When will the patch be available for CVE-2023-38552/39331/39332/44487 upgrading nodejs >= 18.18.2

Hello,
When will the fix for CVE-2023-38552/39331/39332/44487 upgrading nodejs >= 18.18.2 be available in the Kibana 8.10.x version?
Thanks

Hi @stanislasm, this pull request merged Node 18.18.2 into the 8.10.x branch.

The PR above merged after the release of Kibana 8.10.4, which is the latest 8.10.x release. As a result of this timing, the next version of Kibana that includes Node 18.18.2 will be Kibana 8.11.0. I can't promise a specific date for the release of 8.11.0, but it's expected to be available soon.

Hi @Andrew_G
Great, thank you for your response!

@Andrew_G

Hello, can you tell me whether Kibana version 8.10.4 already comes with Node 18.18.2? Otherwise my scanner complains that there is still an old version.

Kibana 8.11.1 is out, and I believe this should have the new version of node.js.

Yes, I already installed it.
Is it really possible to update this component separately? Or are there too many dependencies?

You should always look to keep Elasticsearch and Kibana on the same version. Other components are as far as I know generally less sensitive.

I mean node.js as a component in the kibana package.
Yes, that's right, the major and minor versions must match.

Thanks all for the conversation above!

In summary:

  • Elastic Security 8.11.1, which includes node 18.18.2, is available
  • The previous 8.10.x version of Kibana, 8.10.4, was NOT tested with node 18.18.2. In general, avoid pairing Kibana with untested versions of node
  • Always upgrade all components of the Elastic stack together, via Elastic Cloud or the instructions for on-prem