
Elasticsearch and Liferay Enterprise Search Security Advisory: April 28, 2021

The following issues may affect the functionality of your Liferay DXP, Liferay Enterprise Search environment and your Elastic Stack.

Deployments which might be impacted

  • Elastic Stack 7.x using Kibana before 7.12.1

Vulnerability Information

Kibana denial of service issue (ESA-2021-10)

A denial of service vulnerability was found in the Kibana webhook actions due to a lack of timeout or a limit on the request size. An attacker with permissions to create webhook actions could drain the Kibana host connection pool, making Kibana unavailable for all other users.

Thank you to Dominic Couture for this finding.

Affected Versions:

All versions of Kibana prior to 7.12.1

Solutions and Mitigations:

Customers should upgrade to version 7.12.1 or above.

CVSSv3: 4.9 - AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

CVE ID: CVE-2021-22139

Elasticsearch memory disclosure issue (ESA-2021-16)

A memory disclosure vulnerability was identified in Elasticsearch’s error reporting. A user with the ability to submit arbitrary queries to Elasticsearch could submit a malformed query that would result in an error message returned containing previously used portions of a data buffer. This buffer could contain sensitive information such as Elasticsearch documents or authentication details.

Affected Versions:

Elasticsearch versions 7.10.0 to 7.13.3

Solutions and Mitigations:

Affected users should update their version of Elasticsearch to 7.13.4. There is no known workaround for this issue.

CVSSv3: 8.0 - AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE ID: CVE-2021-22145

Additional Information

When updating Kibana to 7.11+, the following known issue may impact your Liferay Enterprise Search Monitoring - Kibana integration. Please refer to this article for details.

Reference the information in the Search Engine Compatibility Matrix for the detailed Elasticsearch compatibility including the compatible connector versions and required patch levels.
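The first thing an operator wants from an advisory like this is a repeatable "are we affected?" check across every cluster and Kibana instance. The script below is an added example written for this page; it is not Liferay or Elastic code. It encodes the two affected ranges exactly as stated above (Kibana before 7.12.1, Elasticsearch 7.10.0 through 7.13.3) and evaluates a product's reported version against them. It relies on the fact that both products expose their version under `version.number` (Elasticsearch on its root endpoint, Kibana on `/api/status`); the JSON bodies in the script are constructed samples rather than captured responses, so it runs offline.

```python
"""Check deployed Elasticsearch and Kibana versions against the ranges in this advisory."""
import json
import re

# Affected ranges exactly as the advisory states them:
#   Kibana: all versions prior to 7.12.1 (ESA-2021-10, CVE-2021-22139)
#   Elasticsearch: 7.10.0 to 7.13.3 (ESA-2021-16, CVE-2021-22145), fixed in 7.13.4
ADVISORIES = {
    "kibana": {
        "id": "ESA-2021-10 / CVE-2021-22139",
        "first_affected": None,        # no lower bound is given on the page
        "first_fixed": (7, 12, 1),
    },
    "elasticsearch": {
        "id": "ESA-2021-16 / CVE-2021-22145",
        "first_affected": (7, 10, 0),
        "first_fixed": (7, 13, 4),
    },
}

# Constructed sample responses (not captured from a real cluster). Both products
# report their version under version.number: Elasticsearch on its root endpoint
# ("GET /") and Kibana on "GET /api/status".
SAMPLE_ES_INFO = '{"name": "node-1", "version": {"number": "7.13.3", "build_flavor": "default"}}'
SAMPLE_KIBANA_STATUS = '{"version": {"number": "7.12.1", "build_hash": "constructed"}}'


def parse_version(text):
    """Turn '7.13.3' or '7.13.3-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    match = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(product, version):
    """True when `version` falls inside the advisory's affected range for `product`."""
    adv = ADVISORIES[product]
    parsed = parse_version(version)
    if adv["first_affected"] is not None and parsed < adv["first_affected"]:
        return False
    return parsed < adv["first_fixed"]


def assess(product, info_json):
    """Read version.number from a product's JSON status body and report the required action."""
    number = json.loads(info_json)["version"]["number"]
    adv = ADVISORIES[product]
    affected = is_affected(product, number)
    fixed = ".".join(str(part) for part in adv["first_fixed"])
    return {
        "product": product,
        "version": number,
        "advisory": adv["id"],
        "affected": affected,
        "action": f"upgrade to {fixed} or above" if affected else "not in the affected range",
    }


if __name__ == "__main__":
    for product, body in (("elasticsearch", SAMPLE_ES_INFO), ("kibana", SAMPLE_KIBANA_STATUS)):
        print(assess(product, body))
```

To run it against live systems, replace the sample strings with the bodies returned by each node's root endpoint and each Kibana instance's `/api/status`; the comparison is done on the numeric triple, so pre-release suffixes such as `-SNAPSHOT` are ignored rather than mis-parsed.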

Vendor References

https://discuss.elastic.co/t/7-12-1-security-update/271433


Elastic, Elasticsearch, and X-Pack are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.
