Search Guard Kibana Plugin 6.x-12

Release Date: 12.04.2018

Critical security fixes

See also: Search Guard Security Issues

SISG 9

  • A Kibana user could impersonate the kibanaserver user when providing wrong credentials
  • Conditions:
    • Kibana is configured to use Single Sign-On (Kerberos, JWT, Proxy, or client certificate) as its authentication method
    • The kibanaserver user is configured to use HTTP Basic as its authentication method
    • Search Guard is configured to use an SSO authentication domain and HTTP Basic at the same time
  • Reported by Guy Moller
  • Affected: Kibana Plugin >= 5.2.x and Kibana plugin 6.x
  • Fixed with: Kibana Plugin 5.6.8-7 and Kibana Plugin 6.x-12

SISG 8

  • Open redirect and XSS vulnerability in the Kibana plugin
    • An attacker could redirect the user to a potentially malicious site upon Kibana login
  • Reported by Vineet Kumar
  • Affected: Kibana plugin 5.x and 6.x
  • Fixed with: Kibana Plugin 5.6.8-7 and Kibana Plugin 6.x-12

Fixes

  • Fixed redirect-after-login when basePath is set
  • Fixed license warning when using the Search Guard Community Edition