新しいLiferayカスタマーポータルエクスペリエンスへようこそ！
新しいカスタマーポータルとサポートチケットエクスペリエンスへの移行が完了しました。ホームページとトップメニューを参照し、利用可能なすべてのツールとリソースをご確認ください。なお、以下の点にご注意ください。
進行中のリクエスト：移行前に進行中だったサポートチケットは、ホームページまたはサポートのドロップダウンメニューから［My Tickets（マイチケット）］をクリックすると確認できます。
新規のサポートリクエスト：新しいサポートリクエストを作成するには、ホームページまたはサポートドロップダウンメニューから［Submit a Ticket（チケットの送信）］をクリックしてください。
新システムでLiferayサポートに問題を報告する際に問題が発生した場合は、support.liferay.com/callback-requestまでご連絡ください。

Security

Security に戻る

Elastic Stack and Liferay Enterprise Search [LES] Security Advisories

General note on CVEs affecting Elasticsearch

The Elasticsearch 7 server runtime included in Liferay DXP Tomcat Bundles and Docker Images (aka. Sidecar Elasticsearch, located under [Liferay-Home]/elasticsearch-sidecar) is neither suitable nor supported for production. It is provided as a convenience for local development and testing only. Instead, configure Liferay to connect to Elasticsearch as a self-managed, standalone server or cluster of server nodes.

The Sidecar Elasticsearch (including all of its bundled plugins and libraries) cannot be patched or updated through Liferay hotfixes. Liferay does not possess additional vulnerability and exploitability information beyond that provided in public security alerts by Elastic. Security scans can report false-positive vulnerabilities when analyzing the Liferay DXP Tomcat Bundles or Docker images because of the inclusion of the Sidecar Elasticsearch runtime.

Additionally, since using Elasticsearch Sidecar in production is not supported, users can simply delete the elasticsearch-sidecar directory to remove these vulnerable modules from the bundle. Example commands for 2024.q3.13 release:

wget 'https://releases.liferay.com/dxp/2024.q3.13/liferay-dxp-tomcat-2024.q3.13-1734359202.zip'
unzip liferay-dxp-tomcat-2024.q3.13-1734359202.zip
rm -r ./liferay-dxp/elasticsearch-sidecar/

The -slim Liferay DXP Docker images do not include the Sidecar Elasticsearch runtime.

Vulnerabilities in Elasticsearch can only be addressed with new releases by Elastic. The compatible Elasticsearch versions and the Sidecar Elasticsearch version is updated periodically with newer Liferay DXP Quarterly Releases. Customers are advised to update their Elasticsearch installations to the latest compatible versions.

General note on CVEs affecting Kibana

Liferay DXP and the Liferay Enterprise Search Monitoring application which integrates Kibana's UI as a proxy into Liferay DXP, do not include the binaries of the Kibana application itself. It is not possible to patch or update Kibana through the installation of Liferay hotfixes or upgrading to newer quarterly releases. In addition, Liferay does not have further information about the vulnerabilities and their exploit-ability beyond what's shared in the public security alerts issued by the vendor (Elastic).

Vulnerabilities in Kibana can only be addressed with new releases by Elastic. Customers are advised to update their Elasticsearch and Kibana installations to the latest compatible versions.

Advisories

Vendor References

Here you can find past security updates affecting Elasticsearch or Kibana provided by the vendor.

Elastic, Elasticsearch, and X-Pack are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.

はじめに

カスタマーポータルのヘルプ

Liferay Learn

ナレッジベース

セキュリティの概要

セキュリティレポート

Release Notes

カスタマーポータルのアップデート

ダウンロード

マイチケット

チケットを作成する

チケットのエスカレーション

サポート範囲

サービスと互換性

お問い合わせ

カスタマーイベント