Kibana Node.js - JavaScript run-time environment is affected by multiple vulnerabilities

After scanning it was discovered that
Solution:
Upgrade to Node.js version 18.19.1 / 20.11.1 / 21.6.2 or later.

Path : /usr/share/kibana/node/bin/node
Installed version : 18.18.2
Fixed version : 18.19.1

The version of Node.js installed on the remote host is prior to 18.19.1, 20.11.1, 21.6.2. It is, therefore, affected by multiple vulnerabilities as referenced in the Wednesday February 14 2024 Security Releases advisory.

  - On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when certain other capabilities have been set. This allows unprivileged users to inject code that inherits the process's elevated privileges. Impacts: Thank you, to Tobias Nießen for reporting this vulnerability and for fixing it. (CVE-2024-21892)
....

In which version of Kibana will the vulnerability be fixed and is it planned to do so? Thank you.

Hi @San9

I can see that latest Kibana 8.12.2 and 8.13 are using safe versions of Node.js.
You can upgrade to those versions.

I’m currently using version 8.12.2, but the problem remains, I thought it would be fixed in 8.12.2.

Sorry, my mistake.
Kibana 8.12.2 is using a version that is still below Node.js 18.19.x.
Kibana 8.13 uses a safe version.

Thank you. Then we will update the cluster to the latest version 8.13
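
A check that can be run on each Kibana host after the upgrade, to confirm that the bundled Node.js is at or above the fixed version for its release line. This is an added example, not part of the thread or of Elastic's tooling: the function names are hypothetical, while the binary path and the fixed versions are the ones quoted in the scan output above.

```shell
#!/bin/sh
# Added example: classify a Node.js version against the fixed versions
# quoted in the scan output (18.19.1 / 20.11.1 / 21.6.2).

# Fixed version for each release line named in the scan output.
fixed_for_line() {
  case "$1" in
    18) echo "18.19.1" ;;
    20) echo "20.11.1" ;;
    21) echo "21.6.2" ;;
    *)  return 1 ;;
  esac
}

# Return 0 if version $1 is strictly lower than version $2.
# Fields are compared as numbers, so 18.9.0 sorts below 18.19.1.
ver_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1
  }'
}

# Print "vulnerable", "fixed" or "unlisted" for a version such as v18.18.2.
# "unlisted" means the release line is not one of those in the scan output.
node_status() {
  ns_ver="${1#v}"
  ns_fixed="$(fixed_for_line "${ns_ver%%.*}")" || { echo "unlisted"; return 0; }
  if ver_lt "$ns_ver" "$ns_fixed"; then echo "vulnerable"; else echo "fixed"; fi
}

# Report on the Node.js binary bundled with Kibana (default path from the scan).
check_kibana_node() {
  ck_bin="${1:-/usr/share/kibana/node/bin/node}"
  [ -x "$ck_bin" ] || { echo "no node binary at $ck_bin"; return 0; }
  ck_ver="$("$ck_bin" --version)"
  echo "$ck_bin $ck_ver $(node_status "$ck_ver")"
}

check_kibana_node "$@"
```

Pass a different path as the first argument if Kibana is installed somewhere other than `/usr/share/kibana`.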
