CVE-2024-37288

9.9 CRITICAL

📋 TL;DR

A deserialization vulnerability in Kibana allows arbitrary code execution when parsing malicious YAML documents. This only affects users who have enabled Elastic Security's built-in AI tools and configured an Amazon Bedrock connector. Attackers could execute code with Kibana's privileges.

💻 Affected Systems

Products:
  • Kibana
Versions: Kibana releases before 8.15.1 that use Elastic Security AI tools with an Amazon Bedrock connector configured
Operating Systems: All supported platforms
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when Elastic Security AI tools are enabled AND Amazon Bedrock connector is configured

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining Kibana's privileges, potentially leading to data exfiltration, lateral movement, or ransomware deployment.

🟠

Likely Case

Unauthorized code execution within Kibana's context, allowing access to Elasticsearch data and potential privilege escalation.

🟢

If Mitigated

Limited impact due to network segmentation and proper access controls restricting Kibana's permissions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access to the Kibana interface and the specific configuration described above (Elastic Security AI tools enabled with a Bedrock connector).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kibana 8.15.1

Vendor Advisory: https://discuss.elastic.co/t/kibana-8-15-1-security-update-esa-2024-27-esa-2024-28/366119

Restart Required: Yes

Instructions:

1. Download Kibana 8.15.1 from the Elastic website.
2. Stop the Kibana service.
3. Back up configuration and data.
4. Install the updated version.
5. Restart the Kibana service.

🔧 Temporary Workarounds

Disable Bedrock Connector

Applies to: all affected versions

Remove or disable Amazon Bedrock connector configuration

Navigate to Kibana Security settings and disable Bedrock connector

Disable Elastic Security AI Tools

Applies to: all affected versions

Turn off AI features in Elastic Security

Disable AI tools in Elastic Security configuration

🧯 If You Can't Patch

  • Network segmentation to isolate Kibana instances
  • Implement strict access controls and monitoring for Kibana

🔍 How to Verify

Check if Vulnerable:

Check if Kibana version is below 8.15.1 AND has Elastic Security AI tools enabled with Bedrock connector configured

Check Version:

curl -X GET "localhost:5601/api/status" | grep "number"

Verify Fix Applied:

Verify Kibana version is 8.15.1 or higher using version check command
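The two conditions above (version below 8.15.1, and a Bedrock connector present alongside the AI tools) can be checked programmatically from Kibana's JSON APIs. The script below is an added example, not part of the original advisory or of Elastic's tooling. It assumes the `/api/status` response carries `version.number` (which the curl command above relies on), that connectors can be listed from `GET /api/actions/connectors`, and that the Amazon Bedrock connector reports `connector_type_id` of `.bedrock`; whether the Elastic Security AI tools are enabled is taken as an operator-supplied flag, since the page gives no API for it. The JSON responses embedded here are constructed samples.

```python
"""Assess CVE-2024-37288 exposure from Kibana API responses (added example)."""
import json

# Kibana release that ships the fix, per the vendor advisory.
FIXED_VERSION = (8, 15, 1)

# Assumption: the Amazon Bedrock connector is identified by this type id.
BEDROCK_TYPE_ID = ".bedrock"

# Constructed sample of `GET /api/status` (trimmed to the fields used here).
SAMPLE_STATUS = json.dumps({
    "name": "kibana-1",
    "version": {"number": "8.15.0", "build_hash": "PLACEHOLDER_BUILD_HASH"},
})

# Constructed sample of `GET /api/actions/connectors`.
SAMPLE_CONNECTORS = json.dumps([
    {"id": "c1", "name": "bedrock-claude", "connector_type_id": ".bedrock"},
    {"id": "c2", "name": "ops-mail", "connector_type_id": ".email"},
])


def parse_version(text):
    """Turn '8.15.0' or '8.15.0-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    core = text.split("-", 1)[0]          # drop any pre-release suffix
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:                 # tolerate '8.15' style strings
        parts.append(0)
    return tuple(parts[:3])


def version_below_fix(status_json):
    """True when the running Kibana predates the patched release."""
    number = json.loads(status_json)["version"]["number"]
    return parse_version(number) < FIXED_VERSION


def bedrock_connectors(connectors_json):
    """Names of configured connectors whose type id matches the Bedrock connector."""
    return [
        c["name"]
        for c in json.loads(connectors_json)
        if c.get("connector_type_id") == BEDROCK_TYPE_ID
    ]


def assess(status_json, connectors_json, ai_tools_enabled):
    """Combine the three conditions; 'exposed' is True only when all hold."""
    below = version_below_fix(status_json)
    bedrock = bedrock_connectors(connectors_json)
    return {
        "version_below_fix": below,
        "bedrock_connectors": bedrock,
        "ai_tools_enabled": ai_tools_enabled,
        "exposed": below and ai_tools_enabled and bool(bedrock),
    }


if __name__ == "__main__":
    # In practice feed the output of:
    #   curl -s localhost:5601/api/status
    #   curl -s localhost:5601/api/actions/connectors
    print(json.dumps(assess(SAMPLE_STATUS, SAMPLE_CONNECTORS, ai_tools_enabled=True), indent=2))
```

Version comparison is done on numeric tuples rather than string comparison so that, for instance, 8.9.0 sorts below 8.15.1 correctly; a host on 8.15.1 or later, or one with no Bedrock connector, is reported as not exposed even if the other conditions hold.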

📡 Detection & Monitoring

Log Indicators:

  • Unusual YAML parsing errors in Kibana logs
  • Suspicious process execution from Kibana

Network Indicators:

  • Unexpected outbound connections from Kibana host

SIEM Query:

source="kibana.log" AND ("YAML" OR "deserialization") AND error
