Product release

Kibana 5.5.2, 4.6.6, and 2.4.6 plugins released

Hello, and welcome to the 5.5.2, 4.6.6 release of Kibana! We've also released the 2.4.6 versions of our reporting, graph, marvel, and shield plugins.  These releases contains some small bug fixes and important security fixes. Please see details below.

Kibana 5.5.2 is available on our downloads page and on Elastic Cloud. When you’re finished reading, take a look at the complete release notes for all the goodies.

Kibana 4.6.6 is also available on our  downloads page under "past releases" and only contains the changes for the security update.

Security Fixes

Kibana 5.5.2 and Kibana 4.6.6 security update


Kibana markdown parser Cross Site Scripting (XSS) error (ESA-2017-16)


Kibana versions prior to 5.5.2 had a cross-site scripting (XSS) vulnerability in the markdown parser that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.


Affected Versions: All prior to 5.5.2 and 4.6.6


Solutions and Mitigations:

Users should upgrade to Kibana version 5.5.2 or 4.6.6.




Reporting impersonation error (ESA-2017-17)


The Reporting feature in X-Pack in versions prior to 5.5.2 and standalone Reporting plugin versions versions prior to 2.4.6 had an impersonation vulnerability. A user with the reporting_user role could execute a report with the permissions of another reporting user, possibly gaining access to sensitive data.


Affected Versions: All prior to 5.5.2 and 2.4.6


Solutions and Mitigations:

Reporting users should upgrade to X-Pack version 5.5.2 or Reporting Plugin version 2.4.6. A mitigation for this issue is to remove the reporting_user role from any untrusted users of your Elastic Stack.


CVE ID: CVE-2017-8446


Bug Fixes


Discover

  • [Fix for #13365] Truncate long field names in filter editor #13379

Management

  • [Fix for #12728] Ensure conflicted fields can be searchable and/or aggregatable #13070

Visualization

  • [Fix for #13255] Ensure we are working with data-series to avoid tooltip errors #13266
  • [Fix for #12724] by default metric should not define color #12993
  • [Fix for #12391] in percentage mode tooltip should also show percentages #13217
    • Tooltips now correctly display the percentage-value in area charts where the Y-Axis is formatted in percentage mode.
  • Use the customMetric's formatter for pipeline aggregations #11933
  • [Fix for https://github.com/elastic/kibana/issues/12220] Should only fit on shapes that are part of the result #12881
    • When clicking the fit-data button in a Region Map, the map now zooms correctly to the relevant data instead of showing the entire layer.
  • [Fix for https://github.com/elastic/kibana/issues/12172] Save layer setting in the region map UI #12956
    • The layer selection is now preserved in the UI dropdown when saving a Region Map.
  • [Fix for https://github.com/elastic/kibana/issues/12189] Region map should respect saved center and zoom #12883
    • The location of the map is now stored correctly when saving a Region Map.
  • [Fix for #12963] Exclude stacktrace from error response of Timelion backend #12973
    • the Timelion backend no longer includes the stacktrace as part of the server response. This stacktrace is now logged to the server console.

Enhancements

Dev Tools

  • Respects ES customHeaders config for Console #13033