Security
Back to Security
- Elastic Stack and Liferay Enterprise Search [LES] Security Advisories
-
Security Alert
- [LES] Elastic's Response to Log4j Exploit (CVE-2021-44228)
- ClamAV HFS+ Security Advisory: CVE-2023-20032
- Dec 16 Liferay’s Update about Log4j vulnerabilities CVE-2021-4104, CVE-2021-44228 and CVE-2021-45046
- Dec 18 Liferay’s Update about Log4j CVE-2021-45105
- Delayed: Disabling TLS 1.0 for Inbound Traffic on Liferay Services and Websites
- Disabling TLS 1.0 for Inbound Traffic on Liferay Services and Websites
- Elasticsearch and Liferay Enterprise Search Security Advisory: 2018 November
- Elasticsearch and Liferay Enterprise Search Security Advisory: April 2, 2020
- Elasticsearch and Liferay Enterprise Search Security Advisory: April 28, 2021
- Elasticsearch and Liferay Enterprise Search Security Advisory: April 7, 2021
- Elasticsearch and Liferay Enterprise Search Security Advisory: August 23, 2021
- Elasticsearch and Liferay Enterprise Search Security Advisory: August 5, 2020
- Elasticsearch and Liferay Enterprise Search Security Advisory: Dec 11, 2021 (Log4j2, CVE-2021-44228, CVE-2021-45046,CVE-2021-45105)
- Elasticsearch and Liferay Enterprise Search Security Advisory: February 2019
- Elasticsearch and Liferay Enterprise Search Security Advisory: January 15, 2021
- Elasticsearch and Liferay Enterprise Search Security Advisory: January 16, 2020
- Elasticsearch and Liferay Enterprise Search Security Advisory: July 12, 2021
- Elasticsearch and Liferay Enterprise Search Security Advisory: July 23, 2021
- Elasticsearch and Liferay Enterprise Search Security Advisory: June 2, 2021
- Elasticsearch and Liferay Enterprise Search Security Advisory: June 4, 2020
- Elasticsearch and Liferay Enterprise Search Security Advisory: March 2020
- Elasticsearch and Liferay Enterprise Search Security Advisory: March 9, 2021
- Elasticsearch and Liferay Enterprise Search Security Advisory: Nov 12, 2021
- Elasticsearch and Liferay Enterprise Search Security Advisory: October 2019
- Elasticsearch and Liferay Enterprise Search Security Advisory: October 22, 2020
- Elasticsearch and Liferay Enterprise Search Security Advisory: Sept 2, 2021
- Elasticsearch and Liferay Enterprise Search Security Advisory: September 2, 2020
- Elastic Security Statement for CVE-2024-3094, xz versions 5.6.0 and 5.6.1
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2022-1364
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2022-23707
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2022-23708, CVE-2022-23709, CVE-2022-23710
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2022-23711
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2022-23713
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2022-38779
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2022-38900
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2023-1370
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2023-31414, CVE-2023-31415, CVE-2023-26486, CVE-2023-26487
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2023-31417
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2023-31418, CVE-2023-31419, CVE-2023-31422
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2023-46671, CVE-2023-46673
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2023-46675, CVE-2023-49921
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-12539
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-12556, CVE-2024-52974, CVE-2024-52980, CVE-2024-52981
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-23445, CVE-2024-37279, CVE-2024-37280, CVE-2024-23442, CVE-2024-23443, CVE-2024-2887, CVE-2024-37281, CVE-2024-37287, CVE-2024-23444
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-23446, CVE-2023-7024
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-23449
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-23450
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-37285, CVE-2024-37288
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-43706, CVE-2025-2135, CVE-2025-25012 (Kibana)
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-43709, CVE-2024-52973, CVE-2024-43710, CVE-2024-43707, CVE-2024-52972, CVE-2024-43708
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2025-25009, CVE-2025-25017, CVE-2025-25018, CVE-2025-37727
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2025-25012
