Elasticsearch and Liferay Enterprise Search Security Advisory: February 2019

Published: February 19, 2019

The following issue may compromise the security of your Liferay DXP and Enterprise Search environment. This notification provides a description of the latest security vulnerability and recommended actions for Liferay Enterprise Search Subscribers.

Security Alert

Elastic Stack 6.6.1 and 5.6.15 security update

Affected Version(s)

  • Elasticsearch Security versions before 5.6.15 and 6.6.1
  • Kibana versions before 5.6.15 and 6.6.1
  • Logstash versions before 6.6.1 and 5.6.15

Vulnerability Information

  • CVE-2019-7608: Kibana XSS issue (ESA-2019-01)
  • CVE-2019-7609: Kibana Timelion Remote Code Execution issue (ESA-2019-02)
  • CVE-2019-7610: Kibana audit logging Remote Code Execution issue (ESA-2019-03)
  • CVE-2019-7612: Logstash sensitive data disclosure issue (ESA-2019-05)
  • CVE-2019-7611: Elasticsearch improper permission issue when attaching a new name to an index (ESA-2019-04)
    • Note: The Liferay Elasticsearch 6 connector, when used in Embedded mode, operates with the recommended secure setting by default.

Mitigation

Please refer to the security vulnerability page.

Search Engine Compatibility Matrix

Refer to the information here for detailed Elasticsearch compatibility, including the compatible connector versions and required patch levels.


Elastic, Elasticsearch, and X-Pack are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.
