Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2022-23713

The following issues may affect the functionality of your Liferay DXP, Liferay Enterprise Search environment and your Elastic Stack.

Deployments which might be impacted

  • Kibana versions 7.0.0 through 7.17.4

Vulnerability Information

Kibana cross-site-scripting (XSS) issue (ESA-2022-08)

A cross-site-scripting (XSS) vulnerability was discovered in the Vega Charts Kibana integration which could allow arbitrary JavaScript to be executed in a victim’s browser.

Affected Versions:

Versions 7.0.0 through 7.17.4 and 8.0.0 through 8.2.3

Solutions and Mitigations:

The issue is fixed in versions 8.3.0 and 7.17.5.

If you are unable to upgrade, you can choose to disable Vega visualizations instead:

For on-premises installations, set vis_type_vega.enabled: false (or vega.enabled: false for Kibana versions older than 7.7.0) in the kibana.yml file.
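As an added example (not part of the Liferay or Elastic advisory), a small Python check that compares a Kibana version with the affected ranges listed above and inspects a kibana.yml fragment for the workaround, using the setting name that applies to that version. The version boundaries and the 7.7.0 key rename are taken from the advisory; parsing only flat `key: value` lines and the sample kibana.yml fragments are assumptions made here.

```python
"""Check a Kibana version and kibana.yml against ESA-2022-08 / CVE-2022-23713."""
import re

# Affected ranges quoted from the advisory (inclusive on both ends).
AFFECTED_RANGES = [((7, 0, 0), (7, 17, 4)), ((8, 0, 0), (8, 2, 3))]


def parse_version(text):
    """Turn '7.17.4' into (7, 17, 4); any pre-release suffix is ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Kibana version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def vega_setting_key(version):
    """The setting was renamed in 7.7.0: vega.enabled -> vis_type_vega.enabled."""
    return "vis_type_vega.enabled" if parse_version(version) >= (7, 7, 0) else "vega.enabled"


def vega_disabled(kibana_yml_text, version):
    """True only if the key valid for this version is explicitly set to false.
    Assumption: flat 'key: value' lines; commented-out lines do not count."""
    key = vega_setting_key(version)
    pattern = re.compile(r"^\s*" + re.escape(key) + r"\s*:\s*(\S+)", re.MULTILINE)
    m = pattern.search(kibana_yml_text)
    return bool(m) and m.group(1).lower() == "false"


def assess(version, kibana_yml_text):
    """Return 'not affected', 'mitigated' (workaround present) or 'vulnerable'."""
    if not is_affected(version):
        return "not affected"
    if vega_disabled(kibana_yml_text, version):
        return "mitigated"
    return "vulnerable"


# Constructed sample kibana.yml fragments, not taken from any real deployment.
SAMPLE_UNMITIGATED = "server.port: 5601\nvis_type_vega.enabled: true\n"
SAMPLE_MITIGATED = "server.port: 5601\nvis_type_vega.enabled: false\n"

if __name__ == "__main__":
    for ver, yml in [("7.17.4", SAMPLE_UNMITIGATED), ("7.17.4", SAMPLE_MITIGATED),
                     ("7.17.5", SAMPLE_UNMITIGATED)]:
        print(ver, assess(ver, yml))
```

Note that a workaround written under the wrong key for the running version (for example `vis_type_vega.enabled` on 7.6.x) is reported as still vulnerable, which is the case the check is meant to catch.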

CVSSv3:
6.4 (Medium) - AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CVE ID: CVE-2022-23713

Search Engine Compatibility Matrix

Refer to the compatibility matrix for detailed Elasticsearch compatibility information, including compatible connector versions and required patch levels.

Vendor References

https://discuss.elastic.co/t/elastic-8-3-1-8-3-0-and-7-17-5-security-update/308613


Elastic, Elasticsearch, and X-Pack are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.
