Kibana arbitrary code execution issue (ESA-2017-24)
Kibana version 6.1.0 had an arbitrary code execution vulnerability in the Math.js package, which is used by the math aggregation in Time Series Visual Builder. Any Kibana user able to build a Time Series Visual Builder visualization could construct a math aggregation that executes arbitrary code on the Kibana server, with the privileges of the Kibana process.
Kibana 6.1.1 removes the math aggregation feature, which had been added in 6.1.0.
Only Kibana version 6.1.0 is affected by this flaw. No other versions are affected.
Solutions and Mitigations:
Anyone running Kibana 6.1.0 should upgrade to Kibana version 6.1.1. If you are unable to upgrade, set "metrics.enabled: false" in the kibana.yml file and restart Kibana. This disables the whole Time Series Visual Builder feature, not only the math aggregation, until you can upgrade.
CVE ID: CVE-2017-1001002
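The following POSIX shell script is an added example, not part of the Elastic advisory or of Kibana itself. It turns the advisory's two facts (only 6.1.0 is affected; "metrics.enabled: false" in kibana.yml is the workaround) into a check an operator can run on a Kibana host. It assumes the version string is taken from Kibana's own reporting (for instance the version.number field of /api/status) and that the kibana.yml passed in is the one the running Kibana actually loaded; the function names and the two sample config files are constructed for this example.

```shell
#!/bin/sh
# Added example (not Elastic's code): classify a Kibana host against ESA-2017-24.
# Assumption: $1 is the version Kibana reports, $2 is the kibana.yml it loads.

# Only 6.1.0 is affected according to the advisory. Exit 0 when affected.
kibana_version_affected() {
    [ "$1" = "6.1.0" ]
}

# Exit 0 when kibana.yml carries an active (uncommented) "metrics.enabled: false".
# A commented-out "#metrics.enabled: false" must not count as mitigated.
tsvb_disabled_in_yml() {
    grep -Eq '^[[:space:]]*metrics\.enabled:[[:space:]]*false[[:space:]]*(#.*)?$' "$1"
}

# Prints exactly one of: not-affected, mitigated, vulnerable.
esa_2017_24_status() {
    version="$1"
    yml="$2"
    if ! kibana_version_affected "$version"; then
        echo not-affected
    elif tsvb_disabled_in_yml "$yml"; then
        echo mitigated
    else
        echo vulnerable
    fi
}

# Constructed sample configs so the script runs stand-alone.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '# default config' 'server.port: 5601' '#metrics.enabled: false' > "$tmp/default.yml"
printf '%s\n' 'server.port: 5601' 'metrics.enabled: false   # ESA-2017-24 workaround' > "$tmp/mitigated.yml"

esa_2017_24_status 6.1.0 "$tmp/default.yml"    # vulnerable: upgrade to 6.1.1
esa_2017_24_status 6.1.0 "$tmp/mitigated.yml"  # mitigated, TSVB disabled
esa_2017_24_status 6.1.1 "$tmp/default.yml"    # not-affected
```

On a real host, pass the path Kibana was started with (the -c / --config option, if used) rather than assuming /etc/kibana/kibana.yml, and remember that "mitigated" only means the workaround is in place: the fix is the upgrade to 6.1.1.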