Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-23446, CVE-2023-7024

The following issues may affect your Liferay-Elastic stack.

Vulnerability Information

Kibana Broken Access Control issue (CVE-2024-23446, ESA-2024-01)

Refer to https://discuss.elastic.co/t/kibana-8-12-1-security-update-esa-2024-01/352686 for details and mitigation.

Kibana heap buffer overflow vulnerability (CVE-2023-7024, ESA-2024-04)

Refer to https://discuss.elastic.co/t/kibana-8-12-1-7-17-18-security-update-esa-2024-04/352805 for details and mitigation.

Additional Information

Regarding CVE-2024-23446: Liferay's out-of-the-box features do not use the Elastic Security Detection Engine Search API that is affected by this vulnerability.

Search Engine Compatibility

As usual, Liferay recommends that customers upgrade their production Elastic stack to the latest available and compatible 7.x/8.x release. Refer to the information here for detailed Elasticsearch compatibility, including the compatible connector versions and required update/patch levels.


  • Elastic, Elasticsearch, and X-Pack are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.
