Kibana 6.1.1 security update


(Josh Bressers) #1

Kibana arbitrary code execution issue (ESA-2017-24)
Kibana version 6.1.0 had an arbitrary code execution vulnerability in the Math.js package which is used by math aggregations in Time Series Visual Builder. Kibana users could construct a math aggregation capable of executing arbitrary code on the Kibana server.

This update removes the math aggregation feature from Kibana, which had been added in 6.1.0.

Affected Versions:
Kibana version 6.1.0 is affected by this flaw. No other versions are affected.

Solutions and Mitigations:
Anyone running Kibana 6.1.0 should upgrade to Kibana version 6.1.1. If you are unable to upgrade, you may set “metrics.enabled: false” in the kibana.yml file to disable the Time Series Visual Builder feature.
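As an added, stdlib-only example (not part of the advisory or of Kibana itself), the following triage helper applies the two facts above to a node's version and its kibana.yml text: only 6.1.0 is affected, and an uncommented `metrics.enabled: false` is the interim workaround. It handles both the dotted spelling and the nested `metrics:` / `enabled:` form, ignores commented-out lines, and uses line-based parsing as a simplifying assumption.

```python
import re

# Facts from the advisory (ESA-2017-24): only 6.1.0 is affected, 6.1.1 fixes it.
AFFECTED_VERSION = "6.1.0"
FIXED_VERSION = "6.1.1"

_TOP_KEY = re.compile(r"^([A-Za-z0-9_.]+)\s*:\s*(.*)$")        # unindented key
_NESTED_KEY = re.compile(r"^\s+([A-Za-z0-9_.]+)\s*:\s*(.*)$")   # indented key

def _strip_comment(raw: str) -> str:
    # A '#' starts a comment at line start or after whitespace (YAML rule).
    return re.sub(r"(^|\s)#.*$", "", raw).rstrip()

def metrics_enabled(kibana_yml: str) -> bool:
    """Effective value of metrics.enabled in a kibana.yml text.

    Kibana defaults to enabled. Both spellings are handled: the dotted form
    `metrics.enabled: false` and the nested form `metrics:` / `  enabled: false`.
    Commented-out lines are ignored and the last assignment wins. Line-based
    parsing is an assumption of this example (stdlib only); a production
    check should load the file with a real YAML parser.
    """
    value = True
    in_metrics_block = False
    for raw in kibana_yml.splitlines():
        line = _strip_comment(raw)
        if not line.strip():
            continue
        top = _TOP_KEY.match(line)
        if top:
            key, val = top.groups()
            in_metrics_block = (key == "metrics" and val == "")
            if key == "metrics.enabled":
                value = val.strip("\"'").lower() != "false"
            continue
        nested = _NESTED_KEY.match(line)
        if nested and in_metrics_block and nested.group(1) == "enabled":
            value = nested.group(2).strip("\"'").lower() != "false"
    return value

def triage(version: str, kibana_yml: str) -> str:
    """Classify one Kibana node against ESA-2017-24."""
    if version != AFFECTED_VERSION:
        return "not affected"
    if not metrics_enabled(kibana_yml):
        return "mitigated by config (metrics.enabled: false); upgrade to 6.1.1 when possible"
    return "VULNERABLE: upgrade to 6.1.1 or set metrics.enabled: false"

# Constructed sample configs (not from the advisory).
SAMPLE_COMMENTED = "server.port: 5601\n# metrics.enabled: false\n"
SAMPLE_DOTTED = 'server.port: 5601\nmetrics.enabled: "false"  # workaround\n'
SAMPLE_NESTED = "metrics:\n  enabled: false\nserver.port: 5601\n"
```

Note that a commented-out `# metrics.enabled: false` leaves Time Series Visual Builder enabled, so that node is still reported as vulnerable.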

CVE ID: CVE-2017-1001002