Security Updates coming to Kibana on ComposePublished
In keeping up with the latest Kibana and Elasticsearch security updates to protect all our Compose for Elasticsearch users, we're issuing a 7-day notice to update your Compose for Elasticsearch deployments for all users using Kibana on versions below 5.6.15 and 6.6.1.
The latest security update for Kibana addresses two particular security issues that affect Kibana users who run anything below versions 5.6.15 and 6.6.1. These security issues are related to a cross-site scripting (XSS) vulnerability and a flaw in the Timelion visualizer (see CVE-2019-7608 and CVE-2019-7609) where attackers could send a request to execute remote code. Therefore, in protecting users we've ceased to allow the provisioning of any Kibana versions below 5.6.15 and 6.6.1.
Due to the security update, we're no longer allowing users with Compose for Elasticsearch deployments below 5.6.15 on version 5.x, 6.6.1 on version 6.x, and all deployments on 2.x to provision Kibana.
We're giving all Kibana users seven days to update their Kibana and Compose for Elasticsearch deployments to compliant versions starting from today. This is in accordance with Compose's security upgrade policy.
Since Kibana versions are coupled with Elasticsearch versions, we urge all users who are using Kibana on Compose for Elasticsearch below versions 5.6.15 for version 5.x and 6.6.1 for version 6.x to update their Compose for Elasticsearch deployments by May 17th, 2019. For users on version 2.x, you'll need to upgrade your Compose for Elasticsearch deployment to either the major version 5.x or 6.x to use Kibana since there isn't a Kibana security patch available for 2.x.
After this date, we will begin force upgrading deployments that fall below versions 5.6.15 for version 5.x and 6.6.1 for version 6.x. For deployments that fall under version 2.x, we'll remove the Kibana add-on for these deployments altogether, and you'll need to upgrade your database to major version 5.x or 6.x to use Kibana with Compose for Elasticsearch.
What does this mean for existing Kibana users?
If you are using Kibana below 5.6.15 and 6.6.1, you'll need to update Kibana and your Compose for Elasticsearch deployment to 5.6.16 for version 5.x users or 6.6.2 for version 6.x users.
If you're updating to 5.6.16 for version 5.x or 6.6.2 for version 6.x, you can do that from the Compose for Elasticsearch console. You will see a green button that says "New version available" on the Compose for Elasticsearch console. You can press that button to do an in-place update to the latest minor version for that major version.
Users on Elasticsearch version 5.x and 6.x will see the something like:
Once that green button has been clicked, it will take you to a panel where you can specify the version you'd like to update to. For instance, version 6.x users will see:
After selecting the version and clicking the Change Version button on the bottom of the panel, another window will pop up asking you again if you want to update. Click "Ok" and then your deployment will start the update process.
When the update finishes, you'll need to remove your previous Kibana add-on then add it back to get the latest version for your updated Compose for Elasticsearch deployment. You can do that through the Add-ons menu from the Compose console on the left-hand menu towards the bottom.
After clicking Add-ons, you'll be taken to the Add-ons view. From there click on Configure next to your Kibana add on and that will take you to where you'll see something like the following with a Remove Kibana Add-on button.
Click that button to remove Kibana. After it has been removed, go back to the Add-ons panel by clicking the Add-ons button from the left-hand menu again. This time you'll click the Add button to add the latest version of Kibana back to your updated deployment.
Elasticsearch Version 2.x Users
If you're on version 2.x and want to continue using Kibana, you'll have to upgrade your Compose for Elasticsearch deployment to at least version 5.6.16 for version 5.x. Note, that indices created on version 1.x that have been migrated to version 2.x won't be compatible with version 5.x. Therefore, you'll have to reindex your data in version 2.x before upgrading to 5.x.
Guidance on reindexing Elasticsearch data is provided in their documentation. You can also open a support ticket for guidance.
If you have any questions or need help with the update, please contact our support who will be happy to assist you.
attribution Mike Kononov