Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2023-31418, CVE-2023-31419, CVE-2023-31422

The following issues may affect your Liferay-Elastic stack.

Vulnerability Information

Elasticsearch uncontrolled resource consumption (ESA-2023-13)

An issue has been identified with how Elasticsearch handled incoming requests on the HTTP layer. An unauthenticated user could force an Elasticsearch node to exit with an OutOfMemory error by sending a moderate number of malformed HTTP requests.

The issue was identified by Elastic Engineering and we have no indication that the issue is known or that it is being exploited in the wild.

Affected Versions:

Elasticsearch versions up to 7.17.12 and from 8.0.0 up to 8.8.2

Elastic Cloud Enterprise up to versions 2.13.3 and 3.6.0, as these include Elasticsearch system clusters on affected versions.

Solutions and Mitigations:

Users should upgrade to Elasticsearch version 7.17.13 or 8.9.0 and higher.
Users should upgrade to Elastic Cloud Enterprise version 2.13.4 or 3.6.1.

CVSSv3.1: 7.5 (High) AV:N/AC:L/PR:N/UI:N/

CVE ID: CVE-2023-31418

Elasticsearch StackOverflow vulnerability (ESA-2023-14)

A flaw was discovered in the Elasticsearch server affecting the _search API, which allowed a specially crafted query string to cause a stack overflow and ultimately a denial of service.

Affected Versions:

Elasticsearch versions from 7.0.0 to 7.17.12 and from 8.0.0 to 8.9.0

Solutions and Mitigations:

The issue is resolved in Elasticsearch 7.17.13 and 8.9.1

CVSSv3: 6.5 (Medium) - AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2023-31419

Kibana Insertion of Sensitive Information into Log File (ESA-2023-17)

On September 14, engineers at Elastic discovered an issue whereby authentication credentials can be recorded in Kibana logs in the event of an error. The issue impacts only Kibana version 8.10.0 when logging with the JSON layout or when the pattern layout is configured to log the %meta pattern.

On September 18, Elastic released Kibana 8.10.1, which resolves this issue. Customers running self-managed Kibana 8.10.0, including ECE or ECK deployments, should upgrade immediately to Kibana 8.10.1. Kibana instances of Elastic Cloud Customers on 8.10.0 have already been patched to resolve this issue.

The error object recorded in the log contains request information, which can include data such as authentication credentials, cookies, authorization headers, query params, request paths, and other metadata. Examples of data that can end up in the logs are the account credentials for kibana_system, kibana-metricbeat, or Kibana end users.

Affected Versions:
Kibana version 8.10.0

Solutions and Mitigations:
The issue is resolved in Kibana 8.10.1. Version 8.10.0 has been removed from our download sites.

Elastic Cloud
Kibana instances of Elastic Cloud Customers on 8.10.0 have been patched to resolve this issue.

Note: If you upgraded to 8.10.0 and had Logging and Monitoring enabled, credential material may have been logged in your Logging and Monitoring deployment. We advise you to follow the guidance in ESA-2023-17 to check the Kibana logs for any ingested credentials and to perform follow-up actions, such as purging data from logs and rotating any potentially exposed credentials.

Elastic has performed the following additional mitigations:

  • We have deployed an ingest processor to redact the in-scope fields before they are logged in our monitoring environment.

  • We purged log data that potentially included authentication credentials from our monitoring environment, covering the period before the ingest processor was deployed.

  • We are automatically rotating kibana_system and kibana-metricbeat account credentials for all Kibana 8.10.0 deployments in Elastic Cloud

  • We reviewed the accesses to our logging environment for the duration of this issue and did not identify any unauthorized activity.

Self-Managed
Users who are running Kibana 8.10.0 self-managed, including ECE or ECK deployments, should upgrade immediately to Kibana 8.10.1. Potentially affected logs should be reviewed for any authentication data and, if deemed necessary, follow-up actions such as purging data from logs and rotating any potentially exposed credentials should be performed.

Please see ESA-2023-17 for additional details and mitigation actions.
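To act on the log-review guidance above, the following scanner is an added example written for this page; it is not Elastic's or Liferay's tooling. It walks every nested field of Kibana JSON-layout log records, flags authorization headers, cookies, password/token fields and secrets embedded in request paths, extracts the Basic-auth usernames that need rotating, and produces a redacted copy in the spirit of the ingest-time redaction described above. The field layout of the leaked error object and the sample log lines are constructed for illustration; real 8.10.0 records may differ, which is why the scanner does not rely on a fixed path.

```python
"""Find credential material in Kibana JSON-layout logs (ESA-2023-17 follow-up).

Added example for this advisory page, not Elastic's or Liferay's code. The
advisory says the logged error object can carry authentication credentials,
cookies, authorization headers, query params and request paths, but not the
exact field layout, so every nested field of each record is inspected.
"""
import base64
import json
import re

# Keys whose values are secrets by definition (compared case-insensitively).
SENSITIVE_KEYS = {"authorization", "cookie", "set-cookie", "password",
                  "api_key", "apikey", "token"}
# Secrets smuggled inside a URL or request path, e.g. "/login?password=...".
URL_SECRET_RE = re.compile(r"([?&](?:password|pwd|api_key|token)=)[^&\s]*", re.I)
BASIC_RE = re.compile(r"^Basic\s+([A-Za-z0-9+/=]+)$", re.I)
REDACTED = "[REDACTED]"

# Constructed Kibana-8.10.0-style JSON log lines; the shape of error.meta is an
# assumption made for this example.
SAMPLE_LOG = [
    '{"@timestamp":"2023-09-15T10:00:00.000Z","log":{"level":"INFO","logger":"http.server.response"},'
    '"message":"GET /api/status 200 12ms"}',
    '{"@timestamp":"2023-09-15T10:00:01.000Z","log":{"level":"ERROR","logger":"plugins.security"},'
    '"message":"Request failed","error":{"message":"socket hang up","meta":{"request":'
    '{"method":"GET","path":"/api/saved_objects/_find","headers":{"user-agent":"Metricbeat",'
    '"authorization":"Basic a2liYW5hX3N5c3RlbTpzM2NyZXQ="}}}}}',   # kibana_system:s3cret
    '{"@timestamp":"2023-09-15T10:00:02.000Z","log":{"level":"ERROR","logger":"http"},'
    '"message":"Request failed","error":{"message":"timeout","meta":{"request":'
    '{"method":"POST","path":"/internal/security/login?token=abc123",'
    '"headers":{"cookie":"sid=Fe26.2**deadbeef"}}}}}',
]


def _walk(node, path="", key=""):
    """Yield (dotted_path, key, value) for every scalar leaf of a JSON tree."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, f"{path}.{k}" if path else k, k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, f"{path}[{i}]", key)
    else:
        yield path, key, node


def basic_auth_user(value):
    """Username from a 'Basic <base64>' header value, or None if it is not one."""
    m = BASIC_RE.match(str(value))
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return decoded.split(":", 1)[0] if ":" in decoded else None


def find_credentials(line):
    """Findings for one JSON log line: list of (path, kind, account_or_None)."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return []
    findings = []
    for path, key, value in _walk(record):
        if value == REDACTED:
            continue
        if key.lower() in SENSITIVE_KEYS:
            findings.append((path, key.lower(), basic_auth_user(value)))
        elif isinstance(value, str):
            m = URL_SECRET_RE.search(value)
            if m and not m.group(0).endswith(REDACTED):
                findings.append((path, "url-parameter", None))
    return findings


def exposed_accounts(lines):
    """Scan a whole log; return the Basic-auth usernames that must be rotated."""
    return {acct for line in lines for _, _, acct in find_credentials(line) if acct}


def redact(node):
    """Copy of a record with sensitive keys and URL secrets replaced (the same
    idea as the ingest-time redaction the advisory describes)."""
    if isinstance(node, dict):
        return {k: REDACTED if k.lower() in SENSITIVE_KEYS else redact(v)
                for k, v in node.items()}
    if isinstance(node, list):
        return [redact(v) for v in node]
    if isinstance(node, str):
        return URL_SECRET_RE.sub(r"\1" + REDACTED, node)
    return node


def redact_line(line):
    """Redacted JSON text for one log line; non-JSON lines pass through."""
    try:
        return json.dumps(redact(json.loads(line)), separators=(",", ":"))
    except json.JSONDecodeError:
        return line


if __name__ == "__main__":
    for n, line in enumerate(SAMPLE_LOG, 1):
        for path, kind, acct in find_credentials(line):
            print(f"line {n}: {kind} at {path}" + (f" (account {acct})" if acct else ""))
    print("rotate:", sorted(exposed_accounts(SAMPLE_LOG)))
```

Run it against the exported Kibana log (one JSON record per line, as the JSON layout writes them) and treat every account it lists as compromised until rotated; the redaction helper is only a stop-gap for copies you must keep, since the original file still has to be purged.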

Kibana heap buffer overflow vulnerability (ESA-2023-19)

On Sept 11, 2023, Google Chrome announced CVE-2023-4863, described as “Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page”. Kibana includes a bundled version of headless Chromium that is only used for Kibana’s reporting capabilities and which is affected by this vulnerability. No exploit against Kibana has been identified; as a resolution, the bundled version of Chromium is updated in this release.

This issue affects on-premises Kibana installations on host operating systems where the Chromium sandbox is disabled (only CentOS, Debian, RHEL).

This issue affects Kibana instances running using the Kibana Docker image when the Chromium sandbox is explicitly disabled as suggested by the documentation. Further exploitation such as container escape is prevented by seccomp-bpf.

This issue affects Kibana instances running on Elastic Cloud but the RCE is limited within the Kibana Docker container. Further exploitation such as container escape is prevented by seccomp-bpf and AppArmor profiles.

This issue affects Kibana instances running on Elastic Cloud Enterprise (ECE) but the RCE is limited within the Kibana Docker container. Further exploitation such as container escape is prevented by seccomp-bpf and AppArmor profiles.

This issue affects Kibana instances running on Elastic Cloud on Kubernetes (ECK) but the RCE is limited within the Kibana Docker container. Further exploitation such as container escape can be prevented by seccomp-bpf when configured and supported (Kubernetes v1.19 and later).

Affected Versions:
Kibana versions from 7.0.0 before 7.17.14 and Kibana versions from 8.0.0 before 8.10.3

Solutions and Mitigations:
Users should upgrade to version 8.10.3 or 7.17.14.

If you are unable to upgrade, you can disable Kibana reporting functionality completely in the kibana.yml file with the following setting:
xpack.reporting.enabled: false

CVSSv3: 9.9 (Critical) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
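As an added example, not Elastic's or Liferay's code, the following triage script applies the version ranges and the kibana.yml workaround from this section to one Kibana instance: it reports whether the version still carries the affected Chromium, whether reporting is disabled, and whether the Chromium sandbox has been switched off (the condition that widens the impact on the hosts and containers listed above). It assumes the flat `dotted.key: value` style of kibana.yml; the sandbox setting names are the ones from Kibana's reporting documentation for 7.x and 8.x (verify against your version), and the sample kibana.yml contents are constructed.

```python
"""Triage helper for ESA-2023-19 (Kibana reporting / bundled Chromium, CVE-2023-4863).

Added example for this advisory page, not Elastic's or Liferay's tooling.
"""
import re

# First fixed release per major, from the advisory ("upgrade to 8.10.3 or 7.17.14").
FIRST_FIXED = {7: (7, 17, 14), 8: (8, 10, 3)}

# The sandbox switch moved from the reporting plugin (7.x) to the screenshotting
# plugin (8.x); names as documented by Kibana, assumed here to cover both lines.
SANDBOX_KEYS = (
    "xpack.reporting.capture.browser.chromium.disableSandbox",   # 7.x
    "xpack.screenshotting.browser.chromium.disableSandbox",      # 8.x
)

# Constructed kibana.yml fragments: reporting left on with the sandbox disabled
# (the Docker/RHEL-style configuration), and the same file with the workaround.
VULNERABLE_YML = """\
# constructed sample, not a real deployment
server.host: "0.0.0.0"
elasticsearch.hosts: ["https://es:9200"]
xpack.screenshotting.browser.chromium.disableSandbox: true
"""
MITIGATED_YML = VULNERABLE_YML + "xpack.reporting.enabled: false\n"


def parse_version(text):
    """'8.10.2' or '7.17.13-SNAPSHOT' -> (8, 10, 2); raises on anything else."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Kibana version: {text!r}")
    return tuple(int(x) for x in m.groups())


def affected_by_esa_2023_19(version):
    """True for 7.0.0 <= v < 7.17.14 and 8.0.0 <= v < 8.10.3, as the advisory lists."""
    v = parse_version(version)
    fixed = FIRST_FIXED.get(v[0])
    return fixed is not None and v < fixed


def parse_kibana_yml(text):
    """Minimal reader for the flat 'dotted.key: value' style of kibana.yml.
    Assumption: no nested mappings; 'true'/'false' become bool, other scalars stay str."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments (assumes no '#' in values)
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if not key or " " in key:
            continue
        value = value.strip("'\"")
        settings[key] = {"true": True, "false": False}.get(value.lower(), value)
    return settings


def assess(version, kibana_yml):
    """Triage one Kibana instance: 'patched', 'mitigated' or 'exposed', with detail."""
    cfg = parse_kibana_yml(kibana_yml)
    affected = affected_by_esa_2023_19(version)
    reporting_on = cfg.get("xpack.reporting.enabled", True) is not False  # default is enabled
    sandbox_off = any(cfg.get(k) is True for k in SANDBOX_KEYS)
    if not affected:
        action, advice = "patched", "version already ships the updated Chromium"
    elif not reporting_on:
        action, advice = "mitigated", "reporting disabled; still schedule the upgrade"
    else:
        action, advice = "exposed", "upgrade to 7.17.14 / 8.10.3 or set xpack.reporting.enabled: false"
    return {"version": version, "affected_version": affected, "reporting_enabled": reporting_on,
            "sandbox_disabled": sandbox_off, "action": action, "advice": advice}


if __name__ == "__main__":
    for ver, yml in (("8.10.2", VULNERABLE_YML), ("8.10.2", MITIGATED_YML), ("8.10.3", VULNERABLE_YML)):
        r = assess(ver, yml)
        print(f"{r['version']}: {r['action']} (sandbox disabled: {r['sandbox_disabled']}) - {r['advice']}")
```

`sandbox_disabled` is reported rather than used to downgrade the verdict: the advisory still lists Docker, Elastic Cloud, ECE and ECK as affected, with seccomp-bpf and AppArmor only limiting what an exploit can reach afterwards.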

Additional Information

The sidecar Elasticsearch server included in the Liferay 7.3 and 7.4 Tomcat bundles and Docker images, which is suitable for development and local testing purposes, will be updated to the latest available 7.17.x version under LPS-195830. Note that while the bundled Elasticsearch servers are convenient for development and testing, they are neither suitable for production nor supported.

Search Engine Compatibility

As usual, Liferay recommends that its customers upgrade their production Elastic stack to the latest available and compatible 7.x/8.x release. Reference the information here for detailed Elasticsearch compatibility, including the compatible connector versions and the required update/patch levels.

Source

https://discuss.elastic.co/t/elasticsearch-8-9-1-7-17-13-security-update/343297

https://discuss.elastic.co/t/elasticsearch-8-9-0-7-17-13-security-update/343616

https://discuss.elastic.co/t/kibana-8-10-1-security-update/343287

https://discuss.elastic.co/t/kibana-8-10-3-7-17-14-security-update/344735


  • Elastic, Elasticsearch, and X-Pack are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.
