27 June 2017 Releases

Kibana 5.4.3 released

By Jim Goodwin

The 5.4.3 release contains an important security fix in X-Pack Security. Please read the details below.

Download Kibana

Kibana 5.4.3 Release Notes

Security Fixes in X-Pack 5.4.3

ESA-2017-11

Summary

In Kibana X-Pack security versions prior to 5.4.3, if a Kibana user opens a crafted Kibana URL, the result could be a redirect to an improperly initialized Kibana login screen. If the user enters credentials on this screen, the credentials will appear in the URL bar. The credentials could then be viewed by untrusted parties or logged in the Kibana access logs.


Solution

We believe the severity of this issue is low since the issue can be triggered only by a crafted URL, and it will be very difficult for an external attacker to acquire credentials even with the vulnerability. Kibana users concerned with this issue should upgrade to version 5.4.3 or later.
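
A check an operator might run over existing access logs after upgrading, as an added example that is not Elastic's code: it flags request URLs whose query string carries credential parameters and produces a redacted copy of the lines. The parameter names `username` and `password` and the sample log lines are assumptions; the advisory does not specify them.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Assumed parameter names; the advisory does not list them.
SENSITIVE_PARAMS = {"username", "password"}

# A request target with a query string, e.g. /login?a=b (ends at whitespace or a quote).
URL_RE = re.compile(r'(/[^\s"?]*\?[^\s"]+)')

def redact_url(url):
    """Return (redacted_url, leaked_param_names) for one request target."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = sorted({k for k, _ in pairs if k.lower() in SENSITIVE_PARAMS})
    if not leaked:
        return url, []  # leave harmless URLs byte-for-byte unchanged
    safe = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    return parts._replace(query=urlencode(safe)).geturl(), leaked

def scan(lines):
    """Return ([(line_number, leaked_params)], redacted_lines) for a log."""
    findings, cleaned = [], []
    for lineno, line in enumerate(lines, 1):
        def _sub(match):
            redacted, leaked = redact_url(match.group(1))
            if leaked:
                findings.append((lineno, leaked))
            return redacted
        cleaned.append(URL_RE.sub(_sub, line))
    return findings, cleaned

# Constructed sample lines (not real Kibana output).
SAMPLE = [
    '{"type":"response","req":{"url":"/app/kibana","method":"get"},"statusCode":200}',
    '{"type":"response","req":{"url":"/login?username=alice&password=s3cr3t%21'
    '&next=%2Fapp%2Fkibana","method":"get"},"statusCode":200}',
    '10.0.0.5 - - "GET /login?next=%2Fapp%2Fkibana HTTP/1.1" 200',
]

if __name__ == "__main__":
    findings, cleaned = scan(SAMPLE)
    for lineno, leaked in findings:
        print(f"line {lineno}: credential parameters in URL: {', '.join(leaked)}")
    print("\n".join(cleaned))
```

Any account that shows up in a finding should have its password rotated, since the original log files and any browser history or proxy logs may still hold the value.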


Other Fixes and Enhancements in 5.4.3

Enhancements

  • [licenses] Bump ua-parser-js override #12474

Bug fixes

  • [Fix for #10328] vislib container too small error message #11951
  • [Fix for https://github.com/elastic/kibana/issues/8341] Ensure no scroll-bar pops up inside timelion viz #12298
  • [Fix for #11954] removing old point series defaults #11958