Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion. An attacker can construct a URL that, when viewed by a Kibana user, can cause the Kibana process to consume large amounts of CPU and become unresponsive. References: https://discuss.elastic.co/t/elastic-stack-6-8-11-and-7-8-1-security-update/242786 https://www.elastic.co/community/security/
Statement: In Red Hat OpenShift Container Platform (RHOCP), the affected Kibana component sits behind OpenShift OAuth authentication. This restricts access to the vulnerable Timelion component of Kibana to authenticated users only; therefore the impact is Low. Red Hat OpenShift Container Platform 4 delivers the Kibana package in which the Timelion tool is used, but because development has moved to container-first content, the kibana package is marked as wontfix. This may be fixed in the future.