NOTE: You are looking at documentation for an older release. For the latest information, see the current release documentation.
Kibana 6.8.11

Security updates

- In Kibana 6.8.10 and earlier, there is a denial of service (DoS) flaw in Timelion. Attackers can construct a URL that, when viewed by a Kibana user, causes the Kibana process to consume large amounts of CPU and become unresponsive (CVE-2020-7016).
  You must upgrade to 6.8.11. If you are unable to upgrade, set timelion.enabled to false in your kibana.yml file to disable Timelion.
- In all Kibana versions, region map visualizations contain a stored XSS flaw. Attackers that can edit or create region map visualizations can obtain sensitive information or perform destructive actions on behalf of Kibana users who view the region map visualization (CVE-2020-7017).
  You must upgrade to 6.8.11. If you are unable to upgrade, set xpack.maps.enabled, region_map.enabled, and tile_map.enabled to false in kibana.yml to disable map visualizations.
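As an added defender-side check (example code, not Elastic's), the script below audits a kibana.yml against the two advisories above: it assumes a flat key: value file, covers only the 6.8.x line described here, and the sample configs are constructed.

```python
"""Audit a kibana.yml against the Kibana 6.8.11 security updates above.
Added example, not Elastic's code. Assumes a flat "key: value" kibana.yml
(nested YAML blocks are skipped) and covers only the 6.8.x line."""

FIXED_VERSION = (6, 8, 11)  # release that fixes both issues per the notes
MAP_KEYS = ("xpack.maps.enabled", "region_map.enabled", "tile_map.enabled")

def parse_flat_yaml(text):
    """Return {key: value} for top-level 'key: value' lines (comments stripped)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line or line[0].isspace() or ":" not in line:
            continue  # blank, nested (indented) or not a key/value line
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def is_disabled(settings, key):
    # Every setting checked here defaults to enabled when absent from kibana.yml.
    return settings.get(key, "true").lower() == "false"

def audit(version, yml_text):
    """Return findings for a 6.8.x Kibana; an empty list means nothing to do."""
    ver = tuple(int(p) for p in version.split("."))
    if ver[:2] != (6, 8):
        raise ValueError("only the 6.8.x line is covered by this check")
    if ver >= FIXED_VERSION:
        return []
    settings = parse_flat_yaml(yml_text)
    findings = []
    if not is_disabled(settings, "timelion.enabled"):
        findings.append("CVE-2020-7016: upgrade to 6.8.11 or set timelion.enabled: false")
    if not all(is_disabled(settings, k) for k in MAP_KEYS):
        findings.append("CVE-2020-7017: upgrade to 6.8.11 or set %s to false"
                        % ", ".join(MAP_KEYS))
    return findings

# Constructed sample configs for a 6.8.10 node: default (exposed) and mitigated.
VULNERABLE_YML = 'server.host: "0.0.0.0"\ntimelion.enabled: true  # default\n'
MITIGATED_YML = "\n".join(k + ": false" for k in ("timelion.enabled",) + MAP_KEYS)

if __name__ == "__main__":
    for label, cfg in (("default", VULNERABLE_YML), ("mitigated", MITIGATED_YML)):
        print(label, audit("6.8.10", cfg) or "no findings")
```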
Enhancements

- Platform
  - Makes SameSite cookie's attribute configurable #68108
- Security
  - Supports deep links inside of RelayState for SAML IdP initiated login #69401. If users want to deep link into Kibana after a successful SAML Identity Provider initiated login, they can set xpack.security.authc.providers.saml.<provider-name>.useRelayStateDeepLink for a specific SAML authentication provider and provide a deep link in the RelayState parameter.
Bug fixes

- Maps
  - Loads configuration from EMS-metadata in region-maps #70888
- Security
  - Redirects to Logged Out UI on SAML Logout Response #69676. Previously Kibana redirected users to a default location as the last step of a SAML User/SP Initiated Single Logout (SP SLO), which forced users to log in again when the Login Selector UI was not available. Now, Kibana redirects users to either the Login Selector UI or the Logged Out UI at the end of SP SLO.