Important: Elastic Stack security update
Type/Severity
NetEye Product Security has rated this update as having a high security impact.
Topic
An update for the elastic stack packages are now available for NetEye 4, with a special focus on Kibana and Logstash.
Security Fix for NetEye 4.47
- elastic-agent-9.3.3_neteye3.91.9-1
- elastic-agent-autosetup-9.3.3_neteye3.91.9-1
- elastic-agent-neteye-config-9.3.3_neteye3.91.9-1
- elastic-stack-configurator-9.3.3_neteye3.91.9-1
- elasticsearch-9.3.3_neteye3.91.9-1
- elasticsearch-autosetup-9.3.3_neteye3.91.9-1
- elasticsearch-neteye-config-9.3.3_neteye3.91.9-1
- elasticsearch-xpack-license-9.3.3_neteye3.91.9-1
- filebeat-9.3.3_neteye3.91.9-1
- filebeat-autosetup-9.3.3_neteye3.91.9-1
- filebeat-neteye-config-9.3.3_neteye3.91.9-1
- kibana-9.3.3_neteye3.91.9-1
- kibana-autosetup-9.3.3_neteye3.91.9-1
- kibana-neteye-config-9.3.3_neteye3.91.9-1
- logstash-9.3.3_neteye3.91.9-1
- logstash-autosetup-9.3.3_neteye3.91.9-1
- logstash-neteye-config-9.3.3_neteye3.91.9-1
- logstash-neteye-config-autosetup-9.3.3_neteye3.91.9-1
Summary
There are several patched vulnerabilities:
- Information disclosure through a Server Side Request Forgery (SSRF) in the Workflow application – Kibana
Affected versions: NetEye 4.47
CVSSv3.1: Medium ( 6.8 ) – CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N - Uncontrolled Resource Consumption leading to DoS through the automatic import plugin (if enabled) – Kibana
Affected versions: from NetEye 4.38 onwards
CVSSv3.1: Medium ( 6.5 ) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H - Cross-space information Disclosure in Fleet through an internal endpoint – Kibana
Affected versions: from NetEye 4.31 onwards
CVSSv3.1: Medium ( 4.3 ) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N - Information Disclosure in Fleet via Privilege Abuse – Kibana
Affected versions: from NetEye 4.31 onwards
CVSSv3.1: High ( 7.7 ) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N - Improper Limitation of a Pathname leading to Arbitrary File Write and potentially Remote Code Execution, under certain conditions – Logstash
Affected versions: from NetEye 4.31 onwards
CVSSv3.1: High ( 8.1 ) – CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H - Read of data beyond RBAC privileges using Fleet plugin debug route handlers – Kibana
Affected versions: from NetEye 4.31 onwards
CVSSv3.1: High ( 7.7 ) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
For details on how to apply this update, which includes the changes described in this advisory, refer to the NetEye Update Section in the User Guide.
For more information about the patched vulnerabilities, please consult the single official references reported below.
References
- https://neteye.guide/current/security-policy/bugfix-policy.html#severity-levels
- https://discuss.elastic.co/t/kibana-9-3-3-security-update-esa-2026-28/385815
- https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-26/385814
- https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-25/385813
- https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-24/385812
- https://discuss.elastic.co/t/logstash-8-19-14-9-2-8-9-3-3-security-update-esa-2026-29/385816
- https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-21/385811
Davide Sbetti
Hi! I'm Davide and I'm a Software Developer with the R&D Team in the "IT System & Service Management Solutions" group here at Würth IT Italy. IT has been a passion for me ever since I was a child, and so the direction of my studies was...never in any doubt! Lately, my interests have focused in particular on data science techniques and the training of machine learning models.
Author
Latest posts by Davide Sbetti
30. 03. 2026
APM, Log Management, Log-SIEM, NetEye
Sending OTel Data to Elasticsearch: Tenant Segregation through OAuth