# Security Issue
Please send security vulnerability reports to the Help Desk.
## Submitting an Issue
When we receive an issue, we evaluate it and, if we agree it is a vulnerability, we work to fix it or propose a remediation that matches its severity.
## Embedded COTS
Product name | CRAIG 5.1.0 | CRAIG 5.1.1 | CRAIG 5.1.2 | CRAIG 5.2.0 | CRAIG 5.3.0 |
---|---|---|---|---|---|
Kafka | 2.11-1.1.0 | 2.11-1.1.0 | 2.11-1.1.0 | 2.11-1.1.0 | 2.11-1.1.0 |
Spark | 2.3.2 | 2.3.2 | 2.4.0 | 2.4.0 | 2.4.0 |
Storm | 1.1.1 | 1.1.3 | 1.1.3 | 1.2.2 | 1.2.2 |
Zookeeper | 3.4.10 | 3.4.10 | 3.4.10 | 3.4.10 | 3.5.5 |
Ceph | 12.2.6 | 12.2.6 | 12.2.6 | 12.2.6 | 13.2.5 |
APM | 6.4.0 | 6.4.0 | 6.5.4 | 6.5.4 | 6.7.1 |
Auditbeat | 6.4.0 | 6.4.0 | 6.5.4 | 6.5.4 | 6.7.1 |
Cephbeat | 6.4.0 | 6.4.0 | 6.5.4 | 6.5.4 | - |
Elasticsearch | 6.4.0 | 6.4.0 | 6.5.4 | 6.5.4 | 6.7.1 |
Filebeat | 6.4.0 | 6.4.0 | 6.5.4 | 6.5.4 | 6.7.1 |
Kibana | 6.4.0 | 6.4.0 | 6.5.4 | 6.5.4 | 6.7.1 |
Logstash | 6.4.0 | 6.4.0 | 6.5.4 | 6.5.4 | 6.7.1 |
Metricbeat | 6.4.0 | 6.4.0 | 6.5.4 | 6.5.4 | 6.7.1 |
Packetbeat | 6.4.0 | 6.4.0 | 6.5.4 | 6.5.4 | 6.7.1 |
ModSecurity | 2.9.0 | 2.9.0 | 2.9.0 | 2.9.0 | 2.9.0 |
## Third-party libraries
Third-party libraries that require attention.
Product name | CRAIG 5.1.0 | CRAIG 5.1.1 | CRAIG 5.1.2 | CRAIG 5.2.0 | CRAIG 5.3.0 |
---|---|---|---|---|---|
siddhi-core | 3.1.3 | 3.1.3 | 4.3.17 | 4.3.17 | 4.3.17 |
## Severity Levels
Punchplatform security advisories include a severity level. This level is based on our own assessment of each specific vulnerability as it applies to the Punchplatform product.
- Critical
- High
- Medium
- Low
### Severity Level: Critical
Vulnerabilities that score in the critical range usually have most of the following characteristics:
- Exploitation of the vulnerability likely results in root-level compromise of servers or infrastructure devices.
- Exploitation is usually straightforward, in the sense that the attacker does not need any special authentication credentials.
For critical vulnerabilities, it is advised that you patch or upgrade as soon as possible, unless you have other mitigating measures in place. For example, a mitigating factor could be that your installation is not accessible from the Internet.
### Severity Level: High
Vulnerabilities that score in the high range usually have some of the following characteristics:
- The vulnerability is difficult to exploit.
- Exploitation could result in elevated privileges.
- Exploitation could result in a significant data loss or downtime.
### Severity Level: Medium
Vulnerabilities that score in the medium range usually have some of the following characteristics:
- Vulnerabilities where exploitation provides only very limited access.
- Vulnerabilities that require user privileges for successful exploitation.
### Severity Level: Low
Vulnerabilities in the low range typically have very little impact on a platform's business. Exploitation of such vulnerabilities usually requires local or physical system access.
## Announced Vulnerabilities
Security Advisory | Date | Level | Component | Affects | Vulnerability summary | Mitigation |
---|---|---|---|---|---|---|
CVE-2019-0201 | 2019-02-19 | Low | Zookeeper | 5.1.0, 5.1.1, 5.1.2, 5.2.0 | Information disclosure vulnerability in Apache ZooKeeper. | Use an authentication method other than Digest (e.g. Kerberos) or upgrade ZooKeeper to 3.4.14 or later |
CVE-2019-7609 | 2019-02-19 | Low | Kibana | 5.1.0, 5.1.1, 5.1.2 | Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. | Disable Timelion by setting timelion.enabled to false in the kibana.yml configuration file |
CVE-2019-7610 | 2019-02-19 | Low | Kibana | 5.1.0, 5.1.1, 5.1.2 | If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could send a request that will attempt to execute javascript code. | If you use X-Pack, set the xpack.security.audit.enabled setting to false in the kibana.yml configuration file if it is currently set to true. |
CVE-2019-7612 | 2019-02-19 | Low | Logstash | 5.1.0, 5.1.1, 5.1.2 | If a malformed URL is specified as part of the Logstash configuration, the credentials for the URL could be inadvertently logged as part of the error message. | No particular action. |
CVE-2019-7611 | 2019-02-19 | Low | Elasticsearch | 5.1.0, 5.1.1, 5.1.2 | A permission issue was found in Elasticsearch when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used. If the elasticsearch.yml file has xpack.security.dls_fls.enabled set to false, certain permission checks are skipped when users perform one of the actions mentioned above. | If you use X-Pack, change the xpack.security.dls_fls.enabled setting to true in your elasticsearch.yml file. The default setting for this option is true. |
CVE-2018-17246 | 2018-11-06 | Low | Kibana | 5.1.0, 5.1.1 | Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute javascript code. | Upgrade to Elastic Stack version 6.4.3. The Console plugin can be disabled by setting “console.enabled: false” in the kibana.yml file. |
CVE-2018-17244 | 2018-11-06 | Low | Elasticsearch | 5.1.0, 5.1.1 | Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. | Upgrade to Elasticsearch version 6.4.3, or set the realm's cache.ttl option to 0 to prevent caching of any user data. |
CVE-2018-3830 | 2018-09-18 | Low | Elasticsearch | 5.1.0, 5.1.1 | Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information. | Upgrade to Elasticsearch version 6.4.1 |
CVE-2018-8008 | 2018-03-09 | Low | Storm | 5.1.0 | Apache Storm [...] and version 1.1.2 and earlier expose an arbitrary file write vulnerability that can be triggered by a specially crafted zip archive holding path traversal filenames. When such a filename is concatenated to the target extraction directory, the final path ends up outside the target folder. | Upgrade to 1.1.3 |
CVE-2018-1332 | 2017-12-07 | Low | Storm | 5.1.0 | Apache Storm [...] and version 1.1.2 and earlier expose a vulnerability that could allow a user to impersonate another user when communicating with some Storm Daemons. | Upgrade to 1.1.3 |
CVE-2018-1331 | 2017-12-07 | Low | Storm | 5.1.0 | Apache Storm [...] 1.1.0 through 1.1.2, [...], an attacker with access to a secure storm cluster in some cases could execute arbitrary code as a different user. | Upgrade to 1.1.3 |
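The table above pairs each advisory with the CRAIG versions it affects and, for several of the Elastic issues, with the single kibana.yml or elasticsearch.yml setting that mitigates it. The following Python script is an added example (not Punchplatform tooling) that encodes those rows and checks a platform version together with its configuration files against them: it lists the advisories that apply to a given CRAIG version, reads the relevant settings, and reports whether each configuration mitigation is in place. Assumptions: the configuration parser only handles flat `key: value` lines (which is how the settings named in the table are written); the defaults used when a key is absent are taken from the table where it states them and otherwise assumed from Kibana's shipped defaults (`timelion.enabled` and `console.enabled` default to true); the realm-level `cache.ttl` mitigation for CVE-2018-17244 is nested configuration and is treated as upgrade-only; the sample configuration files are constructed for illustration.

```python
"""Check a CRAIG platform version and its Elastic configuration files against
the advisory table. Added example, not Punchplatform's own tooling."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Advisory:
    cve: str
    component: str
    affects: frozenset                  # CRAIG versions from the "Affects" column
    config_file: Optional[str] = None   # file carrying the mitigating setting
    setting: Optional[str] = None       # dotted setting name
    safe_value: Optional[str] = None    # value that mitigates the advisory
    default_value: Optional[str] = None # value in force when the key is absent


# Rows transcribed from the "Announced Vulnerabilities" table. Default values for
# timelion.enabled and console.enabled are assumed from Kibana's shipped defaults;
# the others are stated (or implied) by the table's mitigation column.
ADVISORIES: List[Advisory] = [
    Advisory("CVE-2019-0201", "Zookeeper", frozenset({"5.1.0", "5.1.1", "5.1.2", "5.2.0"})),
    Advisory("CVE-2019-7609", "Kibana", frozenset({"5.1.0", "5.1.1", "5.1.2"}),
             "kibana.yml", "timelion.enabled", "false", "true"),
    Advisory("CVE-2019-7610", "Kibana", frozenset({"5.1.0", "5.1.1", "5.1.2"}),
             "kibana.yml", "xpack.security.audit.enabled", "false", "false"),
    Advisory("CVE-2019-7612", "Logstash", frozenset({"5.1.0", "5.1.1", "5.1.2"})),
    Advisory("CVE-2019-7611", "Elasticsearch", frozenset({"5.1.0", "5.1.1", "5.1.2"}),
             "elasticsearch.yml", "xpack.security.dls_fls.enabled", "true", "true"),
    Advisory("CVE-2018-17246", "Kibana", frozenset({"5.1.0", "5.1.1"}),
             "kibana.yml", "console.enabled", "false", "true"),
    # cache.ttl lives under a realm block (nested YAML), so it is not modelled here.
    Advisory("CVE-2018-17244", "Elasticsearch", frozenset({"5.1.0", "5.1.1"})),
    Advisory("CVE-2018-3830", "Elasticsearch", frozenset({"5.1.0", "5.1.1"})),
    Advisory("CVE-2018-8008", "Storm", frozenset({"5.1.0"})),
    Advisory("CVE-2018-1332", "Storm", frozenset({"5.1.0"})),
    Advisory("CVE-2018-1331", "Storm", frozenset({"5.1.0"})),
]


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse top-level ``key: value`` lines into a dict of lower-cased values.

    Comments are stripped at the first '#', quotes around values are removed,
    and indented (nested) lines, blank lines and list items are ignored. That is
    enough for the flat dotted settings used by Kibana and Elasticsearch.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line or line[0].isspace() or ":" not in line:
            continue
        key, value = line.split(":", 1)
        value = value.strip().strip("'\"")
        if value:
            settings[key.strip()] = value.lower()
    return settings


def applicable_advisories(craig_version: str) -> List[Advisory]:
    """Return the advisories whose "Affects" column lists this CRAIG version."""
    return [a for a in ADVISORIES if craig_version in a.affects]


def advisory_status(adv: Advisory, configs: Dict[str, str]) -> str:
    """Classify one applicable advisory against the configuration files.

    "upgrade-only": the table gives no configuration mitigation;
    "mitigated":    the setting holds the safe value, explicitly or by default;
    "unmitigated":  the setting holds any other value.
    """
    if adv.setting is None:
        return "upgrade-only"
    settings = parse_flat_yaml(configs.get(adv.config_file, ""))
    value = settings.get(adv.setting, adv.default_value)
    return "mitigated" if value == adv.safe_value else "unmitigated"


def check_platform(craig_version: str, configs: Dict[str, str]) -> Dict[str, str]:
    """Map each applicable advisory id to its mitigation status."""
    return {a.cve: advisory_status(a, configs) for a in applicable_advisories(craig_version)}


# Constructed sample configuration files (file name -> contents), not real deployments.
SAMPLE_CONFIGS: Dict[str, str] = {
    "kibana.yml": (
        "# constructed sample\n"
        "server.port: 5601\n"
        "timelion.enabled: false                 # mitigates CVE-2019-7609\n"
        "xpack.security.audit.enabled: true      # leaves CVE-2019-7610 open\n"
    ),
    "elasticsearch.yml": (
        "# constructed sample\n"
        "cluster.name: craig\n"
        "xpack.security.dls_fls.enabled: false   # leaves CVE-2019-7611 open\n"
    ),
}

if __name__ == "__main__":
    for cve, status in check_platform("5.1.2", SAMPLE_CONFIGS).items():
        print(f"{cve}: {status}")
```

Run against a real deployment, the file contents would be read from the Kibana and Elasticsearch configuration directories instead of `SAMPLE_CONFIGS`; anything reported as `upgrade-only` has no configuration workaround in the table and is closed only by the upgrade named in the Mitigation column.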
## How to upgrade
When updating a component of the platform, the guides below explain how to apply the corrections according to the type of component being updated.
- How to patch a COTS component like Storm, Spark, Kafka or Zookeeper.
- How to patch a Punch Jar component like punchplatform-operator, punchplatform-shiva...
### Upgrade an Elastic component
Because Elasticsearch, Kibana, Logstash and the Elastic Beats must run matching versions, applying a patch to one of them may require the other components to be updated as well.
- How to patch an Elastic component like Elasticsearch, Kibana, Metricbeat, Filebeat, Auditbeat, Logstash.
- How to patch Kibana for security reasons
- How to switch Elasticsearch version with the deployer