
Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2023-46671, CVE-2023-46673

The following issues may affect your Liferay-Elastic stack.

Vulnerability Information

Kibana Insertion of Sensitive Information into Log File (ESA-2023-25, CVE-2023-46671)

Refer to https://discuss.elastic.co/t/kibana-8-11-1-security-update-esa-2023-25/347149 for details and mitigation.

Elasticsearch Improper Handling of Exceptional Conditions (ESA-2023-24, CVE-2023-46673)

Refer to https://discuss.elastic.co/t/elasticsearch-7-17-14-8-10-3-security-update-esa-2023-24/347708 for details and mitigation.

Additional Information

Regarding CVE-2023-46673: Liferay's out-of-the-box features do not use the Simulate Pipeline API affected by this vulnerability.

Search Engine Compatibility

As usual, Liferay recommends that customers upgrade their production Elastic stack to the latest available and compatible 7.x/8.x release. Refer to the information here for detailed Elasticsearch compatibility, including the compatible connector versions and required update/patch levels.


  • Elastic, Elasticsearch, and X-Pack are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.
