Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2015.0056
A vulnerability has been identified in Kibana
11 June 2015
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Kibana
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Cross-site Scripting -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2015-4093
Member content until: Saturday, July 11 2015
OVERVIEW
A vulnerability has been identified in Kibana prior to version
4.0.3. [1]
IMPACT
The vendor has provided the following details regarding this issue:
"Kibana versions 4.0.0, 4.0.1 and 4.0.2 are vulnerable to a
cross-site scripting (XSS) attack. The attack allows execution of
arbitrary JavaScript in the context of the user’s browser.
We have been assigned CVE-2015-4093 for this issue." [1]
MITIGATION
The vendor recommends updating to the latest version of Kibana to
correct this issue. [1]
REFERENCES
[1] Kibana Cross-Site Scripting Vulnerability CVE-2015-4093
https://discuss.elastic.co/t/kibana-cross-site-scripting-vulnerability-cve-2015-4093/2258
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVXji9RLndAQH1ShLAQKeCRAAiihpeDTIUPRzzRVZZDQp1Oqt0Mn0Q9QZ
SO1kq31q03BKKkXyp4G5nDhdIdI3zJhT0MXVrQfPne94flvBRPchOrX4Vdkh1ntn
711WwFvN097l4goIzr8LDND6jYdBnTHwotICXSVFR0XBTKcvaNuiTx9DOc47tKl0
Dhgh+NdwZwBWdUFtI9H04ur+DCOARCfPu0q/RWjkn24LdlKpBHEfcCoT4n5kaQQ9
82oKF9oP5uXj2LVbri0ZaZoOxoe0fWN89mdCYbiZ3ncE38v+B0KOcOcL2hZBTToO
BKeVeOgPN8VsXBRD1qNzaY5crf6Q633+eWOvIIvsubW5R/mYFv9GBSSuKA6cFRzP
9jAt8HhU8TqwIVLAGw8V4IJU3Sebhku3Gg9hptkqPP6y4vgAD2dw1geEwmPtxgx5
YQcOPH1Rvh7DXzUrMGaL5u/hhasyaWJg/do8sJtS79L/yUDxhYQ1x0tsrfK3kzO3
Ar9usZDIi7RoRkFonTrnCc45JftYqBBYwpnUrJWOrXMaReY1QOxEnB8GpIVJEGD+
caqQTEUgpbpYxQLvydmpO5CzlLX6Nqes2mysUTMTFRKffTV/zYj8pQ+OySFbQBag
A+1kIU/f9oH+1pdnL6Wm8iQWPWMHOiGPUYfceu+IeTaW9j+rDXuyQFrPjW7IF/x1
XZTG1DTJ8Sg=
=fO0R
-----END PGP SIGNATURE-----