CVE-2023-31422
📋 TL;DR
Kibana 8.10.0 logs sensitive information like authentication credentials, cookies, and authorization headers in error logs when configured with JSON layout or %meta pattern. This vulnerability allows attackers with access to log files to steal credentials and potentially compromise Kibana instances. Only Kibana 8.10.0 is affected.
💻 Affected Systems
- Elastic Kibana
📦 What is this software?
Kibana by Elastic
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain access to Kibana logs and extract credentials for kibana_system, kibana-metricbeat, or end-user accounts, leading to full Kibana compromise and potential lateral movement to Elasticsearch clusters.
Likely Case
Unauthorized users with log access obtain authentication credentials and gain unauthorized access to Kibana dashboards and data.
If Mitigated
With proper log access controls and monitoring, impact is limited to potential credential exposure requiring rotation.
🎯 Exploit Status
Exploitation requires access to Kibana log files, which typically requires some level of system access or misconfiguration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kibana 8.10.1
Vendor Advisory: https://discuss.elastic.co/t/kibana-8-10-1-security-update/343287
Restart Required: Yes
Instructions:
1. Back up Kibana configuration and data.
2. Download Kibana 8.10.1 from the Elastic website.
3. Stop the Kibana service.
4. Replace Kibana 8.10.0 with 8.10.1.
5. Start the Kibana service.
6. Verify that logs no longer contain sensitive data.
🔧 Temporary Workarounds
Disable JSON logging layout
Change the Kibana logging configuration to use a different layout that doesn't include sensitive metadata.
Modify kibana.yml: logging.json.enabled: false
Restart Kibana: systemctl restart kibana
Remove %meta from pattern layout
If using the pattern layout, remove %meta from the logging pattern configuration.
Modify kibana.yml: logging.pattern: "[%date][%level][%logger] %message"
Restart Kibana: systemctl restart kibana
🧯 If You Can't Patch
- Restrict access to Kibana log files using file permissions and access controls
- Implement log monitoring to detect access attempts and credential exposure
🔍 How to Verify
Check if Vulnerable:
Check Kibana version: grep version /usr/share/kibana/package.json or via Kibana UI. If version is 8.10.0, check logging configuration for JSON layout or %meta pattern.
Check Version:
kibana --version or curl -X GET "localhost:5601/api/status"
Verify Fix Applied:
After patching to 8.10.1, verify version and test error conditions to confirm sensitive data is no longer logged.
📡 Detection & Monitoring
Log Indicators:
- Kibana logs containing authentication credentials, cookies, or authorization headers
- Error logs with request metadata including sensitive fields
Network Indicators:
- Unauthorized access to Kibana log files or APIs
SIEM Query:
source="kibana.log" AND ("password" OR "authorization" OR "cookie" OR "credentials")
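A defender-side check for the log indicators listed above, added here as an example and not Elastic's code or part of the advisory: it parses JSON-layout log records line by line and reports the key paths of sensitive fields (authorization, cookie, password, credentials, API key) without echoing their values, so the report itself does not leak. The sample lines are constructed to resemble Kibana's JSON layout and are not real Kibana output.

```python
import json

# Key-name fragments that should never appear in a log record; matched case-insensitively
# so "Authorization", "set-cookie" and "apiKey" are all caught.
SENSITIVE_KEY_PARTS = ("authorization", "cookie", "password", "credential", "api_key", "apikey")

# Constructed sample log (one JSON object per line, shaped like Kibana's JSON layout).
# Line 2 shows request metadata leaking into an ERROR record, the pattern this advisory describes.
SAMPLE_LOG = """\
{"@timestamp":"2023-09-20T10:00:00.000Z","log":{"level":"INFO","logger":"http.server.Kibana"},"message":"http server running at http://localhost:5601"}
{"@timestamp":"2023-09-20T10:00:05.000Z","log":{"level":"ERROR","logger":"plugins.security"},"message":"request failed","http":{"request":{"headers":{"authorization":"Basic REDACTED-FOR-EXAMPLE","cookie":"sid=REDACTED-FOR-EXAMPLE"}}}}
{"@timestamp":"2023-09-20T10:00:09.000Z","log":{"level":"ERROR","logger":"elasticsearch.query"},"message":"timeout","error":{"meta":{"connection":{"auth":{"password":"REDACTED-FOR-EXAMPLE"}}}}}
[2023-09-20T10:00:10.000Z][INFO ][status] pattern-layout line, not JSON
"""


def sensitive_paths(record, path=""):
    """Yield dotted key paths inside a parsed record whose key name looks sensitive."""
    if isinstance(record, dict):
        for key, value in record.items():
            child = f"{path}.{key}" if path else key
            if any(part in key.lower() for part in SENSITIVE_KEY_PARTS):
                yield child  # report the path only; the value is deliberately not touched
            else:
                yield from sensitive_paths(value, child)
    elif isinstance(record, list):
        for i, item in enumerate(record):
            yield from sensitive_paths(item, f"{path}[{i}]")


def scan_log(text):
    """Return (line_no, level, sorted key paths) for every JSON record carrying sensitive keys.

    Lines that are not JSON (pattern layout, truncated output) cannot be inspected
    structurally and are skipped rather than reported as clean.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        paths = sorted(sensitive_paths(record))
        if paths:
            level = record.get("log", {}).get("level", "?")
            findings.append((line_no, level, paths))
    return findings


if __name__ == "__main__":
    for line_no, level, paths in scan_log(SAMPLE_LOG):
        print(f"line {line_no} [{level}]: sensitive keys at {', '.join(paths)}")
```

Any hit on a Kibana 8.10.0 instance means the affected credentials should be rotated after patching, not just the log rotated.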