Today, we released Kibana 6.1.1 with a fix for a high severity security vulnerability in the Time Series Visual Builder. All administrators of Kibana 6.1.0 are urged to upgrade Kibana immediately. Versions prior to 6.1.0 are not affected.
If you had any Kibana 6.1.0 instances on Elastic Cloud, we’ve automatically upgraded them, so no further action is required.
For folks that cannot upgrade from 6.1.0 at this time, you can disable the Time Series Visual Builder entirely by specifying metrics.enabled: false in kibana.yml and restarting Kibana. Note that this will require a full “optimize” run, which can take a few minutes.
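The following is an added audit helper, not code from Elastic or from the Kibana project, for administrators checking a fleet against the advice above. It assumes you already have the instance's version string (for example from the Kibana status API or the package.json in the install directory) and a path to its kibana.yml written in the flat `key: value` form Kibana ships with; nested YAML is not handled. It reports "upgrade" for a 6.1.0 instance with math aggregations still reachable, "workaround" for a 6.1.0 instance that has metrics.enabled: false set, and "unaffected" for any other version, and treats a commented-out or missing setting as not applied.

```shell
#!/bin/sh
# Added audit helper (not part of the Elastic announcement). Assumptions:
# the version string is supplied by the caller, and kibana.yml is a flat
# "key: value" file; a commented-out line does not count as applied.

# kibana_needs_action VERSION KIBANA_YML
#   prints "upgrade"    - 6.1.0 with Time Series Visual Builder still enabled
#          "workaround" - 6.1.0 but metrics.enabled: false is set
#          "unaffected" - any other version (pre-6.1.0 or 6.1.1 and later)
kibana_needs_action() {
    version="$1"
    yml="$2"
    case "$version" in
        6.1.0)
            # Only an uncommented, exact "metrics.enabled: false" line counts.
            if [ -f "$yml" ] && grep -Eq '^[[:space:]]*metrics\.enabled:[[:space:]]*false[[:space:]]*$' "$yml"; then
                echo workaround
            else
                echo upgrade
            fi
            ;;
        *)
            echo unaffected
            ;;
    esac
}

# Constructed sample configs so the script runs stand-alone and offline.
demo() {
    tmp=$(mktemp -d)
    printf 'server.port: 5601\n' > "$tmp/default.yml"
    printf 'server.port: 5601\nmetrics.enabled: false\n' > "$tmp/workaround.yml"
    printf '# metrics.enabled: false\n' > "$tmp/commented.yml"
    echo "6.1.0, default config:        $(kibana_needs_action 6.1.0 "$tmp/default.yml")"
    echo "6.1.0, TSVB disabled:         $(kibana_needs_action 6.1.0 "$tmp/workaround.yml")"
    echo "6.1.0, setting commented out: $(kibana_needs_action 6.1.0 "$tmp/commented.yml")"
    echo "6.0.1, default config:        $(kibana_needs_action 6.0.1 "$tmp/default.yml")"
    echo "6.1.1, default config:        $(kibana_needs_action 6.1.1 "$tmp/default.yml")"
    rm -rf "$tmp"
}

demo
```

The version check is deliberately an exact match on 6.1.0, since the post states that earlier versions are not affected and 6.1.1 carries the fix; the kibana.yml match is deliberately strict so that a commented-out or misspelled line is reported as still needing the upgrade.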
Math aggregations and remote code execution
In Kibana 6.1.0, we released a new feature for “math aggregations” in the Time Series Visual Builder which allowed users to apply mathematical operations to their TSVB results. Unfortunately, this new feature has a vulnerability that could allow an attacker to execute arbitrary code on the Kibana server.
We’ve removed the math aggregation feature in 6.1.1. Removing a feature is never something we take lightly, especially in a patch release, but the issue is severe and there isn’t a reliable way to permanently fix it. We do want to have this sort of math capability in Kibana at some point, but we need to take a more holistic view on its security before releasing it again.
There are a couple of other bug fixes in this release as well, so check out the release notes for all the details.