A denial of service vulnerability was found in Kibana webhook actions due to a lack of a timeout or a limit on the request size: the outbound HTTP request issued by a webhook action had no deadline and no bound on the data read back from the receiving endpoint. An attacker with permissions to create webhook actions could point them at an endpoint that never completes and so drain the Kibana host connection pool, making Kibana unavailable for all other users. Fixed upstream in Kibana 7.12.1. Reference: https://discuss.elastic.co/t/7-12-1-security-update/271433
External References: https://discuss.elastic.co/t/7-12-1-security-update/271433
Statement: Kibana webhook actions are part of the X-Pack feature set [1]. In OpenShift Container Platform (OCP) the Kibana components ship with the X-Pack features disabled by default, and the X-Pack plugin can be used only with the commercial (subscription) version [2]. Hence the open source build shipped with OCP is not affected by this vulnerability. [1] https://www.elastic.co/guide/en/kibana/current/webhook-action-type.html [2] https://www.elastic.co/subscriptions
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-22139