CVE-2024-37287: 
Kibana vulnerability analysis and mitigation

A critical vulnerability (CVE-2024-37287) was discovered in Kibana, affecting versions prior to 8.14.2 (8.x) and versions from 7.7.0 prior to 7.17.23 (7.x). The vulnerability allows arbitrary code execution through a prototype pollution vulnerability when an attacker has access to ML and Alerting connector features, as well as write access to internal ML indices. The vulnerability was disclosed on August 8, 2024, and received a CVSS score of 9.1 (Critical) (Elastic Discussion, ASEC Report).

The vulnerability stems from prototype tainting flaws in Kibana's ML and Alerting connector. The exploitation requires specific privileges: write access to the .ml-anomalies* hidden indices, read access to the Machine Learning feature, and read access to the Actions & Connectors feature. The vulnerability has been classified under CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes) and CWE-94 (Improper Control of Generation of Code). The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H, indicating network accessibility with high privileges required (NVD, Elastic Discussion).

The vulnerability affects various Kibana deployment scenarios, including self-managed installations, Docker images, Elastic Cloud, Elastic Cloud Enterprise (ECE), and Elastic Cloud on Kubernetes (ECK). While containerized environments limit code execution within containers through seccomp-bpf and AppArmor profiles, self-managed Kibana installations on host Operating Systems are at highest risk. At the time of disclosure, approximately 5,183 exposed devices were observed online (Censys Report, Elastic Discussion).

Elastic has released security updates to address this vulnerability. Users should upgrade to Kibana versions 8.14.2 or 7.17.23. For users unable to upgrade immediately, several mitigations are available: ensuring proper Elasticsearch and Kibana user privileges, disabling Connector Actions, and disabling ML capabilities. Additionally, administrators should verify that users have not been granted Elasticsearch index privileges to write ML result indices (.ml-anomalies*) (Elastic Discussion).