Kibana 7.14.1

For information about the 7.14.1 release, review the following information.

Security updates

Review the security issues that were found in earlier versions of Kibana and are fixed in 7.14.1.

Code execution issue

In Kibana 7.10.2 through 7.14.0, users with Fleet admin privileges could upload malicious packages. Because the upload path relied on an older version of the js-yaml library, an attacker with those privileges could execute commands on the Kibana server. CVE-2021-22150

Upgrade to Kibana 7.14.1.

Path traversal issue

In Kibana 7.13.4 and earlier, Kibana did not validate user-supplied paths when uploading .pbf files, allowing malicious users to traverse the Kibana host's filesystem and load internal files that end in the .pbf extension. CVE-2021-22151

Thanks to Luat Nguyen of CyberJutsu for reporting this issue.

Upgrade to Kibana 7.14.1.

HTML injection issue

In Kibana 7.14.0, Kibana did not sanitize document fields that contain HTML snippets, allowing attackers with the ability to write documents to an Elasticsearch index to inject HTML. When Discover highlighted a search term inside such a field, the field content was rendered as HTML. CVE-2021-37936

As a workaround, set doc_table:highlight to false in Advanced Settings; this disables the affected highlighting. If you do not want to change the Advanced Settings, upgrade to Kibana 7.14.1, which fixes the issue.

Node.js security vulnerabilities

In Kibana 7.14.0 and earlier, Node.js 14.17.3 is affected by the following security vulnerabilities:

We do not believe an attacker can exploit these vulnerabilities against Kibana, but we are upgrading Node.js out of an abundance of caution. To resolve them, Kibana 7.14.1 upgrades Node.js to 14.17.5.

Upgrade to Kibana 7.14.1.
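The following script is an added example, not Elastic's code, that turns the four advisories above into an automated check for a deployment. It assumes that GET /api/status returns the running version under version.number and that GET /api/kibana/settings lists operator-changed Advanced Settings under settings with a userValue key; both payloads below are constructed samples so the script runs offline, and the affected ranges are copied from the advisory text.

```python
"""Check a Kibana deployment against the 7.14.1 security advisories.

Added example, not Elastic's code. Assumed API shapes:
  GET /api/status           -> {"version": {"number": "7.14.0", ...}}
  GET /api/kibana/settings  -> {"settings": {"doc_table:highlight": {"userValue": False}}}
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """'7.14.0-SNAPSHOT' -> (7, 14, 0); rejects anything that is not x.y.z."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not a Kibana version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    first_affected: Optional[Version]      # None means every earlier release
    last_affected: Version
    fixed_in: Version = (7, 14, 1)
    workaround_setting: Optional[str] = None   # Advanced Setting that mitigates
    workaround_value: Optional[bool] = None

    def affects(self, v: Version) -> bool:
        lower_ok = self.first_affected is None or v >= self.first_affected
        return lower_ok and v <= self.last_affected


# Ranges exactly as stated in the advisories above.
ADVISORIES: List[Advisory] = [
    Advisory("CVE-2021-22150", "Fleet package upload code execution (js-yaml)",
             (7, 10, 2), (7, 14, 0)),
    Advisory("CVE-2021-22151", ".pbf upload path traversal",
             None, (7, 13, 4)),
    Advisory("CVE-2021-37936", "Discover highlight HTML injection",
             (7, 14, 0), (7, 14, 0),
             workaround_setting="doc_table:highlight", workaround_value=False),
]


def setting_value(settings_payload: dict, key: str) -> Optional[object]:
    """Operator-set value of an Advanced Setting, or None if it is at its default."""
    entry = settings_payload.get("settings", {}).get(key)
    if not entry:
        return None
    return entry.get("userValue")


def assess(status_payload: dict, settings_payload: dict) -> Dict[str, str]:
    """Map each CVE to 'exposed', 'mitigated', 'fixed' or 'not affected'."""
    v = parse_version(status_payload["version"]["number"])
    result: Dict[str, str] = {}
    for adv in ADVISORIES:
        if not adv.affects(v):
            result[adv.cve] = "fixed" if v >= adv.fixed_in else "not affected"
            continue
        # Only CVE-2021-37936 has a documented workaround; the rest need the upgrade.
        if (adv.workaround_setting
                and setting_value(settings_payload, adv.workaround_setting) == adv.workaround_value):
            result[adv.cve] = "mitigated"
        else:
            result[adv.cve] = "exposed"
    return result


# Constructed sample responses (shape only; not captured from a real cluster).
SAMPLE_STATUS_7_14_0 = {"version": {"number": "7.14.0"}}
SAMPLE_STATUS_7_14_1 = {"version": {"number": "7.14.1"}}
SAMPLE_SETTINGS_DEFAULT = {"settings": {}}
SAMPLE_SETTINGS_HIGHLIGHT_OFF = {"settings": {"doc_table:highlight": {"userValue": False}}}

if __name__ == "__main__":
    for label, settings in (("defaults", SAMPLE_SETTINGS_DEFAULT),
                            ("highlight off", SAMPLE_SETTINGS_HIGHLIGHT_OFF)):
        print("7.14.0,", label + ":", assess(SAMPLE_STATUS_7_14_0, settings))
    print("7.14.1:", assess(SAMPLE_STATUS_7_14_1, SAMPLE_SETTINGS_DEFAULT))
```

Against a live instance, fetch the two payloads with an authenticated HTTP client and pass them to assess(); note that the workaround only ever yields "mitigated" for the HTML injection issue, so anything reported as "exposed" still requires the upgrade.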

Known issues

There are no known issues for 7.14.1. Before you upgrade, review the known issues for 7.14.0.

Breaking changes

Breaking changes can prevent your application from optimal operation and performance. Before you upgrade to 7.14.1, review the 7.14.0 breaking changes.

To review the breaking changes in previous versions, refer to the following:

7.13 | 7.12 | 7.11 | 7.10 | 7.9 | 7.8 | 7.7 | 7.6 | 7.5 | 7.4 | 7.3 | 7.2 | 7.1 | 7.0

Enhancements

Elastic Security
For the Elastic Security 7.14.1 release information, refer to Elastic Security Solution Release Notes.
Kibana Platform
  • Adds a new SavedObjectsRepository error type for 404s that do not originate from Elasticsearch responses #107301

Bug Fixes

  • Fixes a bug that prevented the index threshold rule from properly working with a threshold below a value #105626
  • Fixes numeric variable casting #109744
  • Adds ability to defer embeddable loaded state #107227
  • Fixes accessibility focus trap issue #107292
  • Do not set source field when reading fields from source #109069
  • Fixes limit of 50 documents using classic table #108322
Elastic Security
For the Elastic Security 7.14.1 release information, refer to Elastic Security Solution Release Notes.
  • Fixes integrations count in category facet #107652
Lens & Visualizations
  • Fixes small multiple title in dark mode #109966
Machine Learning
  • Fixes the job audit messages service #108526
  • Fixes bug with highlighting in String field formatter #109401
  • Fixes _meta field failing server validation #109295
  • No data experience to handle default Fleet assets #108887
  • Load index pattern list without loading field lists #108823
  • Fixes policy request flyout requiring policy name to show json #108550
  • Searchsource should send all index patterns defined on the runtime field #108549
  • Fixes bug where search sessions management UI displays wrong warning #107556
  • Fixes a bug where auto fit to bounds was not working when map was embedded in a dashboard #109479
  • Fixes a bug where TableListView empty view trapped users with no action to create new item #109345
  • Fixes a bug where the edit layer settings action was shown to read-only users #109321
  • Fixes fonts api #107768
  • Fixes a bug where using more than two map embeddables with geo-shape layers resulted in empty layers for the third and later maps #107442
  • Fixes a bug where default rules were created when opening the dropdown #107957
  • Fixes metric threshold preview regression #107674
  • Updated onboarding interstitial to handle default Fleet assets #108193
  • Adds support of partial results to the switch expression function #108086