Elasticsearch privilege escalation issue (ESA-2022-02)

A flaw was discovered in Elasticsearch 7.17.0’s upgrade assistant, in which upgrading from version 6.x to 7.x would disable the in-built protections on the security index, allowing authenticated users with “*” index permissions access to this index.
Affected Versions:

Versions 7.16.0 through 7.17.0.
Solutions and Mitigations:

Users running a cluster on an affected version that had previously been upgraded from 6.x, should upgrade to 7.17.1. Users that are planning to upgrade from 6.x should not perform an upgrade from 6.x to versions 7.16 through 7.17.0 and should use 7.17.1+ for upgrades from 6.x.
CVSSv3:

6.8 (Medium) - AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
CVE ID:

CVE-2022-23708

Kibana missing authorization issue (ESA-2022-03)

A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules. A user with this privilege would be able to create new alerting rules or overwrite existing ones. However, any new or modified rules would not be enabled, and a user with this privilege could not modify alerting connectors. This effectively means that Read users could disable existing alerting rules.
Affected Versions:

Versions 7.7.0 through 7.17.0, and 8.0.0.
Solutions and Mitigations:

The issue is fixed in 7.17.1, 8.01, and 8.1.0.

As mitigation, users on affected versions can avoid granting users Read access to the Uptime feature if they should not be able to otherwise create/modify alerts, and avoid using the built-in Viewer role.
CVSSv3:

4.3 (Medium) - AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVE ID:

CVE-2022-23709

Kibana cross-site-scripting (XSS) issue (ESA-2022-04)

A cross-site-scripting (XSS) vulnerability was discovered in the Data Preview Pane (previously known as Index Pattern Preview Pane) which could allow arbitrary JavaScript to be executed in a victim’s browser.
Affected Versions:

For self-managed deployments the issue impacts versions 7.15.0, 7.15.1, and 7.15.2
For Elastic Cloud Services the issue impacts versions 7.15.0 through 7.17.0, and 8.0.0.
Solutions and Mitigations:

This is fixed in 7.17.1, 8.0.1, and 8.1.0.

As mitigation, users on affected versions can avoid granting users All access to the Index Pattern Management and Saved Object Management features if they should not be able to otherwise create/modify index patterns. Note: index patterns are called data views starting in 8.0.
CVSSv3:

5.4 (Medium) - AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
CVE ID:

CVE-2022-23710

Additional Information

Liferay DXP's Sidecar Elasticsearch server (suitable for local development and testing purposes only!) is not affected because existing Sidecar installations are never upgraded directly (in the sense of Elasticsearch Upgrade): instead, there is always a fresh, new distribution extracted into [Liferay Home]/elasticsearch-sidecar (DXP 7.4) or [Liferay Home]/elasticsearch7 (DXP 7.3) each time we upgrade the Sidecar Elasticsearch server version (for example from 7.14.1 to 7.17.0) or when Liferay DXP is configured to use the Sidecar mode and the runtime folder is not present. In addition to it, the Sidecar Elasticsearch servers are configured programmatically to operate with X-Pack Security features disabled, therefore there cannot be security indexes created.