Kibana 6.8.14

The 6.8.14 release includes a security update and fixes one issue.

Security update

Vega visualizations are susceptible to stored and reflected XSS via a vulnerable version of the Vega library. When you create Vega visualizations or create a vulnerable URL that describes the visualization, arbitrary JavaScript can execute in your browser.

Affected versions

Affected versions include 6.8.13 and earlier.

Solution

Verify whether you use Vega visualizations, then complete one of the following:

  • If you use Vega visualizations, upgrade to 6.8.14.
  • If you do not use Vega visualizations, open your kibana.yml file, then change vega.enabled: true to vega.enabled: false.
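
An added example (not part of the Kibana release notes or of Elastic's tooling): a POSIX shell check that classifies a 6.x node against the two options above. It assumes the flat vega.enabled key form shown above, treats a missing key as enabled, and takes the Kibana version as an argument; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify a Kibana 6.x node against the 6.8.14 Vega XSS notice.
# Function names are hypothetical; only the flat "vega.enabled:" key is parsed.

# Succeeds when version $1 is lower than version $2 (major.minor.patch).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1
  }'
}

# Prints the last uncommented vega.enabled value in kibana.yml, or "unset".
vega_setting() {
  vs_value=$(sed -n 's/^[[:space:]]*vega\.enabled[[:space:]]*:[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
  printf '%s\n' "${vs_value:-unset}" | tr 'A-Z' 'a-z'
}

# usage: vega_xss_exposure <kibana-version> <path-to-kibana.yml>
vega_xss_exposure() {
  vx_version=${1%%-*}            # drop suffixes such as -SNAPSHOT
  if [ "${vx_version%%.*}" != "6" ]; then
    echo "out-of-scope"          # this page covers the 6.x release line only
  elif ! version_lt "$vx_version" "6.8.14"; then
    echo "patched"
  elif [ "$(vega_setting "$2")" = "false" ]; then
    echo "mitigated"             # Vega plugin disabled in kibana.yml
  else
    # Assumption: a missing or unparsable key means Vega is enabled.
    echo "exposed"
  fi
}

if [ "$#" -eq 2 ]; then
  vega_xss_exposure "$1" "$2"
fi
```

A commented-out line such as "#vega.enabled: false" does not count as a mitigation, so the node is still reported as exposed.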

Bug fix

Reporting
  • Fixes an issue where a failed request in the headless browser running the screenshot capture would log an obscured error #88118