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2025-25014, CVE-2024-52979, CVE-2024-11390, CVE-2025-25016
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2025-54988 and Elastic's Response to ‘EDR 0-Day Vulnerability’
- Elastic Stack and Liferay Enterprise Search Security Advisory: Security Statement for OpenSSL CVE-2022-3786 and CVE-2022-3602, OpenSSL version 3.0.7
- Elastic Stack and Liferay Enterprise Search Security Advisory: Security Statement for Oracle July Critical Patch Update CVE-2022-21540, CVE-2022-21541, CVE-2022-21549, CVE-2022-25647, CVE-2022-34169
- Elastic Stack and Liferay Enterprise Search Security Advisory: Security Statement regarding CVE-2022-1471
- Follow-Up Security Alert for LSV-412 and LSV-545
- Jenkins Security Advisory 2024-01-24: CVE-2024-23897
- Liferay Cloud Security Alert: June 2019
- Liferay Enterprise Search Support Alert: Action Required by June 24 2019
- Liferay SaaS Security Alert: March 2020
- Liferay Security Alert: 2018 August
- Liferay Security Alert: 2019 January
- Liferay Security Alert: 2019 June
- Liferay Security Alert: 2019 November
- Liferay Security Alert: 2019 October
- Liferay Security Alert: 2020 February
- Liferay Security Alert: 2020 July
- Liferay Security Alert: 2020 March
- Liferay Security Alert: 2020 May
- Liferay Security Alert: 2021 April
- Liferay Security Alert: 2022 April
- Liferay Security Alert: December 2018
- Liferay Security Alert for Liferay DXP
- Liferay’s Statement about CVE-2021-44228 (Log4j vulnerability)
- Liferay’s Statement about recent Log4j vulnerabilities
- Reminder: Follow-Up Security Alert for LSV-412 and LSV-545
- Spring4Shell and Spring Cloud Security Advisory
- TLS 1.0 Disabled for Inbound Traffic on Liferay Services and Websites
- Update: Log4j Security Advisory
- Security Overview
Elastic Stack and Liferay Enterprise Search [LES] Security Advisories
General note on CVEs affecting Elasticsearch
The Elasticsearch 7 server runtime included in Liferay DXP Tomcat Bundles and Docker Images (aka. Sidecar Elasticsearch, located under [Liferay-Home]/elasticsearch-sidecar) is neither suitable nor supported for production. It is provided as a convenience for local development and testing only. Instead, configure Liferay to connect to Elasticsearch as a self-managed, standalone server or cluster of server nodes.
The Sidecar Elasticsearch (including all of its bundled plugins and libraries) cannot be patched or updated through Liferay hotfixes. Liferay does not possess additional vulnerability and exploitability information beyond that provided in public security alerts by Elastic. Security scans can report false-positive vulnerabilities when analyzing the Liferay DXP Tomcat Bundles or Docker images because of the inclusion of the Sidecar Elasticsearch runtime.
Additionally, since using Elasticsearch Sidecar in production is not supported, users can simply delete the elasticsearch-sidecar directory to remove these vulnerable modules from the bundle. Example commands for 2024.q3.13 release:
wget 'https://releases.liferay.com/dxp/2024.q3.13/liferay-dxp-tomcat-2024.q3.13-1734359202.zip'
unzip liferay-dxp-tomcat-2024.q3.13-1734359202.zip
rm -r ./liferay-dxp/elasticsearch-sidecar/
The -slim Liferay DXP Docker images do not include the Sidecar Elasticsearch runtime.
Vulnerabilities in Elasticsearch can only be addressed with new releases by Elastic. The compatible Elasticsearch versions and the Sidecar Elasticsearch version is updated periodically with newer Liferay DXP Quarterly Releases. Customers are advised to update their Elasticsearch installations to the latest compatible versions.
General note on CVEs affecting Kibana
Liferay DXP and the Liferay Enterprise Search Monitoring application which integrates Kibana's UI as a proxy into Liferay DXP, do not include the binaries of the Kibana application itself. It is not possible to patch or update Kibana through the installation of Liferay hotfixes or upgrading to newer quarterly releases. In addition, Liferay does not have further information about the vulnerabilities and their exploit-ability beyond what's shared in the public security alerts issued by the vendor (Elastic).
Vulnerabilities in Kibana can only be addressed with new releases by Elastic. Customers are advised to update their Elasticsearch and Kibana installations to the latest compatible versions.
