Kibana markdown parser Cross Site Scripting (XSS) error (ESA-2017-16). Kibana versions prior to 5.5.2 had a cross-site scripting (XSS) vulnerability in the markdown parser that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
Affected Versions: All prior to 5.5.2 and 4.6.6
Solutions and Mitigations:
Users should upgrade to Kibana version 5.5.2 or 4.6.6
Reporting impersonation error (ESA-2017-17). The Reporting feature in X-Pack in versions prior to 5.5.2 and standalone Reporting plugin versions versions prior to 2.4.6 had an impersonation vulnerability. A user with the reporting_user role could execute a report with the permissions of another reporting user, possibly gaining access to sensitive data.
Affected Versions: All prior to 5.5.2 and 2.4.6
Solutions and Mitigations:
Reporting users should upgrade to X-Pack version 5.5.2 or Reporting Plugin version 2.4.6. A mitigation for this issue is to remove the reporting_user role from any untrusted users of your Elastic Stack.
CVE ID: CVE-2017-8446
- [Fix for #13365] Truncate long field names in filter editor #13379
- [Fix for #12728] Ensure conflicted fields can be searchable and/or aggregatable #13070
- [Fix for #13255] Ensure we are working with data-series to avoid tooltip errors #13266
- [Fix for #12724] by default metric should not define color #12993
[Fix for #12391] in percentage mode tooltip should also show percentages #13217
- Tooltips now correctly display the percentage-value in area charts where the Y-Axis is formatted in percentage mode.
- Use the customMetric’s formatter for pipeline aggregations #11933
[Fix for #12220] Should only fit on shapes that are part of the result #12881
- When clicking the fit-data button in a Region Map, the map now zooms correctly to the relevant data instead of showing the entire layer.
[Fix for #12172] Save layer setting in the region map UI #12956
- The layer selection is now preserved in the UI dropdown when saving a Region Map.
[Fix for #12189] Region map should respect saved center and zoom #12883
- The location of the map is now stored correctly when saving a Region Map.
[Fix for #12963] Exclude stacktrace from error response of Timelion backend #12973
- the Timelion backend no longer includes the stacktrace as part of the server response. This stacktrace is now logged to the server console.
Visualization regression in Internet Explorer 11 causes fatal errors. A bug was introduced in Kibana version 5.5.2, when a user is using Internet Explorer 11 a full-page fatal error occurs when mousing over buckets in a bar or line chart. A workaround for this issue is to use any of the other supported browsers until a fix is released.