Kibana 7.14.1edit
For information about the 7.14.1 release, review the following information.
Security updatesedit
Review the security updates that were found in previous versions of Kibana.
Code execution issue
Details
In Kibana 7.10.2 to 7.14.0, users with Fleet admin privileges could insecurely upload malicious packages. Due to an older version of the js-yaml library, attackers were able to execute commands on the Kibana server. CVE-2021-22150
Solution
Upgrade to Kibana 7.14.1.
Path traversal issue
Details
In Kibana 7.13.4 and earlier, Kibana was not validating the user supplied paths that upload .pbf files, allowing malicious users to arbitrarily traverse the Kibana host to load internal files that end in the .pbf extension. CVE-2021-22151
Thanks to Luat Nguyen of CyberJutsu for reporting this issue.
Solution
Upgrade to Kibana 7.14.1.
HTML injection issue
Details
In Kibana 7.14.0, Kibana was not sanitizing document fields that contain HTML snippets, allowing attackers with the ability to write documents to an Elasticsearch index to inject HTML. When Discover highlighted a search term that contained the HTML, the term was rendered. CVE-2021-37936
Solution
In Advanced Settings, set doc_table:highlight to false. If you do not want to change the Advanced Settings, upgrade to Kibana 7.14.1.
Node.js security vulnerabilities
Details
In Kibana 7.14.0 and earlier, Node.js 14.17.3 is affected by the following security vulnerabilities:
We do not believe an attacker can exploit the security vulnerabilities against Kibana, but are upgrading Node.js out of an abudance of caution. To resolve the security vulnerabilities, Kibana 7.14.1 upgrades Node.js to 14.17.5.
Solution
Upgrade to Kibana 7.14.1.
Known issuesedit
There are no known issues for 7.14.1. Before you upgrade, review the Known issue for 7.14.0.
Breaking changesedit
Breaking changes can prevent your application from optimal operation and performance. Before you upgrade to 7.14.1, review the 7.14.0 breaking changes.
To review the breaking changes in previous versions, refer to the following:
7.13 | 7.12 | 7.11 | 7.10 | 7.9 | 7.8 | 7.7 | 7.6 | 7.5 | 7.4 | 7.3 | 7.2 | 7.1 | 7.0
Enhancementsedit
- Elastic Security
- For the Elastic Security 7.14.1 release information, refer to Elastic Security Solution Release Notes.
- Platform
-
- Adds new SavedObjectsRespository error type for 404 that do not originate from Elasticsearch responses #107301
Bug Fixesedit
- Alerting
-
- Fixed bug that prevented the index threshold rule from properly working with a threshold below a value #105626
- Canvas
-
- Fixes numeric variable casting #109744
- Dashboard
-
- Adds ability to defer embeddable loaded state #107227
- Design
-
- Fixes accessibility focus trap issue #107292
- Discover
- Elastic Security
- For the Elastic Security 7.14.1 release information, refer to Elastic Security Solution Release Notes.
- Fleet
-
- Fixes integrations count in category facet #107652
- Lens & Visualizations
-
- Fixes small multiple title in dark mode #109966
- Machine Learning
-
- Fixes the job audit messages service #108526
- Management
-
- Fixes bug with highlighting in String field formatter #109401
- Fixed _meta field failing server validation #109295
- No data experience to handle default Fleet assets #108887
- Load index pattern list without loading field lists #108823
- Fixes policy request flyout requiring policy name to show json #108550
- Searchsource should send all index patterns defined on the runtime field #108549
- Fixes bug where search sessions management UI displays wrong warning #107556
- Maps
-
- Fixes a bug where auto fit to bounds was not working when map was embedded in a dashboard #109479
- Fixes a bug where TableListView empty view trapped users with no action to create new item #109345
- Fixes a bug where the edit layer settings action showed when for read-only users #109321
- Fixes fonts api #107768
- Fixes a bug where more than two maps embeddables with geo-shape layers resulted in empty layers for 3+ #107442
- Metrics
- Platform