01 June 2017 Releases

Kibana 5.4.1 and 5.3.3 released

By Jim Goodwin

The 5.4.1 and 5.3.3 releases contain important security fixes, and we recommend that you upgrade as soon as possible. Please read the details below.

Kibana instances on Elastic Cloud for previous versions of 5.4 and 5.3 will be upgraded automatically.

Security Fixes

Beginning in Kibana 5.3.0, the discovery app in Kibana is vulnerable to an cross-site scripting attack (XSS) that would allow an attacker to inject JavaScript into other user’s browsers via Elasticsearch documents. This was made possible by the field formatters plugin API and how it handled compiling of template values in the discover doc table. Versions 5.3.3 and 5.4.1 include a fix for this vulnerability by changing the binding and compilation behavior for field formatters. Thanks to Thomas Gøytil for reporting this issue. ESA-2017-08 (#11911)

The time series visual builder that was released in 5.4.0 is vulnerable to a cross-site scripting attack (XSS), where a malicious user could embed HTML into markdown documents that could result in JavaScript being executed in other users' browsers. This could be abused to steal sensitive information or to perform destructive actions on behalf of other users. 5.4.1 fixes this vulnerability by no longer allowing HTML in markdown documents. ESA-2017-07 (#11770)

Download Kibana

Kibana 5.4.1 Release Notes

Kibana 5.3.3 Release Notes

Other fixes in 5.4.1

  • Upgrade makelogs to support single-type Elasticsearch 6.0 limitations #11684
  • [console] Properly check for existence of deprecated console configs #11670
  • [console] If using an https agent, set rejectUnauthorized in the agent #11700
  • Show long index pattern names in selector #11907
  • Add ignore_unmapped to geo filters to prevent exceptions #11461
  • Only use day, month, year provided by datepicker #11773
  • Report shard failures in the field_capabilities response #11450
    • The Kibana field_capabilities API will now include any shard failures in its response so that the user is notified when an error has occurred while creating an index pattern or refreshing a pattern's fields.
  • Fixed a bug that prevented the dashboard from loading if any visualizations on the dashboard could not be found #11324
    • A bug was introduced in 5.2 where if a visualization on a dashboard could not be found, it would throw an error and prevent the entire dashboard from loading. We've fixed this so the rest of your dashboard will continue to load and function properly.
  • Fixed spelling in time series visual builder #11212
  • Fixed missing icons in Visualize listing #11243
    • When we implemented the new Visualization Wizard UI, we switched from using font icons to SVG images to represent each visualization type. However, we forgot to update the Visualize landing page table to use these SVG images.
  • Fixed missing border of PaginatedTable rows in Firefox #11452
    • When we added the ability to select filters from within a table, we applied relative positioning to the table rows. This isn't supported in Firefox, and had some odd visual results.
  • Return Boom errors directly to the browser for Time Series Visual Builder #11656
  • Fixed heatmap black squares #11489
  • Fixed duplicate chart title #11594
  • Should not throw error when fitting on empty data #11620
  • Fix zoom settings #11707
  • geo_centroid should not be available as a metric #11630
  • Disable scroll zooming on the map. #11825