Security

Search Bar
Back to Security Alert

Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-43706, CVE-2025-2135, CVE-2025-25012 (Kibana)

The following issues may affect your Liferay-Elastic stack.

Vulnerability Information

CVE Severity Vulnerability Summary Affected Product Affected Versions Solutions & Mitigations
CVE-2025-2135 CVSSv3.1: 9.9 (Critical) Kibana Heap Corruption via Crafted HTML Page due to Chromium Type Confusion Kibana Versions up to and including 7.17.28, 8.0.0 up to and including 8.17.7, 8.18.0 up to and including 8.18.2, and 9.0.0 up to and including 9.0.2 Upgrade to version 7.17.29, 8.17.8, or 8.18.3, or 9.0.3. Learn more
CVE-2024-43706 CVSSv3.1: 7.6 (High) Kibana Improper Authorization Kibana Versions before and including 8.12.0. The issue is resolved in versions 8.12.1+. Learn more
CVE-2025-25012 CVSSv3.1: 4.3 (Medium)  Kibana Open Redirect Kibana Versions up to and including 7.17.28, 8.0.0 up to and including 8.17.7, 8.18.0 up to and including 8.18.2, and 9.0.0 up to and including 9.0.2  The issue is resolved in version 7.17.29, 8.17.8, or 8.18.3, or 9.0.3. Learn more

Additionally, Kibana versions 7.17.29, 8.18.3 and 9.0.3 ship with an updated version of Node.js (v20.19.2) which is marked as one of the fix versions that includes the fixes for the following Node.js vulnerabilities as per the Wednesday, May 14, 2025 Security Releases advisory: CVE-2025-23165, CVE-2025-23166, CVE-2025-2316. References:

Additional Information

General note on CVEs affecting Elasticsearch

The Elasticsearch 7 server runtime included in Liferay DXP Tomcat Bundles and Docker Images (aka. Sidecar Elasticsearch, located under [Liferay-Home]/elasticsearch-sidecar) is neither suitable nor supported for production. It is provided as a convenience for local development and testing only. Instead, configure Liferay to connect to Elasticsearch as a self-managed, standalone server or cluster of server nodes. 

The Sidecar Elasticsearch (including all of its bundled plugins and libraries) cannot be patched or updated through Liferay hotfixes. Liferay does not possess additional vulnerability and exploitability information beyond that provided in public security alerts by Elastic. Security scans can report false-positive vulnerabilities when analyzing the Liferay DXP Tomcat Bundles or Docker images because of the inclusion of the Sidecar Elasticsearch runtime. The -slim version of the Liferay DXP Docker images does not include the Sidecar Elasticsearch runtime. 

Vulnerabilities in Elasticsearch can only be addressed with new releases by Elastic. The compatible Elasticsearch versions and the Sidecar Elasticsearch version is updated periodically with newer Liferay DXP Quarterly Releases. Customers are advised to update their Elasticsearch installations to the latest compatible versions. 

General note on CVEs affecting Kibana

Liferay DXP and the Liferay Enterprise Search Monitoring application which integrates Kibana's UI as a proxy into Liferay DXP, do not include the binaries of the Kibana application itself. It is not possible to patch or update Kibana through the installation of Liferay hotfixes or upgrading to newer quarterly releases. In addition, Liferay does not have further information about the vulnerabilities and their exploit-ability beyond what's shared in the public security alerts issued by the vendor (Elastic).

Vulnerabilities in Kibana can only be addressed with new releases by Elastic. Customers are advised to update their Elasticsearch and Kibana installations to the latest compatible versions.

Search Engine Compatibility

Liferay recommends that customers upgrade their production Elastic Stack to the latest available and compatible version. Reference the information here for the detailed Elasticsearch compatibility including the compatible connector versions and required quarterly release/update versions and patch levels.

  • Elastic, Elasticsearch, and X-Pack are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.

On this page