Kibana arbitrary code execution issue (ESA-2017-24)
Kibana version 6.1.0 had an arbitrary code execution vulnerability in the Math.js package, which is used by math aggregations in Time Series Visual Builder. Kibana users could construct a math aggregation capable of executing arbitrary code on the Kibana server.
This update removes the math aggregation feature from Kibana, which was added in 6.1.0.
Affected Versions:
Kibana version 6.1.0 is affected by this flaw. No other versions are affected.
Solutions and Mitigations:
Anyone running Kibana 6.1.0 should upgrade to Kibana version 6.1.1. If you are unable to upgrade, you may set "metrics.enabled: false" in the kibana.yml file to disable the Time Series Visual Builder feature.
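An added audit helper (not part of this advisory or of Kibana) that classifies an instance against the two facts above: whether the reported version is exactly 6.1.0, and whether kibana.yml carries an uncommented "metrics.enabled: false" line. It assumes the version string is taken from Kibana's GET /api/status response (version.number) and that the packaged config lives at /etc/kibana/kibana.yml; the sample config files in the comments are constructed.

```shell
#!/bin/sh
# Verdicts and exit codes returned by esa_2017_24_status VERSION CONFIG_FILE:
#   "not-affected" (0)  version is not 6.1.0, the only affected release
#   "mitigated"    (2)  6.1.0, but Time Series Visual Builder is disabled
#   "affected"     (1)  6.1.0 with the feature still enabled: upgrade to 6.1.1
esa_2017_24_status() {
    version="$1"
    config="$2"
    if [ "$version" != "6.1.0" ]; then
        echo "not-affected"
        return 0
    fi
    # Only an uncommented, top-level "metrics.enabled: false" counts as the
    # workaround; a "# metrics.enabled: false" line is still the default (enabled).
    if grep -Eq '^[[:space:]]*metrics\.enabled:[[:space:]]*false[[:space:]]*$' "$config" 2>/dev/null; then
        echo "mitigated"
        return 2
    fi
    echo "affected"
    return 1
}

# Live usage against a running instance (assumed URL and config path; not
# executed here). The sed pulls "number" out of the status JSON's version object.
#   v=$(curl -s http://localhost:5601/api/status | sed -n 's/.*"number":"\([^"]*\)".*/\1/p')
#   esa_2017_24_status "$v" /etc/kibana/kibana.yml
```

Treat the verdict as a triage signal only: a "mitigated" host still runs the vulnerable Math.js code and should be upgraded to 6.1.1.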
CVE ID: CVE-2017-1001002