
Elasticsearch and Liferay Enterprise Search Security Advisory: October 2019

Published: October 25, 2019

The following Elasticsearch vulnerability may affect your Liferay DXP and Enterprise Search environment. This notification describes the issue, the affected Elasticsearch versions, and the actions required of Liferay Enterprise Search subscribers.

Deployments which might be impacted

  • Liferay DXP 7.0, 7.1 and 7.2 on Elastic Stack 6.7 or higher using X-Pack.

Vulnerability Information

(As provided by the vendor.)

Elasticsearch username disclosure flaw (ESA-2019-13)

A username disclosure flaw was found in Elasticsearch’s API Key service. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native realm.

Affected Versions

The following Elasticsearch versions are affected by this flaw: 7.0.0, 7.0.1, 7.1.0, 7.1.1, 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.3.2, 6.7.0, 6.7.1, 6.7.2, 6.8.0, 6.8.1, 6.8.2, 6.8.3

Solutions and Mitigations

Users should upgrade to Elasticsearch version 7.4.0 (for 7.x) or 6.8.4 (for 6.x). If users cannot upgrade, the API key service can be disabled by setting xpack.security.authc.api_key.enabled to false in the Elasticsearch configuration file (elasticsearch.yml); this is a static node setting, so each node must be restarted for the change to take effect.

CVSSv3: 3.7 - AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE ID: CVE-2019-7619

Additional Mitigation Notes

Liferay's Enterprise Search connectors do not use API keys out of the box, so disabling the API key service as described above does not affect a default connector configuration.
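A quick way to check a cluster against this advisory, added here as an example (it is not Liferay's or Elastic's code): the script below reads the JSON returned by GET / (which carries the version number) and, optionally, by GET /_nodes/settings, decides whether the version falls inside the affected ranges listed above, and reports whether the documented mitigation is explicitly set on every node. The embedded responses are constructed for the example; the handling of the ?flat_settings=true response shape and the conservative treatment of a node that does not set the option at all (reported as not mitigated) are assumptions of the example, not statements from the advisory.

```python
"""Assess an Elasticsearch node against ESA-2019-13 (CVE-2019-7619).

Added example, not Liferay's or Elastic's code. It works on saved JSON
from GET / and GET /_nodes/settings, so it runs offline. The sample
responses at the bottom are constructed for the example.
"""
import json
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Half-open ranges (fixed version excluded) encoding the advisory's list:
# 6.7.0 .. 6.8.3 (fixed in 6.8.4) and 7.0.0 .. 7.3.2 (fixed in 7.4.0).
AFFECTED_RANGES = (
    ((6, 7, 0), (6, 8, 4)),
    ((7, 0, 0), (7, 4, 0)),
)

# Static node setting named in the advisory as the mitigation. It is set in
# elasticsearch.yml and is visible through the nodes info API.
API_KEY_SETTING = "xpack.security.authc.api_key.enabled"


def parse_version(version: str) -> Version:
    """Turn "7.3.2" (or "7.3.2-SNAPSHOT") into a comparable tuple."""
    core = version.split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Elasticsearch version: {version!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def is_affected(version: str) -> bool:
    v = parse_version(version)
    return any(low <= v < high for low, high in AFFECTED_RANGES)


def fixed_version_for(version: str) -> str:
    return "7.4.0" if parse_version(version)[0] >= 7 else "6.8.4"


def _node_setting(settings: dict, dotted: str):
    """Read a setting from either the flat (?flat_settings=true) or the
    nested (default) shape of the nodes settings response. Assumption of
    the example: both shapes are supported."""
    if dotted in settings:
        return settings[dotted]
    node = settings
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def api_key_service_disabled(nodes_settings: dict) -> bool:
    """True only if every node explicitly sets the API key service to false.
    A node that does not set it at all runs with the default, which this
    check conservatively treats as not mitigated."""
    nodes = nodes_settings.get("nodes") or {}
    if not nodes:
        return False
    for node in nodes.values():
        value = _node_setting(node.get("settings", {}), API_KEY_SETTING)
        if str(value).lower() != "false":
            return False
    return True


def assess(root_response: str, nodes_settings_response: Optional[str] = None) -> str:
    """Return a one-line verdict for the node described by the responses."""
    version = json.loads(root_response)["version"]["number"]
    if not is_affected(version):
        return f"{version}: not affected by CVE-2019-7619"
    if nodes_settings_response is not None and api_key_service_disabled(
        json.loads(nodes_settings_response)
    ):
        return f"{version}: affected, mitigated ({API_KEY_SETTING}: false on all nodes)"
    return (
        f"{version}: AFFECTED, upgrade to {fixed_version_for(version)} "
        f"or set {API_KEY_SETTING}: false and restart the node"
    )


# Constructed sample responses: shapes follow the real APIs, values are made up.
ROOT_7_3_2 = json.dumps({"name": "es-node-1", "cluster_name": "liferay",
                         "version": {"number": "7.3.2"}})
ROOT_6_8_4 = json.dumps({"name": "es-node-1", "cluster_name": "liferay",
                         "version": {"number": "6.8.4"}})
NODES_MITIGATED = json.dumps({"nodes": {"abc123": {"name": "es-node-1", "settings": {
    "xpack": {"security": {"authc": {"api_key": {"enabled": "false"}}}}}}}})
NODES_DEFAULT = json.dumps({"nodes": {"abc123": {"name": "es-node-1", "settings": {
    "cluster": {"name": "liferay"}}}}})

if __name__ == "__main__":
    for root, nodes in ((ROOT_7_3_2, NODES_DEFAULT),
                        (ROOT_7_3_2, NODES_MITIGATED),
                        (ROOT_6_8_4, None)):
        print(assess(root, nodes))
```

Against a live cluster you would save the output of `curl -s -u user:pass https://es-host:9200/` and `curl -s -u user:pass https://es-host:9200/_nodes/settings` and pass those strings to assess(). A node that reports a version inside the affected ranges and no explicit false for the setting is reported as affected, which is the safe reading for an unauthenticated information-disclosure issue.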

Search Engine Compatibility Matrix

Refer to the compatibility matrix linked here for detailed Elasticsearch compatibility information, including compatible connector versions and required patch levels.

Vendor Reference

https://discuss.elastic.co/t/elastic-stack-6-8-4-security-update/204908


Elastic, Elasticsearch, and X-Pack are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.
