
Elasticsearch and Liferay Enterprise Search Security Advisory: January 16, 2020

The following issue may affect the functionality of your Liferay DXP and Enterprise Search environment. This notification provides a description of the latest compatibility change and required actions for Liferay Enterprise Search Subscribers.

Deployments which might be impacted

  • Liferay DXP 7.0, 7.1 and 7.2 on Elastic Stack 6 or 7 using Kibana

Vulnerability Information

(As provided by the vendor.)

Kibana XSS (ESA-2019-17)

Kibana versions before 6.8.6 and 7.5.1 contain a cross-site scripting (XSS) flaw in the coordinate and region map visualizations. An attacker with the ability to create coordinate map visualizations could create a malicious visualization. If another Kibana user views that visualization, or a dashboard containing the visualization, it could execute JavaScript in the victim’s browser.

Please note that Kibana has had Content Security Policy (CSP) enabled by default since versions 6.7.0 and 7.0.0. Most browsers supported by Kibana honor the CSP settings. CSP prevents attackers from executing arbitrary JavaScript using this flaw; however, an attacker can still inject arbitrary HTML into the page. The setting ‘csp.strict: true’ can be set in kibana.yml to disallow browsers that do not enforce CSP rules.

Affected Versions
Kibana versions before 7.5.1 and 6.8.6

Solutions and Mitigations
Users should upgrade to Elasticsearch version 7.5.1 or 6.8.6. Users who are unable to upgrade can set xpack.maps.enabled: false, region_map.enabled: false, and tile_map.enabled: false in kibana.yml to disable map visualizations.
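The following is an added example, not code from Liferay or Elastic, that turns the advisory's affected-version ranges and kibana.yml mitigations into a check a subscriber can run against their own settings. It assumes a flat `key: value` kibana.yml (the minimal parser does not handle nested YAML), and the sample kibana.yml embedded below is constructed for illustration only.

```python
"""Check a Kibana deployment against ESA-2019-17 (CVE-2019-7621).

Added example (not Liferay's or Elastic's code). It applies the version
ranges and kibana.yml mitigations quoted in the advisory to a constructed
kibana.yml; the sample settings below are made up for illustration.
"""
import re

# Fixed releases named in the advisory.
FIXED_6 = (6, 8, 6)
FIXED_7 = (7, 5, 1)

# Mitigation keys from the advisory, with the value that disables the
# affected map visualizations.
MITIGATION_SETTINGS = {
    "xpack.maps.enabled": "false",
    "region_map.enabled": "false",
    "tile_map.enabled": "false",
}


def parse_version(text):
    """'7.4.2' -> (7, 4, 2); tolerates a suffix such as '7.5.1-SNAPSHOT'."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Kibana version: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version):
    """True for every release before 6.8.6 and for 7.0.0 <= v < 7.5.1."""
    v = parse_version(version)
    if v[0] == 7:
        return v < FIXED_7
    return v < FIXED_6


def parse_flat_yaml(text):
    """Minimal reader for flat 'key: value' lines as found in kibana.yml.
    Ignores comments and blank lines; nested YAML is out of scope here."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"").lower()
    return settings


def assess(version, kibana_yml):
    """Return exposure status and which advisory mitigations are missing."""
    settings = parse_flat_yaml(kibana_yml)
    missing = [k for k, want in MITIGATION_SETTINGS.items()
               if settings.get(k) != want]
    affected = is_affected(version)
    return {
        "affected": affected,
        "maps_disabled": not missing,
        "missing_mitigations": missing if affected else [],
        "csp_strict": settings.get("csp.strict") == "true",
        "action": ("none" if not affected else
                   "upgrade to 6.8.6 / 7.5.1" if missing else
                   "maps disabled; upgrade when possible"),
    }


# Constructed kibana.yml for a node that has only one of the three map
# settings disabled and csp.strict left off; purely illustrative.
SAMPLE_KIBANA_YML = """
server.port: 5601
elasticsearch.hosts: ["http://localhost:9200"]
xpack.maps.enabled: false   # maps app off, legacy map visualizations still on
csp.strict: false
"""

if __name__ == "__main__":
    for ver in ("6.8.5", "6.8.6", "7.4.2", "7.5.1"):
        print(ver, assess(ver, SAMPLE_KIBANA_YML))
```

Run it with the real Kibana version string and the contents of the node's kibana.yml; a 7.4.2 node with the sample configuration reports two missing mitigations (`region_map.enabled` and `tile_map.enabled`) and an upgrade action, while 6.8.6 and 7.5.1 report no action.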

CVSSv3: 7.3 - AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

CVE ID: CVE-2019-7621

Search Engine Compatibility Matrix

Reference the information here for the detailed Elasticsearch compatibility including the compatible connector versions and required patch levels.

Vendor Reference

https://discuss.elastic.co/t/elastic-stack-6-8-6-and-7-5-1-security-update/212390


Elastic, Elasticsearch, and X-Pack are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.
