[DOCS] Adds security update to 6.8.9 release notes (elastic#68129)

* [DOCS] Adds security update to 6.8.9 release notes * Removed Elasticsearch security update
jportner · Jun 5, 2020 · 04496bd · 04496bd
1 parent c86ecf5
commit 04496bd
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/docs/CHANGELOG.asciidoc b/docs/CHANGELOG.asciidoc
@@ -112,6 +112,28 @@ You must upgrade to 6.8.10. If you are unable to upgrade, set `metrics.enabled:f
 [[release-notes-6.8.9]]
 == {kib} 6.8.9
 
+[float]
+[[security-update-6.8.9]]
+=== Security updates
+* In 6.7.0 to 6.8.8, the Upgrade Assistant contains a prototype pollution flaw. An authenticated attacker with 
+privileges to write to the {kib} index can insert data that could cause {kib} to execute arbitrary code. This 
+could lead to an attacker executing code with the permissions of the {kib} process on the host system, CVE-2020-7012.
++
+By default, the Upgrade Assistant flaw is mitigated in all {kib} instances accessed through {ess}.
++
+For all other installations, you must upgrade to 6.8.9. If you are unable to upgrade, disable the Upgrade Assistant in your kibana.yml file:
+
+** In 6.7.0 and 6.7.1, set `upgrade_assistant.enabled:false`
+** In 6.7.2 and later, set `xpack.upgrade_assistant_enabled:false`
+
+* In 6.8.9 and earlier, TSVB contains a prototype pollution flaw. Authenticated attackers with privileges to create 
+TSVB visualizations can insert data that could cause {kib} to execute arbitrary code. This 
+could lead to an attacker executing code with the permissions of the {kib} process on the host system, CVE-2020-7013.
++
+By default, the Upgrade Assistant flaw is mitigated in all {kib} instances accessed through {ess}.
++
+For all other installations, you must upgrade to 6.8.9. If you are unable to upgrade, set `metrics.enabled:false` in your kibana.yml file to disable TSVB.
+
 [float]
 [[enhancement-6.8.9]]
 === Enhancement