Elasticsearch and Liferay Enterprise Search Security Advisory: April 2, 2020

Published: April 2, 2020

The following issue may affect the functionality of your Liferay DXP and Enterprise Search environment. This notification describes the latest compatibility change and the actions required of Liferay Enterprise Search subscribers.

Deployments which might be impacted

  • Liferay DXP 7.0, 7.1 and 7.2 on Elastic Stack 6.7, 7.x or higher.

Vulnerability Information

(As provided by the vendor.)

Elasticsearch authentication API key privilege escalation (ESA-2020-02)

Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevated privileges.

Affected Versions
All versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 are vulnerable to this issue.

Solutions and Mitigations
Users should upgrade to Elasticsearch version 7.6.2 or 6.8.8. Users who are unable to upgrade can mitigate this flaw by disabling API keys by setting xpack.security.authc.api_key.enabled to false in the elasticsearch.yml file.

CVE ID: CVE-2020-7009

Additional Mitigation Notes

Liferay's Enterprise Search connectors do not use API keys out of the box.
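As an added check that is not part of this advisory and not Liferay's or Elastic's code, the script below applies the two facts stated above: whether a reported Elasticsearch version falls inside the affected ranges, and whether the elasticsearch.yml mitigation (xpack.security.authc.api_key.enabled set to false) is in place. It assumes elasticsearch.yml uses flat dotted keys, and treats a missing api_key setting as enabled, the conservative reading.

```python
"""Assess an Elasticsearch node against ESA-2020-02 / CVE-2020-7009.

Added example, not Liferay's or Elastic's code. The elasticsearch.yml text
below is a constructed sample.
"""
import re

# Affected ranges as stated in the advisory (inclusive bounds).
AFFECTED_RANGES = [((6, 7, 0), (6, 8, 7)), ((7, 0, 0), (7, 6, 1))]
# Fixed releases named in the advisory, by major version.
FIXED_VERSIONS = {6: "6.8.8", 7: "7.6.2"}

SETTING_RE = re.compile(r"^xpack\.security\.authc\.api_key\.enabled\s*:\s*(\S+)")


def parse_version(text):
    """Turn '7.6.1' (a suffix such as '-SNAPSHOT' is ignored) into a tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    return tuple(int(p) for p in m.groups())


def is_affected(version):
    """True if the version lies in one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def api_keys_enabled(yaml_text):
    """Read the api_key.enabled setting from a flat-key elasticsearch.yml.
    Assumption: an absent setting is treated as enabled (conservative)."""
    for line in yaml_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        m = SETTING_RE.match(line)
        if m:
            return m.group(1).strip("\"'").lower() == "true"
    return True


def assess(version, yaml_text):
    """Return 'not-affected', 'mitigated' (API keys disabled) or 'vulnerable'."""
    if not is_affected(version):
        return "not-affected"
    if not api_keys_enabled(yaml_text):
        return "mitigated"
    return "vulnerable"


SAMPLE_YML = """cluster.name: liferay-search   # constructed sample elasticsearch.yml
xpack.security.enabled: true
xpack.security.authc.api_key.enabled: false
"""

if __name__ == "__main__":
    print(assess("7.6.1", SAMPLE_YML))  # prints "mitigated"
```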

Search Engine Compatibility Matrix

Refer to the compatibility matrix here for detailed Elasticsearch compatibility information, including the compatible connector versions and required patch levels.

Vendor References

https://discuss.elastic.co/t/elastic-stack-6-8-8-and-7-6-2-security-update/225920

https://www.elastic.co/guide/en/elasticsearch/reference/current/release-notes-7.6.2.html
https://www.elastic.co/guide/en/kibana/current/release-notes-7.6.2.html

https://www.elastic.co/guide/en/elasticsearch/reference/6.8/release-notes-6.8.8.html
https://www.elastic.co/guide/en/kibana/6.8/release-notes-6.8.8.html
Elastic, Elasticsearch, and X-Pack are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.