A flaw was found in Kibana's session timeout handling: the xpack.security.session.idleTimeout setting is not respected. Background polling activities unintentionally extend authenticated users' sessions, so a session that the user has left idle never times out.
References:
https://discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125
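The failure mode described above, as an added example that is not Kibana's code and not taken from the advisory: a small session store written for this page that validates a session on each request and decides whether the request counts as user activity. The `ignore_background=False` store reproduces the bug (every request, including background polls, refreshes the idle timer); the `ignore_background=True` store shows the intended behaviour. The constants, the 30-second poll interval, the boolean `background` flag and the optional absolute `lifespan` cap are all assumptions made for the example (how a real client marks background requests, and whether a lifespan cap is configured, are not stated on the page).

```python
"""Model of idle-timeout enforcement with and without the background-polling bug.

Added example, not Kibana's own code.  Time is integer seconds.  IDLE_TIMEOUT
stands in for xpack.security.session.idleTimeout; everything else is a
simplification (assumption) written only to show the failure mode.
"""
from dataclasses import dataclass
from typing import Optional

IDLE_TIMEOUT = 10 * 60   # stands in for xpack.security.session.idleTimeout (10m)
POLL_INTERVAL = 30       # constructed: a UI widget polling the server every 30 s


@dataclass
class Session:
    created_at: int
    last_activity: int


class SessionStore:
    """Validates a session on every request and decides whether that request
    counts as user activity (i.e. refreshes the idle timer)."""

    def __init__(self, idle_timeout: int, lifespan: Optional[int] = None,
                 ignore_background: bool = True) -> None:
        self.idle_timeout = idle_timeout
        self.lifespan = lifespan          # absolute cap in seconds; None = no cap
        # False reproduces the bug: every request, including background
        # polls, refreshes the idle timer.
        self.ignore_background = ignore_background

    def create(self, now: int) -> Session:
        return Session(created_at=now, last_activity=now)

    def request(self, session: Session, now: int, background: bool = False) -> bool:
        """Return True if the session is still valid at time `now`.

        `background` marks requests the client issues on its own (polling)
        rather than in response to a user action.  How a real client flags
        such requests is not covered here; a boolean is an assumption.
        """
        if now - session.last_activity > self.idle_timeout:
            return False                  # idle too long
        if self.lifespan is not None and now - session.created_at > self.lifespan:
            return False                  # absolute lifespan exceeded
        if not (background and self.ignore_background):
            session.last_activity = now   # counts as activity
        return True


def time_of_expiry(store: SessionStore, horizon: int,
                   poll_interval: int = POLL_INTERVAL) -> Optional[int]:
    """Create a session at t=0 (the user's last real action), then replay only
    background polls every `poll_interval` seconds up to `horizon`.
    Returns the time of the first rejected request, or None if the session
    survived the whole horizon."""
    session = store.create(0)
    t = poll_interval
    while t <= horizon:
        if not store.request(session, t, background=True):
            return t
        t += poll_interval
    return None


def buggy_store() -> SessionStore:
    """Polls refresh the idle timer: the advisory's behaviour."""
    return SessionStore(IDLE_TIMEOUT, ignore_background=False)


def fixed_store() -> SessionStore:
    """Only user actions refresh the idle timer."""
    return SessionStore(IDLE_TIMEOUT, ignore_background=True)


def capped_buggy_store(lifespan: int = 8 * 3600) -> SessionStore:
    """Idle bug still present, but an absolute lifespan cap (assumption) bounds
    how long a polled-alive session can survive."""
    return SessionStore(IDLE_TIMEOUT, lifespan=lifespan, ignore_background=False)


if __name__ == "__main__":
    day = 24 * 3600
    print("buggy, no cap :", time_of_expiry(buggy_store(), day))
    print("fixed         :", time_of_expiry(fixed_store(), day))
    print("buggy, capped :", time_of_expiry(capped_buggy_store(), day))
```

With the buggy store a session kept alive by 30-second polls never expires within a full day; the fixed store rejects the first poll that arrives more than ten minutes after the last real user action; the capped store shows why an absolute lifespan is a useful backstop to an idle timeout that cannot be trusted.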
Comment 2  Przemyslaw Roguski
2021-04-02 15:23:12 UTC
Statement:
In OpenShift Container Platform (OCP) the Kibana components have X-Pack security features disabled by default. The X-Pack plugin can be used only in an enterprise version [1].
Hence the open source version is unaffected by this vulnerability.
[1] https://www.elastic.co/subscriptions