Kibana 6.8.9
Security updates
- In 6.7.0 to 6.8.8, the Upgrade Assistant contains a prototype pollution flaw. An authenticated attacker with privileges to write to the Kibana index can insert data that could cause Kibana to execute arbitrary code. This could lead to an attacker executing code with the permissions of the Kibana process on the host system (CVE-2020-7012).
  By default, the Upgrade Assistant flaw is mitigated in all Kibana instances accessed through Elasticsearch Service.
  For all other installations, you must upgrade to 6.8.9. If you are unable to upgrade, disable the Upgrade Assistant in your kibana.yml file:
  - In 6.7.0 and 6.7.1, set
    upgrade_assistant.enabled: false
  - In 6.7.2 and later, set
    xpack.upgrade_assistant_enabled: false
- In 6.8.9 and earlier, TSVB contains a prototype pollution flaw. Authenticated attackers with privileges to create TSVB visualizations can insert data that could cause Kibana to execute arbitrary code. This could lead to an attacker executing code with the permissions of the Kibana process on the host system (CVE-2020-7013).
  By default, the Upgrade Assistant flaw is mitigated in all Kibana instances accessed through Elasticsearch Service.
  For all other installations, you must upgrade to 6.8.9. If you are unable to upgrade, set
  metrics.enabled: false
  in your kibana.yml file to disable TSVB.
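One way to check a kibana.yml for the workarounds above, as an added example (not Elastic's code). The setting names and version ranges are taken from this page; the flat dotted-key parsing, the treatment of 6.8.9 as fixed for both flaws, and the constructed SAMPLE file are assumptions. It also flags a setting written without a space after the colon, which YAML does not read as a key and value.

```python
import re

# Setting names and version ranges are copied from the release notes above.
def required_settings(version):
    """kibana.yml keys that must be false on a release older than 6.8.9."""
    v = tuple(int(p) for p in version.split("."))
    if v >= (6, 8, 9):
        return []                                       # assumption: fixed for both flaws
    keys = ["metrics.enabled"]                          # TSVB, CVE-2020-7013
    if (6, 7, 0) <= v <= (6, 7, 1):
        keys.append("upgrade_assistant.enabled")        # CVE-2020-7012
    elif v >= (6, 7, 2):
        keys.append("xpack.upgrade_assistant_enabled")  # CVE-2020-7012
    return keys

SETTING = re.compile(r"^([\w.]+):\s+(\S+)\s*(?:#.*)?$")  # "key: value"
GLUED = re.compile(r"^([\w.]+):\S")                      # "key:value", not a YAML mapping

def audit(version, yml_text):
    """Return findings; an empty list means every workaround is in effect."""
    values, glued = {}, set()
    for raw in yml_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SETTING.match(line)
        if m:
            values[m.group(1)] = m.group(2).lower()
        elif GLUED.match(line):
            glued.add(GLUED.match(line).group(1))
    findings = []
    for key in required_settings(version):
        if key in glued and key not in values:
            findings.append(f"{key}: no space after ':', so YAML does not apply it")
        elif values.get(key) != "false":
            findings.append(f"{key}: not set to false")
    return findings

# Constructed sample file (assumption): flat dotted keys only, no nested YAML.
SAMPLE = """\
server.port: 5601
elasticsearch.url: http://localhost:9200
metrics.enabled:false
xpack.upgrade_assistant_enabled: false
"""

if __name__ == "__main__":
    for finding in audit("6.8.3", SAMPLE):
        print(finding)
```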
Enhancement
- Security
  - Adds a message to the login screen #64158
    This message is good for displaying information about maintenance windows, links to corporate sign up pages, and so on.