Kibana 7.6.1edit

See breaking changes in 7.6.

Security issuesedit

In Kibana 7.6.0 and earlier, Node.js contains the following security issues:

  • The TLS handling code for Node.js includes a Denial of Service (DoS) issue. Successful exploitation of the flaw could result in Kibana crashing. Refer to https://www.elastic.co/community/security/, CVE-2019-15604.

    There are no known workarounds for this issue.

  • There are issues with how Node.js handles malformed HTTP headers. The malformed headers could result in an HTTP request smuggling attack when Kibana is running behind a proxy that is vulnerable to HTTP request smuggling attacks. Refer to https://www.elastic.co/community/security/, CVE-2019-15605 and CVE-2019-15606.

    For instructions on how to mitigate HTTP request smuggling attacks, contact your proxy vendor.

Administrators running Kibana in an environment with untrusted users should upgrade to Kibana 7.6.1, which updates Node.js to 10.19.0.

Enhancementsedit

SIEM
  • Imports rules unit tests #57466

Bug fixesedit

APM
  • Fixes cloud env in APM tutorial #57817
  • Adds xpack.apm.enabled key to config schema #57539
  • X-axis labels on Error occurrences chart are incorrect based on Kibana timezone #55686
Canvas
  • Sanitizes workpad before sending to API #57704
Lens and visualizations
  • Fixes bugs in Lens filters (#56441) #56648
  • Makes field stats work for index patterns without time fields #56759
  • Fixes auto refresh in visualizations and Lens #57667
Machine Learning
  • Fixes Data Visualizer responsive layout #56372
  • Fixes overall stats for saved search on the Data Visualizer page #57312
  • Fixes jobs list default refresh #57086
  • Updates schema definition for create route #56979
  • Fixes brush visibility. #57564
  • Fixes chart resize after browser refresh #57578
  • Fixes hiding date picker for settings pages #57544
Management
  • Allows support for nested multi-fields #58203
  • Fixes performance bottleneck for large JSON payloads #57668
  • Fixes filter deprecations search filter #57541
Maps
  • Sets filter.meta.key to geoFieldName so query passes filterMatchesIndex when ignoreFilterIfFieldNotInIndex is true #56692
  • Fixes document source top hits split by scripted field #57481
  • Only request field in docvalue_fields when the field supports doc values #57372
Monitoring
  • Fixes issue when index pattern has no fields #58242
  • Fixes inaccuracies in Logstash pipeline listing metrics #55868
Platform
  • Limits fetching index patterns #56603
  • Fixes browser date format #57714
  • Prepends basePath in getUrlForApp #57316
  • Uses app id instead of pluginId to generate navlink from legacy apps #57542
  • Retries ES API calls that fail with 410/Gone to prevent Kibana from crashing at startup #56950
  • Removes injected reference from home app #57836
Security
  • Logout should redirect to the login screen at the server base path #56786
  • Adds xpack.encryptedSavedObjects.encryptionKey to docker allow-list #58291
  • Fixes short url in spaces #58313
SIEM
  • Backend end-to-end tests #57166
  • Removes internal tags when copying signals from rules #57744
  • Fixes return codes where some were rule_id instead of id #57939
  • Fixes Host Details Events Table to only show events for specified Host #57388
Uptime
  • Uses scripted metric for snapshot calculation #58247