
[Discuss] Workaround for Kibana Reporting Vulnerability ESA-2018-17 (CVE-2018-17245) #25579

Closed
ypid-geberit opened this issue Nov 13, 2018 · 1 comment
Labels
Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

Comments

@ypid-geberit

ypid-geberit commented Nov 13, 2018

I would like to propose a workaround to mitigate CVE-2018-17245 which:

  • Does not require a Kibana (and in turn also Elasticsearch) upgrade.
  • Does not require disabling reporting altogether via xpack.reporting.enabled.

It works by blocking outgoing connections from the Kibana user to the Internet on the server where Kibana is running. Example iptables script:

iptables -F OUTPUT
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT ! -d 10.0.0.0/8 -m owner --uid-owner kibana -m limit --limit 5/min -j LOG --log-prefix "Kibana security workaround: " --log-level 7
iptables -A OUTPUT ! -d 10.0.0.0/8 -m owner --uid-owner kibana -j REJECT

ip6tables -F OUTPUT
ip6tables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT ! -d fd95:9d43:c67b:3d75::/64 -m owner --uid-owner kibana -m limit --limit 5/min -j LOG --log-prefix "Kibana security workaround: " --log-level 7
ip6tables -A OUTPUT ! -d fd95:9d43:c67b:3d75::/64 -m owner --uid-owner kibana -j REJECT

Feel free to give feedback on this. Note that I already posted this in the forum and was redirected here.

Ref: https://www.elastic.co/blog/elastic-support-alert-kibana-reporting-vulnerability
Ref: #24177
Ref: https://discuss.elastic.co/t/workaround-for-kibana-reporting-vulnerability-esa-2018-17-cve-2018-17245/156078
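Two defender-side checks that go with the uid-owner egress rules above, written as an added example for this page rather than code from the issue or from Elastic: before deploying, confirm that every backend Kibana legitimately needs (its Elasticsearch hosts, at minimum) falls inside the networks the `! -d` arguments exempt, since otherwise the REJECT rule breaks Kibana itself; after deploying, parse the kernel LOG lines that the `--log-prefix "Kibana security workaround: "` rule emits to see which outbound destinations the kibana user actually attempted. The permitted networks are the two from the script above; the Elasticsearch URLs and the log lines are constructed sample input, and hostnames are deliberately not resolved so the check runs offline.

```python
"""Checks around the uid-owner egress rules (added example, not from the issue)."""
import ipaddress
import re
from urllib.parse import urlsplit

# The destination networks the page's rules exempt from REJECT ("! -d ...").
PERMITTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("fd95:9d43:c67b:3d75::/64"),
]

# Prefix set by the LOG rule; kernel lines carrying it are attempts that were
# then rejected by the following rule (subject to the 5/min rate limit).
LOG_PREFIX = "Kibana security workaround: "
_FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def is_permitted(dst, networks=PERMITTED_NETWORKS):
    """True if the IP literal dst lies inside one of the exempted networks."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in networks)


def check_kibana_backends(hosts, networks=PERMITTED_NETWORKS):
    """Return (url, reason) for every backend URL the rules would reject.

    hosts: URLs as they would appear in kibana.yml (elasticsearch.hosts /
    elasticsearch.url). Only IP literals are judged here; a hostname is
    reported so the operator resolves it by hand (no DNS lookups offline).
    """
    problems = []
    for url in hosts:
        host = urlsplit(url).hostname
        try:
            ipaddress.ip_address(host)
        except ValueError:
            problems.append((url, "hostname, resolve manually"))
            continue
        if not is_permitted(host, networks):
            problems.append((url, "outside permitted networks"))
    return problems


def parse_log_line(line):
    """Extract DST/PROTO/DPT from one kernel LOG line carrying our prefix.

    Returns None for lines that did not come from the workaround's LOG rule.
    """
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    fields = dict(_FIELD.findall(line[idx + len(LOG_PREFIX):]))
    return {"dst": fields.get("DST"),
            "proto": fields.get("PROTO"),
            "dport": fields.get("DPT")}


def summarize_blocked(lines):
    """Count rejected outbound attempts per (dst, proto, dport)."""
    counts = {}
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        key = (rec["dst"], rec["proto"], rec["dport"])
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample syslog excerpt in the shape iptables LOG produces;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real targets.
SAMPLE_LOG = [
    "Nov 13 10:02:11 kibana01 kernel: Kibana security workaround: IN= OUT=eth0 "
    "SRC=10.1.2.3 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF "
    "PROTO=TCP SPT=51234 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Nov 13 10:02:11 kibana01 kernel: Kibana security workaround: IN= OUT=eth0 "
    "SRC=10.1.2.3 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4322 DF "
    "PROTO=TCP SPT=51235 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Nov 13 10:02:12 kibana01 kernel: Kibana security workaround: IN= OUT=eth0 "
    "SRC=10.1.2.3 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4323 DF "
    "PROTO=TCP SPT=51236 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Nov 13 10:02:13 kibana01 sshd[1200]: Accepted publickey for ops from 10.1.2.9",
]

if __name__ == "__main__":
    # Hypothetical kibana.yml backends, constructed for the example.
    for url, reason in check_kibana_backends(
            ["http://10.0.0.20:9200", "https://192.168.1.20:9200"]):
        print("would be rejected:", url, "-", reason)
    for (dst, proto, dport), n in sorted(summarize_blocked(SAMPLE_LOG).items()):
        print(f"{n} rejected attempt(s) to {dst} {proto}/{dport}")
```

Anything the summary reports is traffic the kibana user tried to send outside the exempted networks; legitimate destinations that show up there belong in the `! -d` exemption, and the rest is what the workaround exists to stop.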

@jen-huang jen-huang added the Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! label Nov 13, 2018
@kobelb
Contributor

kobelb commented Jun 19, 2019

Thanks for submitting this workaround @ypid-geberit. I'm closing out this issue as a majority of users have been able to upgrade their Kibana to mitigate the vulnerability so we didn't need to rely on this work-around.

@kobelb kobelb closed this as completed Jun 19, 2019