Hi,
I am using Kibana 7.2.1 which bundled with node.js 10.15.2. But recently, Node.js has been found to have certain security violation (eg. cve-2019-9511): https://nodejs.org/en/blog/release/v10.16.3/
I would like to know if it is ok to use the node.js that has the security issue fixed (10.16.3) with Kibana 7.2.1. I can change the package.json to use the higher version and it seems to run ok. Any idea if this is ok or not?
Thanks,
Hello,
It can be a little hard to know. It's frequently just fine, but occasionally there are breaking changes. I double-checked our last Pull Request that updated node from one minor version to another. Here's a link to the files changed just so you're aware of what should probably be updated. The command updates will be different and there may or may not be updates necessary for these in your case.
Regards,
Aaron
That CVE does not affect the Kibana server since we are not leveraging HTTP/2 at this time.
The issue is not whether it affect Kibana Server or not. Since it is bundled with Kibana, and vulnerabilities scanner will flag it. As Kibana is running ontop of node, so the question is whether that base node.js itself is vulunerable or not.
To answer your original question; the patch bump shouldn't adversely affect Kibana if they are strictly adhering to SEMVER. However, we can not guarantee it without bumping it within Kibana itself.
In regards to the CVE, I am going to have to direct you to contact security@elastic.co per https://www.elastic.co/community/security
ok, thanks.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.