
Elasticsearch and Liferay Enterprise Search Security Advisory: October 22, 2020

The following issues may affect the functionality of your Liferay DXP and Enterprise Search environment. This notification provides a description of the latest compatibility change and required actions for Liferay Enterprise Search Subscribers.

Deployments that might be impacted

  • Liferay DXP 7.0, 7.1 and 7.2 on Elastic Stack 6.x or 7.x

Vulnerability Information

(As provided by the vendor.)

Elasticsearch field disclosure flaw (ESA-2020-13)

A document disclosure flaw was found in Elasticsearch when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain complex queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.

Thanks to Robert Coe, CTO at AcuityMD for reporting this issue.

Affected Versions:
All versions of Elasticsearch before 7.9.2 and 6.8.13 are affected by this flaw.

Solutions and Mitigations:
Anyone using Document or Field Level Security should upgrade to Elasticsearch version 7.9.2 or 6.8.13. There is no known workaround for this flaw.

CVSSv3 base score: 3.1 (vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVE ID: CVE-2020-7020

Additional Information

Liferay's Elasticsearch connectors and out-of-the-box features in Liferay DXP do not use Document or Field Level Security.
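Because exposure to ESA-2020-13 depends on two things, the Elasticsearch version line and whether any role actually uses Document or Field Level Security, the following added example (not code from Liferay or Elastic) shows how an administrator could combine the output of `GET /` and `GET /_security/role` into a go/no-go assessment. The sample responses are constructed inline; the response shapes assumed are those of the real Elasticsearch root and role APIs.

```python
import json

# Fixed versions per ESA-2020-13, keyed by the major version line.
FIXED = {6: (6, 8, 13), 7: (7, 9, 2)}

def parse_version(v):
    """'7.9.1' -> (7, 9, 1); any '-SNAPSHOT'-style suffix is ignored."""
    return tuple(int(p) for p in v.split("-")[0].split(".")[:3])

def is_vulnerable_version(version):
    """True when the cluster version predates the fix for its major line."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        # Lines older than 6.x predate both fixes; newer lines already carry them.
        return v[0] < 6
    return v < fixed

def roles_using_dls_fls(roles):
    """Names of roles whose index privileges carry a DLS 'query' or an FLS 'field_security'."""
    hits = []
    for name, role in roles.items():
        if any("query" in idx or "field_security" in idx for idx in role.get("indices", [])):
            hits.append(name)
    return sorted(hits)

def assess(root_info, roles):
    """Upgrade is required only if the version is affected AND DLS/FLS is in use."""
    version = root_info["version"]["number"]
    affected = is_vulnerable_version(version)
    exposed = roles_using_dls_fls(roles)
    return {"version": version, "vulnerable_version": affected,
            "dls_fls_roles": exposed, "action_required": affected and bool(exposed)}

# Constructed sample responses (not captured from a real cluster).
SAMPLE_ROOT = json.loads('{"name": "node-1", "version": {"number": "7.9.1"}}')
SAMPLE_ROLES = json.loads("""{
  "liferay_indexer": {"cluster": ["monitor"],
                      "indices": [{"names": ["liferay-*"], "privileges": ["all"]}]},
  "analyst": {"cluster": [],
              "indices": [{"names": ["hr-*"], "privileges": ["read"],
                           "query": "{\\"term\\": {\\"department\\": \\"sales\\"}}",
                           "field_security": {"grant": ["name", "title"]}}]}
}""")

if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_ROOT, SAMPLE_ROLES), indent=2))
```

A cluster on an affected version with no DLS/FLS roles (the default for Liferay's connectors) reports `action_required: false`, while the constructed `analyst` role above flips it to `true`.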

Search Engine Compatibility Matrix

Refer to the Search Engine Compatibility Matrix for detailed Elasticsearch compatibility information, including compatible connector versions and required patch levels.

Vendor References
