Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are used when generating PDF reports. If a report requests external resources plaintext credentials are included in the HTTP request that could be recovered by an external resource provider. References: https://www.elastic.co/blog/elastic-support-alert-kibana-reporting-vulnerability https://www.elastic.co/community/security
The PDF report generation is part of x-pack. Prior to version 6.3 x-pack was not a default part of the opensource project and not included in the packages provided by Red Hat.
openshift-enterprise-3.x: as stated in comment 1, no release of OCP so far includes a version of kibana which includes x-pack