Search Guard 6.2.x-22.1 and Search Guard 6.1.x-22.2

Release Date: 27.04.2018

Features

Fixes

  • Fixed permissions in Search Guard demo roles
  • Fixed an issue where the Webhook Audit Log fails due to insufficient plugin permissions
    • (internally tracked)
  • Fixed an issue where the JWKS/OpenID module fails when the JWT does not contain a keyid
    • (internally tracked)
  • Fixed an issue in the Audit Log module where audit_request_origin is not logged for SSL exceptions on the transport layer
    • (internally tracked)

Kibana Plugin 6.x-12

Release Date: 12.04.2018

Critical security fixes

See also: Search Guard Security Issues

SISG 9

  • A Kibana user could impersonate the kibanaserver user when providing wrong credentials
  • Conditions:
    • Kibana is configured to use Single Sign-On as the authentication method (one of Kerberos, JWT, Proxy, or client certificate)
    • The kibanaserver user is configured to use HTTP Basic as the authentication method
    • Search Guard is configured to use an SSO authentication domain and HTTP Basic at the same time
  • Reported by Guy Moller
  • Affected: Kibana Plugin >= 5.2.x and Kibana Plugin 6.x
  • Fixed with: Kibana Plugin 5.6.8-7 and Kibana Plugin 6.x-12

SISG 8

  • Redirect and XSS vulnerability in Kibana plugin
    • An attacker can redirect the user to a potentially malicious site upon Kibana login
  • Reported by Vineet Kumar
  • Affected: Kibana Plugin 5.x and 6.x
  • Fixed with: Kibana Plugin 5.6.8-7 and Kibana Plugin 6.x-12

Fixes

  • Fixed redirect-after-login when basePath is set
  • Fixed license warning when using the Search Guard Community Edition

Search Guard 6.x-22.0

Release Date: 27.03.2018

Upgrade Guide from 5.x to 6.x

Fixes

Features

Kibana Plugin 6.x-11

Fixes

Features

TLS Tool 1.2

Fixes