Kbn-ui-shared-deps-npm.dll.js blocked by Meraki

Hey everyone!

Recently we've been having issues connecting to Kibana under some circumstances:

After not seeing anything in the server logs, we realized something seemed to be blocked in the console:

And then IT confirmed that it was our Meraki firewall blocking that JavaScript file:

Googling it brought up this package from npm, which actually claims it was taken down for containing malicious code, but I couldn't find anything in the actual advisories, and I'm not convinced this is the package contained in Kibana.

Before I ask IT to whitelist this, does anyone have any insight into why this might be happening and if there's an actual security risk? This happens on fresh installs on Windows or Linux and without any plugins installed.

What is your version of the stack?

@tiagocosta / @jbudz can we please get some help here?

Thanks,
Bhavya

Hey! Thanks for taking a look!

This happens to us on multiple deployments, most of which are on 7.17.3, however it also happens for a brand new 8.4 cluster.

As mentioned, we can solve this by whitelisting, but we would obviously still prefer it if we could figure out why this package is being blocked in the first place.


Hi,

The file kbn-ui-shared-deps-npm.dll.js is not an npm package and is a bundle we build as part of the Kibana build with a couple of stateful node_modules we use on Kibana. This file is served through a package called @kbn/ui-shared-deps-npm which is in the node_modules folder but it's not distributed over the npm. We built it locally and ship it as part of the Kibana distributable.

On the security side, the announcements are available at Security Announcements - Discuss the Elastic Stack and Security issues | Elastic, where you can check if a given version should be updated or not. For the ones you mentioned I would advise you to update to v7.17.7 or v8.5.0.

Cheers