[Compatibility] Kibana 7.16.x

[Desvelao]

Description

We go to check the compatibility of the Wazuh app with Kibana 7.16.x.

Note the recently reported vulnerability for log4j, package used by Elasticsearch, was fixed in its 7.16.1 version, as it is recommended to install the same Kibana version that the Elasticsearch, it is important to give support to Kibana 7.16.1 or later despite the fact that other Kibana versions could be compatible with Elasticsearch 7.16.1. The vulnerability is not affecting Kibana directly.

Tasks

• Check if Kibana has breaking changes that affect to Wazuh app.
• Try to run the Wazuh app in a development environment. If there are some problems:
  • Analyze
  • Fix
• Review each section of the app:
  • Behaviour
  • IU (possible problems derived of changes in @elastic/eui dependency

[Desvelao]

Researching

Overview

• Stating with Kibana 7.16.0, AngularJS was removed as a dependency of the platform and others packages related. The Wazuh app in the current state uses AngularJS. We could add the required packages as dependencies for the Wazuh app to solve this problem.

Kibana plugin

• securityOss plugin is not available, we should remove the dependency and the logic used with this plugin.

• The plugin manifest ( kibana.json) requires an owner property with at least a name property. See the manifest of another plugin.

"owner": {
  "name": "OwnerName"
}

App behavior and UI

• The Events tab of each module requires some adaptation because some files of the Kibana core are not available anymore. We should move the required logic to app files and adapt it to our use case.

• The implicit filters used by the app (has no a x button to remove it) are displaying the button. Wazuh app uses the filterManager offered by Kibana. The method to set or add filters to the filterManager in Kibana 7.16.x is using a function to replace some received filters. For our case, the filters added or set by the Wazuh app using a match query, and the Kibana logic is replacing them by match_phrase doing the logic to hide the buttons are not working as expected. See:

  

https://github.com/elastic/kibana/blob/v7.16.0/src/plugins/data/public/query/filter_manager/lib/map_and_flatten_filters.ts#L13-L19
https://github.com/elastic/kibana/blob/v7.16.0/packages/kbn-es-query/src/es_query/migrate_filter.ts#L35-L64

• There are some problems with the UI:

  • Health check: the check details are always displayed with a fixed height

    

  • Wazuh menu button is not replacing the plugin name set by Kibana
    

  • Wazuh breadcrumb has some problems
    

  • Icons in Settings > About
    

[Desvelao]

We found a problem in the app for production related to AngularJS that could not resolve the dependencies to inject.

This is because when building the app, the source code is minified that broke the implicit annotation of dependency injection. To solve this, we replaced it by:

• inline array annotation
• $inject propery annotation

This problem didn't appear in previous versions of Kibana (<7.16) because the process of transpilation and minification didn't change the name of dependencies and AngularJS was able to inject the required dependencies.

[Desvelao]

There are some issues related which appeared after adapting the app to 7.16:

• The chart legend are displayed vertically and with a double-colored line. #3755
• [FIX] [MODULES] [MITRE ATT&CK] [Intelligence] Wrap text in the Description column for the resources info table #3780
• Fixed Office365/Github module the side panel tab #3778
• [FIX] [Modules] Avoid the implicit filters can be removables #3777
• Fix add single agent to group #3776

Some of them could be happening in previous versions of Kibana, we should check it.

[iasdeoupxe]

Note the recently reported vulnerability for log4j (package used by Elasticsearch) was fixed in Kibana 7.16.1, so it is important to give support to this version and later.

This doesn't affect Kibana according to https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#not-impacted-20:

We have validated that the vulnerability does not exist in the following Elastic products:

• ...
• Kibana

[sqall01]

Note the recently reported vulnerability for log4j (package used by Elasticsearch) was fixed in Kibana 7.16.1, so it is important to give support to this version and later.

This doesn't affect Kibana according to https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476#not-impacted-20:

We have validated that the vulnerability does not exist in the following Elastic products:

• ...
• Kibana

Yes it does not affect Kibana directly, but it affects Elasticsearch. And since the recommendation is to use the same version for Elasticsearch as for Kibana, an indirect dependency is there.

[iasdeoupxe]

Yes, but the quoted text had stated that the vulnerability was fixed in Kibana 7.16.1 but there was no such vulnerability in Kibana directly and i just wanted to correct that.

[Desvelao]

Thank you so much @iasdeoupxe and @sqall01! I modified the comment to clarify this.