Fixed versions: 7.17.23, 8.14.2
CVE-2024-37287 is a critical remote code execution (RCE) vulnerability in Kibana caused by prototype pollution. An attacker who already holds access to Kibana's ML and Alerting connector features, together with write access to the internal ML indices, can execute arbitrary code on the Kibana server. The affected releases are those before the fix: Kibana 7.7.0 through 7.17.22, and 8.x releases before 8.14.2. Elastic has released 7.17.23 and 8.14.2 to address the issue, and affected users should upgrade to one of those versions or later.
The impact of CVE-2024-37287 is severe. A successful exploit runs attacker-controlled code in the Kibana process, which can give complete control of the server and lead to data theft, credential compromise and lateral movement into the rest of the network, including the Elasticsearch cluster Kibana is attached to. Exploitation requires two things at once: access to Kibana's ML and Alerting connector features, and write access to the internal ML indices. That makes the flaw most concerning for organizations that use these features widely and hand out ML index write access generously. The prototype pollution mechanism is intricate, but once the prerequisites are met it gives a reliable attack path. The bug belongs to the same class as other JavaScript prototype pollution vulnerabilities: untrusted object keys such as __proto__ reach a recursive merge or property-setting routine and end up modifying Object.prototype, which every other object in the process inherits from.
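As an added illustration of the vulnerability class described above (this is generic example code written for this page, not Kibana's code and not taken from the Elastic advisory), the block below shows a recursive deep-merge that walks attacker-supplied keys, beside a hardened variant that refuses the keys that reach the prototype chain. The payload, the `unsafeMerge`/`safeMerge` names and the `isAdmin` property are all hypothetical; the point is only that `JSON.parse` turns `"__proto__"` into an ordinary own property, which the naive merge then follows up to `Object.prototype`.

```javascript
'use strict';

// Keys that, when followed by a merge, land on the prototype chain instead of
// on the target object itself.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern (hypothetical): recursive merge that trusts every key in
// `source`. Reading target['__proto__'] yields Object.prototype, so the
// recursion writes attacker values onto the prototype shared by all objects.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: skip prototype-reaching keys and only recurse into
// properties that `target` actually owns, never into inherited ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const ownObject =
        Object.prototype.hasOwnProperty.call(target, key) &&
        typeof target[key] === 'object' && target[key] !== null;
      if (!ownObject) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload. JSON.parse creates "__proto__" as a plain own
// property, so Object.keys() lists it like any other key.
const PAYLOAD_JSON = '{"name": "job-1", "__proto__": {"isAdmin": true}}';

// Merge the payload into a fresh config with the given merge function and
// report whether an unrelated object now inherits the attacker's property.
// The pollution is undone afterwards so the demo is repeatable.
function runMerge(mergeFn) {
  const config = { name: 'default', threshold: 1 };
  mergeFn(config, JSON.parse(PAYLOAD_JSON));
  const bystander = {};
  const result = { name: config.name, leaked: bystander.isAdmin === true };
  delete Object.prototype.isAdmin;
  return result;
}

console.log(JSON.stringify({
  unsafe: runMerge(unsafeMerge), // { name: 'job-1', leaked: true }
  safe: runMerge(safeMerge),     // { name: 'job-1', leaked: false }
}));
```

In a real application the polluted property is rarely something as obvious as `isAdmin`; it is whatever option a later code path reads off a plain object without checking ownership, which is why the impact of pollution depends on what else runs in the same process.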
CVE-2024-37287 was publicly disclosed on August 13, 2024. The prerequisites (valid credentials with access to the ML and Alerting connector features, plus write access to the internal ML indices) raise the bar for indiscriminate exploitation, but a public proof of concept, if one appears, would lower it. The EPSS score recorded on this page is 0.85% (75th percentile): the modelled probability of exploitation in the next 30 days is low in absolute terms, yet higher than that of three quarters of scored CVEs. Monitor security advisories and threat intelligence feeds for indications of active exploitation campaigns against Kibana instances.
Organizations that rely heavily on Kibana's ML and Alerting connector features are at the highest risk. This includes security operations centers (SOCs) that use Kibana for threat detection and incident response, and businesses that use it for data visualization and analytics. Environments where roles grant ordinary users write access to the internal ML indices (the .ml-* system indices) are particularly exposed, since that write access is one of the two exploitation prerequisites.
• nodejs / server: Monitor Kibana logs for errors or unusual activity from the ML and Alerting/Actions plugins. Prototype pollution does not announce itself in log text, so grepping for the phrase "prototype pollution" finds nothing; filter on the plugin loggers instead and look for connector executions or ML job writes by accounts that should not be doing them (adjust the pattern to your logging configuration):
journalctl -u kibana -f | grep -iE 'plugins\.(alerting|actions|ml)'
• generic web: Establish which version each instance runs rather than probing endpoints for "unexpected behavior". Kibana's status API reports the version number; any result before 7.17.23 on the 7.x line, or before 8.14.2 on the 8.x line, is affected:
curl -s -u "$KIBANA_USER:$KIBANA_PASS" http://kibana_host/api/status | jq -r .version.number
EPSS: 0.85% (75th percentile)
The primary mitigation for CVE-2024-37287 is to upgrade Kibana to a patched version. Elastic has released 7.17.23 and 8.14.2, which address this vulnerability. If an immediate upgrade is not feasible, reduce the attack surface in the meantime: restrict which roles can use the ML and Alerting connector features, and remove write access to the internal ML indices from any role that does not strictly need it. Because exploitation requires both privileges together, taking away either one from a user blocks that user, but this is a workaround that buys time, not a fix. Keep monitoring Kibana logs for unusual ML or Alerting connector activity. A Web Application Firewall rule that rejects JSON request bodies containing __proto__, constructor or prototype keys catches the common payload shapes, but such rules can be bypassed and may break legitimate requests, so treat them as defense in depth. After upgrading, confirm the fix by checking the version reported by each instance's status API and by reviewing that the tightened role assignments are still in place; do not attempt to reproduce the exploit against production systems.
Update Kibana to version 7.17.23 or 8.14.2 or later. These versions contain the fix for the prototype pollution vulnerability, and updating removes the risk of arbitrary code execution through it.
CVE-2024-37287 is a critical remote code execution vulnerability in Kibana 7.7.0 through 7.17.22 and in 8.x releases before 8.14.2. It lets an attacker who already has the required access execute arbitrary code on the Kibana server.
If you are running Kibana 7.7.0 through 7.17.22, or an 8.x release before 8.14.2, and have users with access to the ML and Alerting connectors and write access to the internal ML indices, you are potentially affected.
Upgrade Kibana to version 7.17.23 or 8.14.2 or later. As a temporary workaround, restrict access to the ML and Alerting connectors and limit write access to the internal ML indices.
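The mitigation guidance above and the "am I affected" question boil down to a version comparison against the two fixed releases. The following is an added example written for this page (not Elastic's code) that applies that check to the JSON returned by Kibana's `GET /api/status` endpoint. The sample response is constructed; the lower bound of 8.0.0 for the 8.x range and the function names are assumptions of this example.

```javascript
'use strict';

// Parse "major.minor.patch" (a trailing suffix such as "-SNAPSHOT" is ignored).
function parseVersion(s) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(s).trim());
  if (!m) throw new Error(`unrecognised Kibana version: ${s}`);
  return m.slice(1).map(Number);
}

// Lexicographic compare of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Affected ranges for CVE-2024-37287 as half-open intervals
// [first affected, first fixed). The fixed releases come from the advisory
// text on this page; 8.0.0 as the start of the 8.x range is an assumption.
const AFFECTED_RANGES = [
  { from: '7.7.0', fixed: '7.17.23' },
  { from: '8.0.0', fixed: '8.14.2' },
];

// True when `version` falls inside any affected range.
function isAffected(version) {
  const v = parseVersion(version);
  return AFFECTED_RANGES.some((r) =>
    compareVersions(v, parseVersion(r.from)) >= 0 &&
    compareVersions(v, parseVersion(r.fixed)) < 0);
}

// Constructed, trimmed-down sample of what GET /api/status returns.
const SAMPLE_STATUS = JSON.stringify({
  name: 'kibana-01',
  version: { number: '8.14.1', build_hash: 'abc123' },
  status: { overall: { level: 'available' } },
});

// Read the version out of a status response body and assess it.
function assessStatus(statusJson) {
  const number = JSON.parse(statusJson).version.number;
  return { version: number, affected: isAffected(number) };
}

console.log(JSON.stringify(assessStatus(SAMPLE_STATUS)));
// { "version": "8.14.1", "affected": true }
```

To run this against live instances, feed the body of `curl -s -u user:pass https://kibana_host/api/status` into `assessStatus`; the version check alone does not tell you whether any user holds the two privileges the exploit needs, so pair it with a review of role assignments.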
While active exploitation is not yet confirmed, the vulnerability's severity and public disclosure increase the likelihood of exploitation. Monitor threat intelligence feeds for updates.
Refer to the Elastic Security blog post detailing the vulnerability: https://www.elastic.co/blog/security-update-cve-202437287