Elastic has recently identified that the Kibana reporting feature used to generate PDF reports unintentionally transmitted user authentication credentials (the Kibana username and password, in a reversible encoding rather than a one-way hash) in the HTTP headers of requests made to external resources whose data may be incorporated into the report.
Background. Kibana encrypts user credentials at rest and uses them to authenticate to the Elasticsearch server when generating a report; they are not intended to be sent to any other party. In this case, however, the HTTP headers that the PDF reporting feature used to request data from external resources also carried those credentials. External resources or services that a report may fetch data from include web proxies, Kibana URL field formatters, Timelion visualizations, Markdown, Vega visualizations and mapping services.
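The following is an added illustration of the class of bug described above, not Kibana's own code: a report renderer that reuses the requesting user's headers for every outbound fetch will hand the credential to whichever third-party host the report pulls data from, and scoping credential-bearing headers to the Elasticsearch origin stops that. The Elasticsearch URL, the tile-server URL, the header names and the Basic-auth placeholder are all assumptions made for this example (the advisory only says the credential was reversible; HTTP Basic is used here because base64 makes that property obvious).

```javascript
// Added example, not Kibana source. Hosts, header set and credential are assumed.
const ES_ORIGIN = "https://es.internal.example:9200"; // assumed Elasticsearch URL

// Headers copied from the user's report request. The Authorization value is a
// constructed placeholder ("user:password" base64-encoded), not a real secret.
const incomingHeaders = {
  authorization: "Basic dXNlcjpwYXNzd29yZA==",
  cookie: "sid=abc123",
  "accept-language": "en-US",
};

// Why "reversible" matters: a Basic header is an encoding, not a hash, so any
// recipient recovers the plaintext username and password with one call.
function decodeBasicAuth(headerValue) {
  const [scheme, b64] = headerValue.split(" ");
  if (scheme !== "Basic" || !b64) return null;
  return Buffer.from(b64, "base64").toString("utf8"); // "user:password"
}

// Vulnerable pattern: every outbound request made while rendering the report
// reuses the caller's headers wholesale, whatever the destination host.
function buildOutboundHeadersVulnerable(targetUrl, headers) {
  return { ...headers };
}

// Hardened pattern: credential-bearing headers are forwarded only to the
// Elasticsearch origin the report actually authenticates against; any other
// destination (proxy, tile server, Vega data URL, ...) gets a scrubbed set.
const CREDENTIAL_HEADERS = new Set(["authorization", "cookie", "proxy-authorization"]);

function sameOriginAsEs(targetUrl) {
  return new URL(targetUrl).origin === new URL(ES_ORIGIN).origin;
}

function buildOutboundHeadersHardened(targetUrl, headers) {
  const forwardSecrets = sameOriginAsEs(targetUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!forwardSecrets && CREDENTIAL_HEADERS.has(lower)) continue; // drop secrets
    out[lower] = value;
  }
  return out;
}

// Audit helper: would this header set leak a credential to the destination?
function leaksCredentials(targetUrl, headers) {
  return (
    !sameOriginAsEs(targetUrl) &&
    Object.keys(headers).some((h) => CREDENTIAL_HEADERS.has(h.toLowerCase()))
  );
}

const externalTile = "https://tiles.example.net/v1/3/2/1.png"; // assumed map tile URL
```

The origin comparison is deliberately strict (scheme, host and port): a proxy or tile server on a different port of the same host is still a different party and must not receive the header.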
To address this issue we have released ESA-2018-17 (CVE-2018-17245); Elastic Stack versions 5.6.13 and 6.4.3 contain the fix.
Affected Users. This issue affects Kibana users on versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 of the Elastic Stack for both self-managed and hosted deployments. It affects users who have used Kibana’s PDF reporting feature to include data from external resources. It is not triggered by requests to generate CSV reports.
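An added helper for inventorying a fleet against the version ranges above (not Elastic's code): it parses a dotted version string and reports whether it falls inside 4.0 to 4.6, 5.0 to 5.6.12 or 6.0 to 6.4.2. A matching version is necessary but not sufficient; whether PDF reporting was used with external resources is a separate question the script cannot answer.

```javascript
// Added helper, not from Elastic. Ranges transcribed from the advisory text.
const AFFECTED_RANGES = [
  { from: [4, 0, 0], to: [4, 6, Infinity] }, // 4.0 to 4.6, every patch level
  { from: [5, 0, 0], to: [5, 6, 12] },        // 5.0 to 5.6.12; fixed in 5.6.13
  { from: [6, 0, 0], to: [6, 4, 2] },         // 6.0 to 6.4.2;  fixed in 6.4.3
];

// Parse "major.minor[.patch]" into integers; a missing patch counts as 0 and
// any trailing pre-release or build suffix is ignored.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(version).trim());
  if (!m) throw new Error(`unrecognised version string: ${version}`);
  return [Number(m[1]), Number(m[2]), m[3] === undefined ? 0 : Number(m[3])];
}

// Lexicographic comparison of [major, minor, patch]; Infinity acts as an open upper bound.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffectedVersion(version) {
  const v = parseVersion(version);
  return AFFECTED_RANGES.some(
    (r) => compareVersions(v, r.from) >= 0 && compareVersions(v, r.to) <= 0
  );
}

// Partition an inventory into hosts that need attention and hosts that do not.
function triage(inventory) {
  const affected = [];
  const clear = [];
  for (const { host, version } of inventory) {
    (isAffectedVersion(version) ? affected : clear).push(host);
  }
  return { affected, clear };
}

// Constructed sample inventory for a dry run.
const sampleInventory = [
  { host: "kibana-a", version: "6.4.2" },
  { host: "kibana-b", version: "6.4.3" },
  { host: "kibana-c", version: "5.6.12" },
  { host: "kibana-d", version: "5.6.13" },
  { host: "kibana-e", version: "4.6.6" },
  { host: "kibana-f", version: "7.0.0-alpha1" },
];
```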
Recommend Changing User Credentials. While requests to some of the external resources may have been made over HTTPS, there can be no assurance that all requests were encrypted and, in any event, transport encryption does not help here: the credential was exposed to the external resource provider as soon as it received the request. We are not aware of any unauthorized use or access associated with any of the affected user credentials. Nevertheless, consistent with security best practices and as a precautionary measure, we recommend that all affected users change the affected credentials.
If you are an affected Kibana user (i.e., (i) you have used Kibana's PDF reporting feature to include data from external resources and (ii) you are on one of the affected versions described above), then you should consider changing your credentials as described in our blog post.