Merge branch '7.15' into backport/7.15/pr-110685

elastic · Sep 3, 2021 · 69dae65 · 69dae65
2 parents 269dce4 + 71768bb
commit 69dae65
Show file tree

Hide file tree

Showing 23 changed files with 327 additions and 188 deletions.
diff --git a/docs/CHANGELOG.asciidoc b/docs/CHANGELOG.asciidoc
@@ -74,6 +74,63 @@ coming::[7.15.0]
 
 For information about the 7.14.1 release, review the following information.
 
+[float]
+[[security-updates-v7.14.1]]
+=== Security updates
+
+Review the security updates that were found in previous versions of {kib}.
+
+[discrete]
+[[code-execution-issue]]
+.Code execution issue
+[%collapsible]
+====
+*Details* +
+In {kib} 7.10.2 to 7.14.0, users with Fleet admin privileges could insecurely upload malicious packages. Due to an older version of the js-yaml library, attackers were able to execute commands on the {kib} server. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22150[CVE-2021-22150]
+*Solution* +
+Upgrade to {kib} 7.14.1.
+====    
+
+[discrete]
+[[path-traversal-issue]]
+.Path traversal issue
+[%collapsible]
+====
+*Details* +
+In {kib} 7.13.4 and earlier, {kib} was not validating the user supplied paths that upload .pbf files, allowing malicious users to arbitrarily traverse the {kib} host to load internal files that end in the .pbf extension. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22151[CVE-2021-22151]
+Thanks to Luat Nguyen of CyberJutsu for reporting this issue.
+*Solution* +
+Upgrade to {kib} 7.14.1.
+====    
+
+[discrete]
+[[html-injection-issue]]
+.HTML injection issue
+[%collapsible]
+====
+*Details* +
+In {kib} 7.14.0, {kib} was not sanitizing document fields that contain HTML snippets, allowing attackers with the ability to write documents to an {es} index to inject HTML. When *Discover* highlighted a search term that contained the HTML, the term was rendered. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37936[CVE-2021-37936]
+*Solution* +
+In <<advanced-options,*Advanced Settings*>>, set `doc_table:highlight` to `false`. If you do not want to change the *Advanced Settings*, upgrade to {kib} 7.14.1.
+====    
+
+[discrete]
+[[nodejs-security-vulnerabilities]]
+.Node.js security vulnerabilities
+[%collapsible]
+====
+*Details* +
+In {kib} 7.14.0 and earlier, Node.js 14.17.3 is affected by the following security vulnerabilities: 
+* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930[CVE-2021-22930]
+* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3672[CVE-2021-3672]
+* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22931[CVE-2021-22931]
+* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930[CVE-2021-22930]
+* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22939[CVE-2021-22939]
+We do not believe an attacker can exploit the security vulnerabilities against {kib}, but are upgrading Node.js out of an abudance of caution. To resolve the security vulnerabilities, {kib} 7.14.1 upgrades Node.js to 14.17.5.
+*Solution* +
+Upgrade to {kib} 7.14.1.
+====    
+
 [float]
 [[breaking-changes-v7.14.1]]
 === Breaking changes

diff --git a/docs/spaces/images/edit-space-feature-visibility.png b/docs/spaces/images/edit-space-feature-visibility.png
diff --git a/docs/spaces/images/edit-space.png b/docs/spaces/images/edit-space.png
diff --git a/docs/spaces/images/spaces-roles.png b/docs/spaces/images/spaces-roles.png
diff --git a/docs/spaces/index.asciidoc b/docs/spaces/index.asciidoc
@@ -8,29 +8,18 @@ the dashboards and saved objects that belong to that space.
 
 {kib} creates a default space for you.
 After you create your own
-spaces, you're asked to choose a space when you log in to Kibana. You can change your
+spaces, you're asked to choose a space when you log in to {kib}. You can change your
 current space at any time by using the menu.
 
 [role="screenshot"]
 image::images/change-space.png["Change current space menu"]
 
-Kibana supports spaces in several ways.  You can:
-
-[[spaces-getting-started]]
-
-* <<spaces-managing, View&comma; create&comma; and delete spaces>>
-* <<spaces-control-feature-visibility, Control feature access based on user needs>>
-* <<spaces-control-user-access, Control feature access based on user privileges>>
-* <<spaces-moving-objects, Move objects between spaces>>
-* <<spaces-default-route, Configure a Space-level landing page>>
-* <<spaces-delete-started, Disable the Spaces feature>>
-
 [float]
-==== Required permissions
+==== Required privileges
 
 The `kibana_admin` role or equivalent is required to manage **Spaces**.
 
