Elastic Kibana
cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*
- >= 8.0.0, <= 8.19.12
- >= 9.0.0, <= 9.2.6
- >= 9.3.0, <= 9.3.1
A denial-of-service vulnerability has been identified in the Timelion visualization plugin of Kibana. The plugin does not properly validate input quantities, so an authenticated user can submit a specially crafted Timelion expression that overwrites internal series data properties with excessively large values. Evaluating such an expression triggers excessive memory allocation, exhausts the memory of the Kibana Node.js process, and crashes it. The vulnerability affects Kibana 8.0.0 through 8.19.12, 9.0.0 through 9.2.6, and 9.3.0 through 9.3.1 (fixed in 8.19.13, 9.2.7, and 9.3.2 respectively).
Successful exploitation makes the Kibana server run out of memory and crashes the Node.js process, taking Kibana down for all users, not just the attacker's session, until the process is restarted. Because only an authenticated account is required, any user able to submit Timelion expressions can trigger the crash, and repeated submissions can keep the service unavailable.
Upgrade to Kibana 8.19.13, 9.2.7, or 9.3.2 to address this vulnerability. Where an immediate upgrade is not possible, disable the Timelion plugin by setting 'vis_type_timelion.enabled' to false in the Kibana config YAML file (kibana.yml) and restarting Kibana; this removes the vulnerable code path at the cost of Timelion visualizations. This workaround is not available to Elastic Cloud users, so Elastic Cloud deployments must be upgraded.
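The following is an added example, not Elastic's code and not part of the original advisory. It encodes the affected ranges and fixed releases listed above, classifies a Kibana version string against them, and checks whether a kibana.yml text already carries the Timelion workaround (in either the dotted 'vis_type_timelion.enabled: false' form or the nested 'vis_type_timelion:' / 'enabled: false' form). The sample kibana.yml snippets are constructed here; in practice the version string would come from the deployment, for example the version.number field of Kibana's GET /api/status response (an assumption, not exercised by this code).

```python
"""Added example (not Elastic's code): classify a Kibana version against the
advisory's affected ranges and detect the Timelion workaround in kibana.yml."""
import re

# Affected ranges as (first_affected, last_affected, fixed_in), taken from the advisory.
AFFECTED_RANGES = [
    ((8, 0, 0), (8, 19, 12), "8.19.13"),
    ((9, 0, 0), (9, 2, 6), "9.2.7"),
    ((9, 3, 0), (9, 3, 1), "9.3.2"),
]


def parse_version(version):
    """Turn '8.19.12' (optionally with a suffix such as -SNAPSHOT) into a comparable tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Kibana version: {version!r}")
    return tuple(int(x) for x in m.groups())


def affected_fix(version):
    """Return the fixed release if `version` falls in an affected range, else None."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return fixed
    return None


def timelion_disabled(kibana_yml):
    """True if the kibana.yml text sets vis_type_timelion.enabled to false.

    Handles the flat dotted key and the two-level nested form; this is a
    line-based check, not a full YAML parser (assumption for this example)."""
    in_block = False
    for raw in kibana_yml.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indented = line[0] in " \t"
        stripped = line.strip()
        if not indented:
            in_block = False
            m = re.match(r"^vis_type_timelion\.enabled\s*:\s*(\S+)$", stripped)
            if m:
                return m.group(1).strip("\"'").lower() == "false"
            if re.match(r"^vis_type_timelion\s*:\s*$", stripped):
                in_block = True
            continue
        if in_block:
            m = re.match(r"^enabled\s*:\s*(\S+)$", stripped)
            if m:
                return m.group(1).strip("\"'").lower() == "false"
    return False


def assess(version, kibana_yml="", elastic_cloud=False):
    """Summarise: not affected / affected but mitigated / affected, upgrade needed.

    The workaround is only counted on self-managed deployments, since the
    advisory states it is not available on Elastic Cloud."""
    fixed = affected_fix(version)
    if fixed is None:
        return "not affected"
    if not elastic_cloud and timelion_disabled(kibana_yml):
        return f"affected; Timelion disabled (workaround in place), upgrade to {fixed} when possible"
    return f"affected; upgrade to {fixed}"


# Constructed sample kibana.yml snippets (not taken from any real deployment).
SAMPLE_YML_FLAT = "server.port: 5601\nvis_type_timelion.enabled: false  # DoS workaround\n"
SAMPLE_YML_NESTED = "vis_type_timelion:\n  enabled: false\n"
SAMPLE_YML_DEFAULT = "server.port: 5601\n"

if __name__ == "__main__":
    for v in ("7.17.0", "8.19.12", "8.19.13", "9.2.6", "9.2.7", "9.3.1", "9.3.2"):
        print(f"{v:>8} -> {assess(v, SAMPLE_YML_DEFAULT)}")
    print("8.19.12 with workaround ->", assess("8.19.12", SAMPLE_YML_FLAT))
    print("8.19.12 on Elastic Cloud ->", assess("8.19.12", SAMPLE_YML_FLAT, elastic_cloud=True))
```

The boundary values matter: 8.19.12 is the last affected patch release and 8.19.13 the first fixed one, so a check that treats "prior to 8.19.12" as the cut-off would wrongly clear a vulnerable instance.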