve-2024-37288-cve-2024-37285-expose-systems-to-arbitrary-code-execution