Advisories
- CVE-2025-25009, CVE-2025-25017, CVE-2025-25018, CVE-2025-37727 (November 13, 2025)
- CVE-2025-54988 and Elastic's Response to ‘EDR 0-Day Vulnerability’ (September 15, 2025)
- CVE-2024-43706, CVE-2025-2135, CVE-2025-25012 (June 25, 2025)
- CVE-2025-25014, CVE-2024-52979, CVE-2024-11390, CVE-2025-25016 (May 12, 2025)
- CVE-2024-12556, CVE-2024-52974, CVE-2024-52980, CVE-2024-52981 (April 17, 2025)
- CVE-2024-23450 (March 11, 2025)
- CVE-2025-25012 (March 5, 2025)
- CVE-2024-12539 (February 27, 2025)
- CVE-2024-43709, CVE-2024-52973, CVE-2024-43710, CVE-2024-43707, CVE-2024-52972, CVE-2024-43708 (January 30, 2025)
- CVE-2024-37285, CVE-2024-37288 (October 8, 2024)
- CVE-2024-23445, CVE-2024-37279, CVE-2024-37280, CVE-2024-23442, CVE-2024-23443, CVE-2024-2887, CVE-2024-37281, CVE-2024-37287, CVE-2024-23444 (August 14, 2024)
- Elastic Security Statement for CVE-2024-3094, xz versions 5.6.0 and 5.6.1 (April 24, 2024)
- CVE-2024-23449 (April 2, 2024)
- CVE-2024-23446, CVE-2023-7024 (Feb 8, 2024)
- CVE-2023-46675, CVE-2023-49921 (Jan 29, 2024)
- CVE-2023-46671, CVE-2023-46673 (Dec 12, 2023)
- CVE-2023-31418, CVE-2023-31419, CVE-2023-31422 (Oct 12, 2023)
- CVE-2023-31419 (Sept 20, 2023)
- Elastic Stack and Liferay Enterprise Search Security Advisory: Security Statement regarding CVE-2022-1471 (Sept 14, 2023)
- CVE-2023-31417 (Sept 14, 2023)
- CVE-2023-1370 (July 25, 2023)
- CVE-2023-31414, CVE-2023-31415, CVE-2023-26486, CVE-2023-26487 (May 18, 2023)
- CVE-2022-38779 (Feb 17, 2023)
- CVE-2022-38900 (Feb 3, 2023)
- CVE-2022-1364 (Dec 12, 2022)
- Elastic Stack and Liferay Enterprise Search Security Advisory: Security Statement for OpenSSL CVE-2022-3786 and CVE-2022-3602, OpenSSL version 3.0.7 (November 3, 2022)
- Elastic Stack and Liferay Enterprise Search Security Advisory: Security Statement for Oracle July Critical Patch Update CVE-2022-21540, CVE-2022-21541, CVE-2022-21549, CVE-2022-25647, CVE-2022-34169 (August 26, 2022)
- CVE-2022-23713 (July 8, 2022)
- CVE-2022-23711 (April 20, 2022)
- CVE-2022-23708, CVE-2022-23709, CVE-2022-23710 (March 1, 2022)
- CVE-2022-23707 (Feb 23, 2022)
- Elastic Stack and Liferay Enterprise Search Security Advisory: Dec 11, 2021 (Log4j2, CVE-2021-44228)
- Elastic Stack and Liferay Enterprise Search Security Advisory: Nov 12, 2021
- Elastic Stack and Liferay Enterprise Search Security Advisory: Sept 2, 2021
- Elastic Stack and Liferay Enterprise Search Security Advisory: August 23, 2021
- Elastic Stack and Liferay Enterprise Search Security Advisory: July 23, 2021
- Elastic Stack and Liferay Enterprise Search Security Advisory: July 12, 2021
- Elastic Stack and Liferay Enterprise Search Security Advisory: June 2, 2021
- Elastic Stack and Liferay Enterprise Search Security Advisory: April 28, 2021
- Elastic Stack and Liferay Enterprise Search Security Advisory: April 7, 2021
- Elastic Stack and Liferay Enterprise Search Security Advisory: March 9, 2021
- Elastic Stack and Liferay Enterprise Search Security Advisory: January 15, 2021
- Elastic Stack and Liferay Enterprise Search Security Advisory: October 22, 2020
- Elastic Stack and Liferay Enterprise Search Security Advisory: September 2, 2020
- Elastic Stack and Liferay Enterprise Search Security Advisory: August 5, 2020
- Elastic Stack and Liferay Enterprise Search Security Advisory: June 4, 2020
- Elastic Stack and Liferay Enterprise Search Security Advisory: April 2, 2020
- Elastic Stack and Liferay Enterprise Search Security Advisory: March 9, 2020
- Elastic Stack and Liferay Enterprise Search Security Advisory: January 16, 2020
- Elastic Stack and Liferay Enterprise Search Security Advisory: October 25, 2019
- Elastic Stack and Liferay Enterprise Search Security Advisory: June 24, 2019
- Elastic Stack and Liferay Enterprise Search Security Advisory: February 19, 2019
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2018-3831
- Elastic Stack and Liferay Enterprise Search Security Advisory: November 26, 2018
Vendor References
Here you can find past security updates affecting Elasticsearch or Kibana provided by the vendor.
Elastic, Elasticsearch, and X-Pack are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.
On this page