-TIP: Looking to support multiple tenants? See <<xpack-security-multiple-tenants, the Security documentation>> for more information.
+TIP: Looking to support multiple tenants? Refer to <<xpack-security-multiple-tenants, the Security documentation>> for more information.
 
 [float]
 [[spaces-managing]]
@@ -71,14 +60,14 @@ You can't delete the default space, but you can customize it to your liking.
 === Control feature access based on user needs
 
 You have control over which features are visible in each space.
-For example, you might hide Dev Tools
-in your "Executive" space or show Stack Monitoring only in your "Admin" space.
+For example, you might hide *Dev Tools*
+in your "Executive" space or show *Stack Monitoring* only in your "Admin" space.
 You can define which features to show or hide when you add or edit a space.
 
 Controlling feature
 visibility is not a security feature. To secure access
 to specific features on a per-user basis, you must configure
-<<xpack-security-authorization, Kibana Security>>.
+<<xpack-security-authorization, {kib} Security>>.
 
 [role="screenshot"]
 image::images/edit-space-feature-visibility.png["Controlling features visiblity"]
@@ -87,12 +76,12 @@ image::images/edit-space-feature-visibility.png["Controlling features visiblity"
 [[spaces-control-user-access]]
 === Control feature access based on user privileges
 
-When using Kibana with security, you can configure applications and features
+When using {kib} with security, you can configure applications and features
 based on your users’ privileges. This means different roles can have access
 to different features in the same space.
 Power users might have privileges to create and edit visualizations and dashboards,
-while analysts or executives might have Dashboard and Canvas with read-only privileges.
-See <<adding_kibana_privileges>> for details.
+while analysts or executives might have read-only privileges for *Dashboard* and *Canvas*.
+Refer to <<adding_kibana_privileges>> for details.
 
 [role="screenshot"]
 image::images/spaces-roles.png["Controlling features visiblity"]
@@ -105,7 +94,7 @@ To move saved objects between spaces, you can <<managing-saved-objects-copy-to-s
 
 [float]
 [[spaces-default-route]]
-=== Configure a Space-level landing page
+=== Configure a space-level landing page
 
 You can create a custom experience for users by configuring the {kib} landing page on a per-space basis.
 The landing page can route users to a specific dashboard, application, or saved object as they enter each space.
@@ -123,9 +112,8 @@ image::images/spaces-configure-landing-page.png["Configure space-level landing p
 === Disable and version updates
 
 Spaces are automatically enabled in {kib}. If you don't want use this feature,
-you can disable it
-by setting `xpack.spaces.enabled` to `false` in your
-`kibana.yml` configuration file.
+you can disable it. For more information, refer to <<spaces-settings-kb,Spaces settings in {kib}>>.
+
+When you upgrade {kib}, the default space contains all of your existing saved objects.
+
 
-If you are upgrading your
-version of {kib}, the default space will contain all of your existing saved objects.
diff --git a/docs/user/dashboard/dashboard.asciidoc b/docs/user/dashboard/dashboard.asciidoc
@@ -283,37 +283,15 @@ To enable series interactions, refer to <<settings-explore-data-in-chart,`xpack.
 [[download-csv]]
 == Download panel data
 
-Download panel data in a CSV file. You can download most panels in a CSV file, but there is a shortcut available
-for *Lens* panels.
-
-[float]
-[role="xpack"]
-[[download-lens-data]]
-=== Download Lens data
-
-When you download *Lens* panel data, each layer produces a single CSV file with columns.
-When you download multiple layers, the file names combine the visualization and layer index names.
-
-. Open the *Lens* panel menu
-
-. Select *More > Download as CSV*.
-
-[float]
-[[download-other-panel-data]]
-=== Download all other panel data
-
-Download the data for non-*Lens* panels.  
+Download panel data in a CSV file. When you download visualization panels with multiple layers, each layer produces a CSV file, and the file names contain the visualization and layer index names.
 
 . Open the panel menu, then select *Inspect*.
 
-. Click *Download CSV*, then select the CSV type from the dropdown:
+. Click *Download CSV*, then select the format type from the dropdown:
 
 * *Formatted CSV* &mdash; Contains human-readable dates and numbers.
 
 * *Unformatted* &mdash; Best used for computer use.
-+
-[role="screenshot"]
-image:images/Dashboard_inspect.png[Inspect in dashboard]
 
 [float]
 [[defer-loading-panels-below-the-fold]]