
E-ES: Elasticsearch Vulnerabilities CVE-2019-7608, CVE-2019-7609 and CVE-2019-7610 (Doc ID 2656407.1)

Last updated on APRIL 07, 2020

Applies to:

PeopleSoft Enterprise PT PeopleTools - Version 8.57 to 8.58 [Release 8.4]
Information in this document applies to any platform.

Goal

Qn1: How to mitigate the Elasticsearch Vulnerability CVE-2019-7608?

Kibana versions before 5.6.15 and 6.6.1 have the following vulnerability:

- A cross-site scripting (XSS) vulnerability that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. (CVE-2019-7608).

Qn2: How to mitigate the Elasticsearch Vulnerability CVE-2019-7609?

Kibana versions before 5.6.15 and 6.6.1 also have the following vulnerability:

- An arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute JavaScript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system. (CVE-2019-7609).

Qn3: How to mitigate the Elasticsearch Vulnerability CVE-2019-7610?

Kibana versions before 5.6.15 and 6.6.1 also have the following vulnerability:

- An arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could send a request that will attempt to execute JavaScript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system. (CVE-2019-7610).
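
An exposure check built from the conditions stated above, as an added example (not Oracle's or Elastic's code). It compares a Kibana version against the fixed release of its own major line and reads xpack.security.audit.enabled from kibana.yml text. The function names, the sample configuration and the treatment of releases older than 5.x as affected are assumptions of this example.

```python
import re

# Fixed releases named in the advisory text: 5.6.15 (5.x line) and 6.6.1 (6.x line).
FIXED = {5: (5, 6, 15), 6: (6, 6, 1)}
SAMPLE_YML = """\
# constructed sample kibana.yml, not taken from a real system
elasticsearch.url: "http://localhost:9200"
xpack:
  security:
    audit:
      enabled: true
"""

def version_is_affected(version):
    """True if the version predates the fixed release of its own major line."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Kibana version: {version!r}")
    v = tuple(int(p) for p in m.groups())
    if v[0] > 6:
        return False  # later major lines are outside the range the advisory names
    return v < FIXED.get(v[0], FIXED[5])  # assumption: pre-5.x counts as "before 5.6.15"

def flatten_settings(yml_text):
    """Flatten simple kibana.yml mappings (dotted or nested keys) to {dotted.key: value}."""
    out, stack = {}, []  # stack holds (indent, key) for each open parent mapping
    for raw in yml_text.splitlines():
        line = raw.split(" #")[0].rstrip()  # drop inline comments
        if not line.strip() or line.lstrip().startswith("#") or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if value.strip():
            out[".".join([k for _, k in stack] + [key.strip()])] = value.strip().strip("'\"")
        else:
            stack.append((indent, key.strip()))
    return out

def assess(version, yml_text):
    """Map each CVE to True when the instance meets the conditions the advisory states."""
    affected = version_is_affected(version)
    audit = flatten_settings(yml_text).get("xpack.security.audit.enabled", "false").lower() == "true"
    return {
        "CVE-2019-7608": affected,
        "CVE-2019-7609": affected,  # additionally requires access to the Timelion application
        "CVE-2019-7610": affected and audit,  # only when audit logging is enabled
    }
```

A single comparison against 5.6.15 would report 6.0.0 as fixed, which is why the check is made per major line.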

 

Solution

To view full details, sign in with your My Oracle Support account.
