Bem-vindo à Nova Experiência do Portal do Cliente Liferay!
Concluímos recentemente a migração para o novo Portal do Cliente e para a experiência de tickets de suporte. Explore a página inicial e o menu superior para acessar todas as ferramentas e recursos disponíveis. Por favor, observe:
Chamados em andamento: Os tickets que estavam em andamento antes da migração podem ser encontrados clicando em Meus Tickets na página inicial ou no menu Suporte.
Novos chamados de suporte: Para criar um novo chamado, clique em Abrir um Ticket na página inicial ou no menu Suporte.
Caso encontre qualquer dificuldade ao registrar chamados no novo sistema, entre em contato conosco via: support.liferay.com/callback-request

Security

Voltar para Security Alert

Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2023-31417

The following issues may affect the functionality of your Liferay DXP, Liferay Enterprise Search environment and your Elastic Stack.

Vulnerability Information

Elasticsearch Insertion of sensitive information in audit logs (ESA-2023-12)

Elasticsearch generally filters out sensitive information and credentials before logging to the audit log. It was found that this filtering was not applied when requests to Elasticsearch use certain deprecated URIs for APIs. The impact of this flaw is that sensitive information such as passwords and tokens might be printed in cleartext in Elasticsearch audit logs. Note that audit logging is disabled by default and needs to be explicitly enabled and even when audit logging is enabled, request bodies that could contain sensitive information are not printed to the audit log unless explicitly configured.

The _xpack/security APIs have been deprecated in Elasticsearch 7.x and were entirely removed in 8.0.0 and later. The only way for a client to use them in Elasticsearch 8.0.0 and later is to provide the Accept: application/json; compatible-with=7 header. Elasticsearch official clients do not use these deprecated APIs.

The list of affected, deprecated APIs, is the following

POST /_xpack/security/user/{username}
PUT /_xpack/security/user/{username}
PUT /_xpack/security/user/{username}/_password
POST /_xpack/security/user/{username}/_password
PUT /_xpack/security/user/_password
POST /_xpack/security/user/_password
POST /_xpack/security/oauth2/token
DELETE /_xpack/security/oauth2/token
POST /_xpack/security/saml/authenticate

Affected Versions:

Elasticsearch versions from 7.0.0 up to 7.17.12 and from 8.0.0 up to 8.9.1

Solutions and Mitigations:

The issue is resolved in version 7.17.13 and 8.9.2

CVSSv3.1: 4.1(Medium) AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
CVE ID: CVE-2023-31417

Additional Information

Liferay DXP's out-of-the-box integration with Elasticsearch's X-Pack security features to provide encrypted and authenticated connection between the search engine and Liferay nodes are not using _xpack/security APIs to manage users or OAuth2 tokens.

Search Engine Compatibility Matrix

Reference the information here for the detailed Elasticsearch compatibility including the compatible connector versions and required patch levels.

Source

https://discuss.elastic.co/t/elasticsearch-8-9-2-and-7-17-13-security-update/342479

Elastic, Elasticsearch, and X-Pack are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.

On this page

Primeiros passos

Ajuda do Portal do Cliente

Liferay Learn

Artigos de instruções

Visão geral de segurança

Relatórios de segurança

Release Notes

Atualizações do Portal do Cliente

Downloads

Meus tickets

Abrir um ticket

Escalar um ticket

Cobertura de suporte

Serviços e Compatibilidade

Fale conosco

Eventos para clientes