[DOCS] Adds security update to 6.8.9 release notes (#68129)

* [DOCS] Adds security update to 6.8.9 release notes * Removed Elasticsearch security update
2025-04-24 17:59:23 -04:00 · 2020-06-05 13:17:34 -05:00 · 2020-06-05 13:17:34 -05:00 · 04496bd188
commit 04496bd188
parent c86ecf5de5
1 changed files with 22 additions and 0 deletions
--- a/docs/CHANGELOG.asciidoc
+++ b/docs/CHANGELOG.asciidoc
@ -112,6 +112,28 @@ You must upgrade to 6.8.10. If you are unable to upgrade, set `metrics.enabled:f
 [[release-notes-6.8.9]]
 == {kib} 6.8.9

+[float]
+[[security-update-6.8.9]]
+=== Security updates
+* In 6.7.0 to 6.8.8, the Upgrade Assistant contains a prototype pollution flaw. An authenticated attacker with 
+privileges to write to the {kib} index can insert data that could cause {kib} to execute arbitrary code. This 
+could lead to an attacker executing code with the permissions of the {kib} process on the host system, CVE-2020-7012.
+
+By default, the Upgrade Assistant flaw is mitigated in all {kib} instances accessed through {ess}.
+
+For all other installations, you must upgrade to 6.8.9. If you are unable to upgrade, disable the Upgrade Assistant in your kibana.yml file:
+
+** In 6.7.0 and 6.7.1, set `upgrade_assistant.enabled:false`
+** In 6.7.2 and later, set `xpack.upgrade_assistant_enabled:false`
+
+* In 6.8.9 and earlier, TSVB contains a prototype pollution flaw. Authenticated attackers with privileges to create 
+TSVB visualizations can insert data that could cause {kib} to execute arbitrary code. This 
+could lead to an attacker executing code with the permissions of the {kib} process on the host system, CVE-2020-7013.
+
+By default, the Upgrade Assistant flaw is mitigated in all {kib} instances accessed through {ess}.
+
+For all other installations, you must upgrade to 6.8.9. If you are unable to upgrade, set `metrics.enabled:false` in your kibana.yml file to disable TSVB.
+
 [float]
 [[enhancement-6.8.9]]
 === Enhancement