Elasticsearch and Liferay Enterprise Search Security Advisory: April 28, 2021

The following issues may affect the functionality of your Liferay DXP or Liferay Enterprise Search environment and of your Elastic Stack.

Deployments which might be impacted

  • Elastic Stack 7.x using Kibana before 7.12.1

Vulnerability Information

Kibana denial of service issue (ESA-2021-10)

A denial of service vulnerability was found in the Kibana webhook actions due to a lack of timeout or a limit on the request size. An attacker with permissions to create webhook actions could drain the Kibana host connection pool, making Kibana unavailable for all other users.
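
The defect described above is the absence of two bounds on an outbound webhook call: a deadline and a cap on how much the remote side may send back. The following added example (written for this page, not Kibana's code and not from Elastic or Liferay) shows a webhook client that applies both, exercised against a constructed local endpoint that either answers, stalls, or floods; the names TIMEOUT, MAX_BODY, HostileTarget and the three paths are assumptions of the example.

```python
import http.client, socket, threading, time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
TIMEOUT = 0.5      # seconds allowed for connect and for each read
MAX_BODY = 4096    # bytes of response body we are willing to accept

class WebhookError(Exception): pass

def post_webhook(host, port, path, payload):
    """POST payload; return status, or raise WebhookError on stall or oversize reply."""
    conn = http.client.HTTPConnection(host, port, timeout=TIMEOUT)
    try:
        conn.request("POST", path, body=payload)
        resp = conn.getresponse()
        body = resp.read(MAX_BODY + 1)     # read at most one byte past the cap
        if len(body) > MAX_BODY:
            raise WebhookError("response exceeded %d bytes" % MAX_BODY)
        return resp.status
    except socket.timeout as exc:
        raise WebhookError("no response within %.1fs" % TIMEOUT) from exc
    finally:
        conn.close()                       # release the socket, never pin it

class HostileTarget(BaseHTTPRequestHandler):
    # Constructed demo endpoint: /ok answers, /slow stalls, /huge floods.
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.path == "/slow":
            time.sleep(TIMEOUT * 4)        # hold the socket past the deadline
        try:
            self.send_response(200)
            self.end_headers()
            if self.path == "/huge":
                for _ in range(1024):      # 1 MiB, far beyond MAX_BODY
                    self.wfile.write(b"x" * 1024)
        except ConnectionError:
            pass                           # client hung up, as intended
    def log_message(self, *args):
        pass                               # keep the demo quiet

def run_demo():
    # Call each endpoint once; return {path: "status N" or "error: ..."}.
    server = ThreadingHTTPServer(("127.0.0.1", 0), HostileTarget)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    results = {}
    for path in ("/ok", "/slow", "/huge"):
        try:
            results[path] = "status %d" % post_webhook(*server.server_address, path, b"{}")
        except WebhookError as exc:
            results[path] = "error: %s" % exc
    server.shutdown()
    return results
```

Without the timeout the `/slow` call would hold its connection until the remote side chose to answer, and without the cap the `/huge` call would read until memory or the pool ran out; with both bounds each call returns within TIMEOUT and its connection is closed.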

Thank you to Dominic Couture for this finding.

Affected Versions:

All versions of Kibana prior to 7.12.1

Solutions and Mitigations:

Customers should upgrade to Kibana 7.12.1 or later.

CVSSv3: 4.9 - AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2021-22139

Additional Information

When updating Kibana to 7.11+, the following known issue may impact your Liferay Enterprise Search Monitoring - Kibana integration. Please refer to this article for details.

Search Engine Compatibility Matrix

Refer to the information here for detailed Elasticsearch compatibility, including compatible connector versions and required patch levels.

Vendor References

https://discuss.elastic.co/t/7-12-1-security-update/271433


Elastic, Elasticsearch, and X-Pack are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.