Published: June 4, 2020

The following issues may affect the functionality of your Liferay DXP and Enterprise Search environment. This notification provides a description of the latest compatibility change and required actions for Liferay Enterprise Search Subscribers.

Deployments which might be impacted

• Liferay DXP 7.0, 7.1 and 7.2 on Elastic Stack 6.7 or 7.x or higher.

Vulnerability Information

(As provided by the vendor.)

Kibana upgrade assistant prototype pollution flaw (ESA-2020-05)

Kibana versions between 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. An authenticated attacker with privileges to write to the Kibana index could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker executing code with the permissions of the Kibana process on the host system.

Affected Versions
All versions of Kibana from 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2

Solutions and Mitigations
Users should upgrade to Kibana version 7.7.0 or 6.8.9. Users unable to upgrade can disable the Upgrade Assistant using the instructions below.

Upgrade Assistant can be disabled by setting the following options in Kibana:

Kibana versions 6.7.0 and 6.7.1 can set ‘upgrade_assistant.enabled: false’ in the kibana.yml file

Kibana versions starting with 6.7.2 can set ‘xpack.upgrade_assistant.enabled: false’ in the kibana.yml file

This flaw is mitigated by default in all Elastic Cloud Kibana versions.

CVSSv3: 6.6 - AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
CVE ID: CVE-2020-7012

Kibana TSVB prototype pollution flaw (ESA-2020-06)

Kibana versions before 6.8.9 and 7.7.0 contain a prototype pollution flaw in TSVB . An authenticated attacker with privileges to create TSVB visualizations could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker executing code with the permissions of the Kibana process on the host system.

Affected Versions
All versions of Kibana before 7.7.0 and 6.8.9

Solutions and Mitigations
Users should upgrade to Kibana version 7.7.0 or 6.8.9. Users unable to upgrade can disable TSVB by setting "metrics.enabled: false" in the kibana.yml file.

This flaw is mitigated by default in all Elastic Cloud Kibana versions.

CVSSv3: 6.6 - AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
CVE ID: CVE-2020-7013

Elasticsearch authentication API key privilege escalation (ESA-2020-07)

The fix for ESA-2020-02 (CVE-2020-7009) was found to be incomplete.

Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys and also authentication tokens. An attacker who is able to generate an API key and an authentication token can perform a series of steps that result in an authentication token being generated with elevated privileges.

Affected Versions
All versions from 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 are vulnerable to this issue.

Solutions and Mitigations
Users should upgrade to Elasticsearch version 7.7.0 or 6.8.9. Users who are unable to upgrade can mitigate this flaw by disabling API keys by setting ‘xpack.security.authc.api_key.enabled’ to false in the elasticsearch.yml file.

CVSSv3: 6.4 - AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE ID: CVE-2020-7014

Additional Mitigation Notes

Liferay's Elasticsearch and Enterprise Search connectors are not using API keys out-of-the-box.

Search Engine Compatibility Matrix

Reference the information here for the detailed Elasticsearch compatibility including the compatible connector versions and required patch levels.

Vendor References

• https://discuss.elastic.co/t/elastic-stack-6-8-9-and-7-7-0-security-update/235571/1
• https://discuss.elastic.co/t/elastic-stack-7-7-1-and-6-8-10-security-update/235573/1
• https://www.elastic.co/guide/en/elasticsearch/reference/6.8/release-notes-6.8.10.html
• https://www.elastic.co/guide/en/elasticsearch/reference/7.7/release-notes-7.7.1.html

---

Elastic, Elasticsearch, and X-Pack are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.