Kibana 6.8.9

edit

Security updates

edit
  • In 6.7.0 to 6.8.8, the Upgrade Assistant contains a prototype pollution flaw. An authenticated attacker with privileges to write to the Kibana index can insert data that could cause Kibana to execute arbitrary code. This could lead to an attacker executing code with the permissions of the Kibana process on the host system, CVE-2020-7012.

    By default, the Upgrade Assistant flaw is mitigated in all Kibana instances accessed through Elasticsearch Service.

    For all other installations, you must upgrade to 6.8.9. If you are unable to upgrade, disable the Upgrade Assistant in your kibana.yml file:

    • In 6.7.0 and 6.7.1, set upgrade_assistant.enabled:false
    • In 6.7.2 and later, set xpack.upgrade_assistant_enabled:false
  • In 6.8.9 and earlier, TSVB contains a prototype pollution flaw. Authenticated attackers with privileges to create TSVB visualizations can insert data that could cause Kibana to execute arbitrary code. This could lead to an attacker executing code with the permissions of the Kibana process on the host system, CVE-2020-7013.

    By default, the Upgrade Assistant flaw is mitigated in all Kibana instances accessed through Elasticsearch Service.

    For all other installations, you must upgrade to 6.8.9. If you are unable to upgrade, set metrics.enabled:false in your kibana.yml file to disable TSVB.

Enhancement

edit
Security
  • Adds a message to the login screen #64158

    This message is good for displaying information about maintenance windows, links to corporate sign up pages, and so on.