Kibana 7.14.1
For information about the 7.14.1 release, review the following information.
Security updates
Review the security updates that were found in previous versions of Kibana.
Code execution issue
Details
In Kibana 7.10.2 to 7.14.0, users with Fleet admin privileges could insecurely upload malicious packages. Due to an older version of the js-yaml library, attackers were able to execute commands on the Kibana server. CVE-2021-22150
Solution
Upgrade to Kibana 7.14.1.
Path traversal issue
Details
In Kibana 7.13.4 and earlier, Kibana was not validating the user supplied paths that upload .pbf files, allowing malicious users to arbitrarily traverse the Kibana host to load internal files that end in the .pbf extension. CVE-2021-22151
Thanks to Luat Nguyen of CyberJutsu for reporting this issue.
Solution
Upgrade to Kibana 7.14.1.
HTML injection issue
Details
In Kibana 7.14.0, Kibana was not sanitizing document fields that contain HTML snippets, allowing attackers with the ability to write documents to an Elasticsearch index to inject HTML. When Discover highlighted a search term that contained the HTML, the term was rendered. CVE-2021-37936
Solution
In Advanced Settings, set doc_table:highlight to false. If you do not want to change the Advanced Settings, upgrade to Kibana 7.14.1.
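The rendering flaw described above, shown next to a hardened form, as an added example that is not Kibana's own code. The `@hl@` / `@/hl@` markers, the function names and the sample hit are constructed assumptions standing in for whatever tags the search backend wraps around matched terms.

```javascript
// Constructed placeholder markers (assumption): the search backend wraps
// each matched term in PRE ... POST inside the highlight fragment.
const PRE = '@hl@';
const POST = '@/hl@';
const PAIR = /@hl@([\s\S]*?)@\/hl@/g;

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: markers become <mark> tags, but the field value around
// and inside them is emitted as-is, so stored HTML reaches the browser.
function renderHighlightUnsafe(fragment) {
  return fragment.split(PRE).join('<mark>').split(POST).join('</mark>');
}

// Hardened pattern: escape the whole fragment first, then introduce only the
// <mark> tags this code controls. Unpaired markers are dropped.
function renderHighlightSafe(fragment) {
  return escapeHtml(fragment)
    .replace(PAIR, '<mark>$1</mark>')
    .split(PRE).join('')
    .split(POST).join('');
}

// With highlighting disabled (the workaround setting), fall back to the
// escaped source value and never touch the highlight fragment.
function renderCell(hit, field, highlightEnabled) {
  const fragments = hit.highlight && hit.highlight[field];
  if (highlightEnabled && fragments && fragments.length) {
    return renderHighlightSafe(fragments[0]);
  }
  return escapeHtml(hit._source[field]);
}

// Constructed sample search hit: the indexed document field carries HTML.
const sampleHit = {
  _source: { message: 'login failed <img src="https://example.invalid/x.png"> for admin' },
  highlight: {
    message: ['login failed @hl@<img src="https://example.invalid/x.png">@/hl@ for admin'],
  },
};

console.log(renderHighlightUnsafe(sampleHit.highlight.message[0]));
console.log(renderCell(sampleHit, 'message', true));
```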
Node.js security vulnerabilities
Details
In Kibana 7.14.0 and earlier, Node.js 14.17.3 is affected by the following security vulnerabilities:
We do not believe an attacker can exploit the security vulnerabilities against Kibana, but are upgrading Node.js out of an abundance of caution. To resolve the security vulnerabilities, Kibana 7.14.1 upgrades Node.js to 14.17.5.
Solution
Upgrade to Kibana 7.14.1.
Known issues
There are no known issues for 7.14.1. Before you upgrade, review the Known issue for 7.14.0.
Breaking changes
Breaking changes can prevent your application from optimal operation and performance. Before you upgrade to 7.14.1, review the 7.14.0 breaking changes.
To review the breaking changes in previous versions, refer to the following:
7.13 | 7.12 | 7.11 | 7.10 | 7.9 | 7.8 | 7.7 | 7.6 | 7.5 | 7.4 | 7.3 | 7.2 | 7.1 | 7.0
Enhancements
- Elastic Security
  - For the Elastic Security 7.14.1 release information, refer to Elastic Security Solution Release Notes.
- Platform
  - Adds new SavedObjectsRepository error type for 404 that do not originate from Elasticsearch responses #107301
Bug Fixes
- Alerting
  - Fixed bug that prevented the index threshold rule from properly working with a threshold below a value #105626
- Canvas
  - Fixes numeric variable casting #109744
- Dashboard
  - Adds ability to defer embeddable loaded state #107227
- Design
  - Fixes accessibility focus trap issue #107292
- Discover
- Elastic Security
  - For the Elastic Security 7.14.1 release information, refer to Elastic Security Solution Release Notes.
- Fleet
  - Fixes integrations count in category facet #107652
- Lens & Visualizations
  - Fixes small multiple title in dark mode #109966
- Machine Learning
  - Fixes the job audit messages service #108526
- Management
  - Fixes bug with highlighting in String field formatter #109401
  - Fixed _meta field failing server validation #109295
  - No data experience to handle default Fleet assets #108887
  - Load index pattern list without loading field lists #108823
  - Fixes policy request flyout requiring policy name to show json #108550
  - Searchsource should send all index patterns defined on the runtime field #108549
  - Fixes bug where search sessions management UI displays wrong warning #107556
- Maps
  - Fixes a bug where auto fit to bounds was not working when map was embedded in a dashboard #109479
  - Fixes a bug where TableListView empty view trapped users with no action to create new item #109345
  - Fixes a bug where the edit layer settings action showed for read-only users #109321
  - Fixes fonts api #107768
  - Fixes a bug where more than two maps embeddables with geo-shape layers resulted in empty layers for 3+ #107442
- Metrics
- Platform