The server.customResponseHeaders option prevents Kibana from starting if headers are set using a type other than string. To fix this, convert your boolean and number headers to strings. For example, use my-header: "true" instead of my-header: true. #66146
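A pre-start check for the header-type problem described above, as an added example that is not part of the Kibana release notes or Elastic's code: it scans kibana.yml text for customResponseHeaders entries whose values are unquoted booleans or numbers. The function name, the sample config and the line-based parsing (block-style mappings only, no flow-style {...}) are assumptions of this example.

```python
import re

# Assumption: unquoted true/false (any common casing) and decimal ints/floats
# are the scalars that YAML loads as boolean or number instead of string.
_BOOL = re.compile(r"^(true|false)$", re.IGNORECASE)
_NUM = re.compile(r"^[-+]?(\d+(\.\d*)?|\.\d+)([eE][-+]?\d+)?$")
_BLOCK = re.compile(r"^(\s*)(server\.)?customResponseHeaders:\s*(#.*)?$")
_ENTRY = re.compile(r"^(\s*)([^\s:#][^:]*):\s*(.*?)\s*$")

# Constructed sample config, not taken from a real deployment.
SAMPLE = """\
server.port: 5601
server.customResponseHeaders:
  my-header: true
  x-retry-after: 30
  x-frame-options: "DENY"
  x-env: production  # plain string
elasticsearch.requestTimeout: 30000
"""

def non_string_headers(yaml_text):
    """Return [(header, raw_value, kind)] for boolean/number header values."""
    findings, block_indent = [], None
    for line in yaml_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments never end the block
        start = _BLOCK.match(line)
        if start:
            block_indent = len(start.group(1))
            continue
        if block_indent is None:
            continue
        entry = _ENTRY.match(line)
        if not entry or len(entry.group(1)) <= block_indent:
            block_indent = None  # dedent: left the customResponseHeaders block
            continue
        name, value = entry.group(2).strip(), entry.group(3)
        value = re.sub(r"\s+#.*$", "", value)  # drop a trailing comment
        if value[:1] in ("'", '"'):
            continue  # quoted scalars are already strings
        if _BOOL.match(value):
            findings.append((name, value, "boolean"))
        elif _NUM.match(value):
            findings.append((name, value, "number"))
    return findings

if __name__ == "__main__":
    for name, value, kind in non_string_headers(SAMPLE):
        print(f'{name}: {value} is a {kind}; quote it as "{value}"')
```
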
In Kibana 7.6.0 and earlier, Node.js contains the following security issues:
The TLS handling code for Node.js includes a Denial of Service (DoS) issue. Successful exploitation of the flaw could result in Kibana crashing. Refer to https://www.elastic.co/community/security/, CVE-2019-15604.
There are no known workarounds for this issue.
There are issues with how Node.js handles malformed HTTP headers. The malformed headers could result in an HTTP request smuggling attack when Kibana is running behind a proxy that is vulnerable to HTTP request smuggling attacks. Refer to https://www.elastic.co/community/security/, CVE-2019-15605 and CVE-2019-15606.
For instructions on how to mitigate HTTP request smuggling attacks, contact your proxy vendor.
Administrators running Kibana in an environment with untrusted users should upgrade to Kibana 7.6.1, which updates Node.js to 10.19.0.
- Imports rules unit tests #57466
- Sanitizes workpad before sending to API #57704
- Lens and visualizations
- Machine Learning
- Fixes Data Visualizer responsive layout #56372
- Fixes overall stats for saved search on the Data Visualizer page #57312
- Fixes jobs list default refresh #57086
- Updates schema definition for create route #56979
- Fixes brush visibility #57564
- Fixes chart resize after browser refresh #57578
- Fixes hiding date picker for settings pages #57544
- Limits fetching index patterns #56603
- Fixes browser date format #57714
- Prepends basePath in getUrlForApp #57316
- Uses app id instead of pluginId to generate navlink from legacy apps #57542
- Retries ES API calls that fail with 410/Gone to prevent Kibana from crashing at startup #56950
- Removes injected reference from home app #57836
- Uses scripted metric for snapshot calculation #58247