
Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2023-1370

The following issue may affect the functionality of your Liferay DXP and Liferay Enterprise Search environment and of your Elastic Stack.

Vulnerability Information

Elasticsearch Denial of Service (DoS) issue (ESA-2023-10)

This issue only affects users that have at least one OpenID Connect authentication realm or at least one JWT authentication realm configured.

A denial of service vulnerability was discovered in Elasticsearch that could lead to the service becoming unavailable if a maliciously crafted JWT is supplied. This is due to the use of the transitive dependency json-smart, which parses nested arrays in an unsafe way.

Affected Versions:

Elasticsearch Versions after 7.2.0 and before 7.17.11, and versions after 8.0.0 and before 8.8.2

Solutions and Mitigations:

The issue has been resolved in versions 8.8.2 and 7.17.11.
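Exposure depends on two facts stated above: the cluster version must fall in an affected range, and at least one OpenID Connect or JWT realm must be configured. The following added example (not Liferay's or Elastic's code) combines both checks into one assessment. It assumes flattened Elasticsearch settings of the form `xpack.security.authc.realms.<type>.<name>.<setting>`, reads the realm `enabled` flag, and, as a conservative choice, treats the lower bound of each affected range ("after 7.2.0", "after 8.0.0") inclusively so boundary versions are flagged rather than missed; the sample settings are constructed.

```python
from __future__ import annotations

import re

# Affected ranges from the advisory as [lower, upper). The lower bound is
# treated inclusively on purpose (assumption): better a false alarm at the
# boundary than a missed instance.
AFFECTED_RANGES = (((7, 2, 0), (7, 17, 11)), ((8, 0, 0), (8, 8, 2)))
FIXED_VERSION_BY_MAJOR = {7: "7.17.11", 8: "8.8.2"}
VULNERABLE_REALM_TYPES = {"oidc", "jwt"}

REALM_KEY = re.compile(r"^xpack\.security\.authc\.realms\.([a-z_]+)\.([^.]+)\.")


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '7.17.10' (optionally with a '-SNAPSHOT' style suffix) into a tuple."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Elasticsearch version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def version_affected(version: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def enabled_realm_types(settings: dict[str, str]) -> set[str]:
    """Realm types that have at least one enabled realm configured."""
    types: set[str] = set()
    for key in settings:
        m = REALM_KEY.match(key)
        if not m:
            continue
        realm_type, realm_name = m.groups()
        flag = settings.get(f"xpack.security.authc.realms.{realm_type}.{realm_name}.enabled", "true")
        if flag.strip().lower() != "false":
            types.add(realm_type)
    return types


def assess(version: str, settings: dict[str, str]) -> dict:
    """Decide whether a cluster is exposed to ESA-2023-10 and what to do about it."""
    in_range = version_affected(version)
    realms = sorted(enabled_realm_types(settings) & VULNERABLE_REALM_TYPES)
    exposed = in_range and bool(realms)
    target = FIXED_VERSION_BY_MAJOR.get(parse_version(version)[0])
    return {
        "version": version,
        "version_in_affected_range": in_range,
        "vulnerable_realms": realms,
        "exposed": exposed,
        "upgrade_to": target if in_range else None,
    }


# Constructed sample: an 8.8.1 cluster with a native realm, an enabled OIDC realm
# and a JWT realm that has been explicitly disabled.
SAMPLE_SETTINGS = {
    "xpack.security.authc.realms.native.native1.order": "0",
    "xpack.security.authc.realms.oidc.oidc1.order": "2",
    "xpack.security.authc.realms.oidc.oidc1.rp.client_id": "example-client",
    "xpack.security.authc.realms.jwt.jwt1.order": "3",
    "xpack.security.authc.realms.jwt.jwt1.enabled": "false",
}

if __name__ == "__main__":
    for ver in ("8.8.1", "8.8.2", "7.17.10"):
        print(assess(ver, SAMPLE_SETTINGS))
```

Feed the function the output of the cluster settings API or the contents of `elasticsearch.yml` flattened to dotted keys; `exposed` is only true when both conditions hold, which mirrors the advisory's scoping statement, and `upgrade_to` names the fixed release for that major version.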

CVSSv3: 7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID: CVE-2023-1370


Search Engine Compatibility Matrix

Refer to the Search Engine Compatibility Matrix for detailed Elasticsearch compatibility information, including the compatible connector versions and the required patch levels.

Source

https://discuss.elastic.co/t/elasticsearch-8-8-2-7-17-11-security-update/337205


  • Elastic, Elasticsearch, and X-Pack are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.
