Kibana 7.14.1

edit

For information about the 7.14.1 release, review the following information.

Security updates

edit

Review the security updates that were found in previous versions of Kibana.

Code execution issue

Details
In Kibana 7.10.2 to 7.14.0, users with Fleet admin privileges could insecurely upload malicious packages. Due to an older version of the js-yaml library, attackers were able to execute commands on the Kibana server. CVE-2021-22150

Solution
Upgrade to Kibana 7.14.1.

Path traversal issue

Details
In Kibana 7.13.4 and earlier, Kibana was not validating the user supplied paths that upload .pbf files, allowing malicious users to arbitrarily traverse the Kibana host to load internal files that end in the .pbf extension. CVE-2021-22151

Thanks to Luat Nguyen of CyberJutsu for reporting this issue.

Solution
Upgrade to Kibana 7.14.1.

HTML injection issue

Details
In Kibana 7.14.0, Kibana was not sanitizing document fields that contain HTML snippets, allowing attackers with the ability to write documents to an Elasticsearch index to inject HTML. When Discover highlighted a search term that contained the HTML, the term was rendered. CVE-2021-37936

Solution
In Advanced Settings, set doc_table:highlight to false. If you do not want to change the Advanced Settings, upgrade to Kibana 7.14.1.

Node.js security vulnerabilities

Details
In Kibana 7.14.0 and earlier, Node.js 14.17.3 is affected by the following security vulnerabilities:

We do not believe an attacker can exploit the security vulnerabilities against Kibana, but are upgrading Node.js out of an abudance of caution. To resolve the security vulnerabilities, Kibana 7.14.1 upgrades Node.js to 14.17.5.

Solution
Upgrade to Kibana 7.14.1.

Known issues

edit

There are no known issues for 7.14.1. Before you upgrade, review the Known issue for 7.14.0.

Breaking changes

edit

Breaking changes can prevent your application from optimal operation and performance. Before you upgrade to 7.14.1, review the 7.14.0 breaking changes.

To review the breaking changes in previous versions, refer to the following:

7.13 | 7.12 | 7.11 | 7.10 | 7.9 | 7.8 | 7.7 | 7.6 | 7.5 | 7.4 | 7.3 | 7.2 | 7.1 | 7.0

Enhancements

edit
Elastic Security
For the Elastic Security 7.14.1 release information, refer to Elastic Security Solution Release Notes.
Platform
  • Adds new SavedObjectsRespository error type for 404 that do not originate from Elasticsearch responses #107301

Bug Fixes

edit
Alerting
  • Fixed bug that prevented the index threshold rule from properly working with a threshold below a value #105626
Canvas
  • Fixes numeric variable casting #109744
Dashboard
  • Adds ability to defer embeddable loaded state #107227
Design
  • Fixes accessibility focus trap issue #107292
Discover
  • Do not set source field when reading fields from source #109069
  • Fixes limit of 50 documents using classic table #108322
Elastic Security
For the Elastic Security 7.14.1 release information, refer to Elastic Security Solution Release Notes.
Fleet
  • Fixes integrations count in category facet #107652
Lens & Visualizations
  • Fixes small multiple title in dark mode #109966
Machine Learning
  • Fixes the job audit messages service #108526
Management
  • Fixes bug with highlighting in String field formatter #109401
  • Fixed _meta field failing server validation #109295
  • No data experience to handle default Fleet assets #108887
  • Load index pattern list without loading field lists #108823
  • Fixes policy request flyout requiring policy name to show json #108550
  • Searchsource should send all index patterns defined on the runtime field #108549
  • Fixes bug where search sessions management UI displays wrong warning #107556
Maps
  • Fixes a bug where auto fit to bounds was not working when map was embedded in a dashboard #109479
  • Fixes a bug where TableListView empty view trapped users with no action to create new item #109345
  • Fixes a bug where the edit layer settings action showed when for read-only users #109321
  • Fixes fonts api #107768
  • Fixes a bug where more than two maps embeddables with geo-shape layers resulted in empty layers for 3+ #107442
Metrics
  • Fixes a bug where default rules were created when opening the dropdown #107957
  • Fixes metric threshold preview regression #107674
Platform
  • Updated onboarding interstitial to handle default Fleet assets #108193
  • Adds support of partial results to the switch expression function #108086