
Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-43709, CVE-2024-52973, CVE-2024-43710, CVE-2024-43707, CVE-2024-52972, CVE-2024-43708

The following issues may affect your Liferay-Elastic stack.

Vulnerability Information

| CVE | Severity | Vulnerability Summary | Affected Product | Affected Versions | Solutions & Mitigations |
|---|---|---|---|---|---|
| CVE-2024-43709 | CVSSv3.1: 6.5 | Elasticsearch allocation of resources without limits or throttling leads to crash | Elasticsearch | Versions up to 7.17.21 and versions up to 8.13.3 | The issue is resolved in version 7.17.21 and 8.13.3. |
| CVE-2024-52973 | CVSSv3.1: 6.5 | Kibana allocation of resources without limits or throttling leads to crash | Kibana | Versions up to 7.17.23 and up to 8.14.2 | The issue is resolved in version 7.17.23 and 8.14.2. |
| CVE-2024-43710 | CVSSv3.1: 4.3 | Kibana allocation of resources without limits or throttling leads to crash | | Versions up to 7.17.21 and versions up to 8.13.3 | These issues are resolved in version 8.15.0 |
| CVE-2024-43707 | CVSSv3.1: 7.7 | Kibana exposure of sensitive information to an unauthorized actor | Kibana | Versions from 8.0.0 up to 8.15.0 | |
| CVE-2024-43708 | CVSSv3.1: 6.5 | Kibana allocation of resources without limits or throttling leads to crash | Kibana | Versions up to 7.17.23 and 8.15.0 | These issues are resolved in versions 7.17.23 and 8.15.0 |
| CVE-2024-52972 | CVSSv3.1: 6.5 | Kibana allocation of resources without limits or throttling leads to crash | Kibana | Versions up to 7.17.23 and 8.15.0 | |

Additional Information

General note on CVEs affecting Elasticsearch: the Elasticsearch server runtime included with Liferay DXP Tomcat Bundles and Docker Images (a.k.a. Sidecar Elasticsearch, located under [Liferay-Home]/elasticsearch-sidecar) is neither suitable nor supported for production. It is intended for local development and testing only. Instead, configure Liferay to connect to Elasticsearch as a self-managed, standalone server or cluster of server nodes.

The Sidecar Elasticsearch (including all of its bundled plugins and libraries) cannot be patched or updated through Liferay hotfixes. Liferay does not possess additional vulnerability and exploitability information beyond that provided in public security alerts by Elastic. The Sidecar Elasticsearch version is updated periodically with newer Liferay DXP Quarterly Releases.

General note on CVEs affecting Kibana: Liferay DXP and the Liferay Enterprise Search Monitoring application, which integrates Kibana's UI into Liferay DXP through a proxy, do not include the binaries of the Kibana application itself. It is not possible to patch or update Kibana by installing Liferay hotfixes or upgrading to newer quarterly releases. In addition, Liferay does not have further information about the vulnerabilities and their exploitability beyond what is shared in the public security alerts issued by the vendor (Elastic).

Search Engine Compatibility

Liferay recommends that customers upgrade their production Elastic Stack to the latest available and compatible version. Refer to the compatibility information here for detailed Elasticsearch compatibility, including the compatible connector versions and the required quarterly release/update versions and patch levels.
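To tell whether a deployed Elasticsearch or Kibana still needs the upgrade this advisory recommends, the check below compares an installed version against the fix versions in the table above, per release line (7.17.x and 8.x). It is an added example, not Liferay's or Elastic's code; it assumes that a version counts as fixed once it reaches the fix version of its own line, treats release lines the table names no fix for as needing review, and reads the version from the JSON that Elasticsearch's GET / and Kibana's GET /api/status return (sample responses are constructed inline).

```python
import json
import re

# Fix versions as the advisory table states them, keyed by release line (7.17.x / 8.x).
# CVEs for which the table lists no fix version (CVE-2024-43707, CVE-2024-52972) are left out.
FIX_VERSIONS = {
    "elasticsearch": {"CVE-2024-43709": {"7.17": (7, 17, 21), "8": (8, 13, 3)}},
    "kibana": {
        "CVE-2024-52973": {"7.17": (7, 17, 23), "8": (8, 14, 2)},
        "CVE-2024-43710": {"8": (8, 15, 0)},  # the table names only 8.15.0
        "CVE-2024-43708": {"7.17": (7, 17, 23), "8": (8, 15, 0)},
    },
}

def parse_version(text):
    """Turn '8.14.1' (or '8.14.1-SNAPSHOT') into a comparable (8, 14, 1) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def version_from_status(body):
    """Read version.number from the JSON of Elasticsearch GET / or Kibana GET /api/status."""
    return json.loads(body)["version"]["number"]

def release_line(version):
    if version[:2] == (7, 17):
        return "7.17"
    return "8" if version[0] == 8 else None  # older lines: no fix version in the advisory

def unfixed_cves(product, version_text):
    """Map each advisory CVE the installed version does not fix to the reason.
    Assumption: a version counts as fixed once it reaches the fix version of its own line."""
    installed = parse_version(version_text)
    line = release_line(installed)
    findings = {}
    for cve, fixes in FIX_VERSIONS[product].items():
        fix = fixes.get(line)
        if fix is None:
            findings[cve] = "no fix version listed for this release line; review"
        elif installed < fix:
            findings[cve] = "below fix version " + ".".join(map(str, fix))
    return findings

if __name__ == "__main__":
    # Constructed sample responses in the shape the two status endpoints return.
    es_body = '{"name": "node-1", "version": {"number": "7.17.20"}}'
    kb_body = '{"status": {}, "version": {"number": "8.14.1"}}'
    print(unfixed_cves("elasticsearch", version_from_status(es_body)))
    print(unfixed_cves("kibana", version_from_status(kb_body)))
```

A sidecar Elasticsearch cannot be patched through Liferay hotfixes, so a finding against it means moving to a standalone server at or above the fix version rather than waiting for a hotfix.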


  • Elastic, Elasticsearch, and X-Pack are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.
