Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-12539

The following issues may affect your Liferay-Elastic stack.

CVE: CVE-2024-12539
Severity: CVSSv4.0: 6 (Medium)
Vulnerability Summary: Elasticsearch Incorrect Authorization
Affected Product: Elasticsearch
Affected Versions: 8.16.0 and 8.16.1
Solutions & Mitigations: The issue is resolved in versions 8.16.2 and 8.17.0


Additional Information

Liferay DXP does not use the Document Level Security features of Elasticsearch that are affected by this vulnerability.

General note on CVEs affecting Elasticsearch: the Elasticsearch server runtime included with Liferay DXP Tomcat Bundles and Docker Images (the so-called Sidecar Elasticsearch, located under [Liferay-Home]/elasticsearch-sidecar) is neither suitable nor supported for production. It is intended for local development and testing only. For production, configure Liferay to connect to Elasticsearch as a self-managed, standalone server or cluster of server nodes.

The Sidecar Elasticsearch (including all of its bundled plugins and libraries) cannot be patched or updated through Liferay hotfixes. Liferay does not possess additional vulnerability and exploitability information beyond that provided in public security alerts by Elastic. The Sidecar Elasticsearch version is updated periodically with newer Liferay DXP Quarterly Releases.

Search Engine Compatibility

Liferay recommends that customers upgrade their production Elastic Stack to the latest available and compatible version. Reference the information here for detailed Elasticsearch compatibility information, including the compatible connector versions and the required quarterly release/update versions and patch levels.

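A practical way to act on the version facts above (affected 8.16.0 and 8.16.1, fixed in 8.16.2 and 8.17.0) and on the upgrade recommendation is to compare what each production node actually reports against the advisory. The script below is an added example, not part of the advisory and not Liferay or Elastic code. It assumes only that the JSON body returned by GET / on an Elasticsearch node carries the running version under `version.number`; the two sample responses are constructed inline so the script runs offline, and the version sets are the ones stated in this advisory.

```python
"""Check an Elasticsearch node's reported version against the CVE-2024-12539 advisory."""
import json
from typing import Dict, Tuple

# Version facts exactly as stated in the advisory.
AFFECTED_VERSIONS = ("8.16.0", "8.16.1")
FIXED_VERSIONS = ("8.16.2", "8.17.0")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '8.16.1' or '8.16.1-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    core = version.split("-", 1)[0]          # drop any pre-release / build suffix
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Elasticsearch version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_affected(version: str) -> bool:
    """True if the reported version is one of the releases the advisory names as affected."""
    affected = {parse_version(v) for v in AFFECTED_VERSIONS}
    return parse_version(version) in affected


def recommended_fix(version: str) -> str:
    """Prefer the fixed release on the same minor line (8.16.2 for 8.16.x); otherwise the newest fix."""
    major, minor, _ = parse_version(version)
    for fixed in FIXED_VERSIONS:
        fixed_major, fixed_minor, _ = parse_version(fixed)
        if (fixed_major, fixed_minor) == (major, minor):
            return fixed
    return FIXED_VERSIONS[-1]


def assess_cluster(root_response: str) -> Dict[str, object]:
    """Evaluate the JSON body returned by GET / on an Elasticsearch node."""
    info = json.loads(root_response)
    number = info["version"]["number"]
    affected = is_affected(number)
    return {
        "cluster_name": info.get("cluster_name", "<unknown>"),
        "version": number,
        "affected": affected,
        "recommended": recommended_fix(number) if affected else None,
    }


# Constructed sample responses (not captured from any real cluster); the field layout
# mirrors what an Elasticsearch node returns for GET /.
SAMPLE_AFFECTED = json.dumps({
    "name": "node-1",
    "cluster_name": "dev-cluster",
    "version": {"number": "8.16.1", "build_flavor": "default"},
    "tagline": "You Know, for Search",
})
SAMPLE_FIXED = json.dumps({
    "name": "node-1",
    "cluster_name": "prod-cluster",
    "version": {"number": "8.16.2", "build_flavor": "default"},
    "tagline": "You Know, for Search",
})


if __name__ == "__main__":
    for sample in (SAMPLE_AFFECTED, SAMPLE_FIXED):
        print(assess_cluster(sample))
```

In practice the root endpoint is queried once per production node (every node in a cluster should report the same version after an upgrade), and the Sidecar Elasticsearch noted above is deliberately out of scope for such a check because it is not a supported production deployment.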
  • Elastic, Elasticsearch, and X-Pack are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.