From c2fe630d20bc40bc1bf906a7cf19e488231b2536 Mon Sep 17 00:00:00 2001 From: Brandon Morelli Date: Tue, 10 Oct 2023 06:31:40 -0700 Subject: [PATCH] Add security update to 8.10.3 (#168468) (cherry picked from commit 348563b52f8ed037f02db0860594c179ec938659) --- docs/CHANGELOG.asciidoc | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/docs/CHANGELOG.asciidoc b/docs/CHANGELOG.asciidoc index aaceec07701cb..e6e426e7a8623 100644 --- a/docs/CHANGELOG.asciidoc +++ b/docs/CHANGELOG.asciidoc @@ -54,7 +54,19 @@ Review important information about the {kib} 8.x releases. [[release-notes-8.10.3]] == {kib} 8.10.3 -The 8.10.3 release includes the following bug fixes. +[float] +[[security-update-8.10.3]] +=== Security updates + +* **Kibana heap buffer overflow vulnerability** ++ +On Sept 11, 2023, Google Chrome announced CVE-2023-4863, described as “Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page”. Kibana includes a bundled version of headless Chromium that is only used for Kibana’s reporting capabilities and which is affected by this vulnerability. An exploit for Kibana has not been identified, however as a resolution, the bundled version of Chromium is updated in this release. ++ +The issue is resolved in 8.10.3. ++ +For more information, see our related +https://discuss.elastic.co/t/kibana-8-10-3-7-17-14-security-update/344735[security +announcement]. [float] [[enhancement-v8.10.3]]
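Review bot: The new "Security updates" entry under `[[release-notes-8.10.3]]` says "the bundled version of Chromium is updated in this release" but never names the Chromium or libwebp version that now ships. A reader therefore cannot compare an installed build against the fixed versions quoted from the CVE-2023-4863 description (Chrome 116.0.5845.187, libwebp 1.3.2). I suggest adding the bundled Chromium version to that sentence. The entry also states that Chromium is "only used for Kibana's reporting capabilities" but gives neither an affected Kibana version range nor any interim guidance for deployments that cannot move to 8.10.3 right away. If that detail lives only in the linked discuss.elastic.co announcement, say so explicitly in the entry. Two smaller points: the new anchor `[[security-update-8.10.3]]` drops the `v` used by the adjacent `[[enhancement-v8.10.3]]`, so confirm which form the other release sections follow before this id gets linked elsewhere. Also, the hunk deletes the section's intro sentence ("The 8.10.3 release includes the following bug fixes.") without replacing it, leaving `== {kib} 8.10.3` with no lead-in that mentions the security update.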