The 5.4.1 and 5.3.3 releases contain important security fixes, and we recommend that you upgrade as soon as possible. Please read the details below.

Kibana instances on Elastic Cloud for previous versions of 5.4 and 5.3 will be upgraded automatically.

Security Fixes

Beginning in Kibana 5.3.0, the Discover app in Kibana is vulnerable to a cross-site scripting (XSS) attack that would allow an attacker to inject JavaScript into other users' browsers via Elasticsearch documents. This was made possible by the field formatters plugin API and how it handled compiling of template values in the Discover doc table. Versions 5.3.3 and 5.4.1 include a fix for this vulnerability by changing the binding and compilation behavior for field formatters. Thanks to Thomas Gøytil for reporting this issue. ESA-2017-08 (#11911)

The time series visual builder that was released in 5.4.0 is vulnerable to a cross-site scripting attack (XSS), where a malicious user could embed HTML into markdown documents that could result in JavaScript being executed in other users' browsers. This could be abused to steal sensitive information or to perform destructive actions on behalf of other users. 5.4.1 fixes this vulnerability by no longer allowing HTML in markdown documents. ESA-2017-07 (#11770)
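As an added example (not code from Elastic or the Kibana project), the affected ranges stated above can be turned into a version check over an inventory of Kibana instances. The host names, the inventory and the function names are constructed for illustration; version strings that are not plain x.y.z are flagged for manual review rather than guessed.

```python
import re

# (first affected, first fixed) per release line, as stated in the advisories above.
ADVISORIES = {
    "ESA-2017-08": [((5, 3, 0), (5, 3, 3)), ((5, 4, 0), (5, 4, 1))],
    "ESA-2017-07": [((5, 4, 0), (5, 4, 1))],
}

def parse_version(text):
    """Return (major, minor, patch), or None for anything that is not plain x.y.z."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def advisories_for(version):
    """Return the sorted advisory IDs whose affected range contains `version`."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    return sorted(esa for esa, ranges in ADVISORIES.items()
                  if any(first <= v < fixed for first, fixed in ranges))

def triage(inventory):
    """Map each host to a status, its open advisories and the fixed release to move to."""
    report = {}
    for host, version in inventory.items():
        try:
            open_ids = advisories_for(version)
        except ValueError:
            # Snapshots, custom builds, empty fields: do not guess, have a person look.
            report[host] = ("review", [], None)
            continue
        if not open_ids:
            report[host] = ("ok", [], None)
        else:
            # Stay on the same minor line: 5.3.x -> 5.3.3, 5.4.x -> 5.4.1.
            target = "5.3.3" if parse_version(version)[:2] == (5, 3) else "5.4.1"
            report[host] = ("affected", open_ids, target)
    return report

# Constructed inventory (host names are hypothetical).
SAMPLE_INVENTORY = {
    "kibana-a": "5.2.2",
    "kibana-b": "5.3.1",
    "kibana-c": "5.4.0",
    "kibana-d": "5.4.1",
    "kibana-e": "5.4.0-SNAPSHOT",
}

if __name__ == "__main__":
    for host, row in triage(SAMPLE_INVENTORY).items():
        print(host, *row)
```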

Download Kibana

Kibana 5.4.1 Release Notes

Kibana 5.3.3 Release Notes

Other fixes in 5.4.1