Security
Voltar para Security Alert
- [LES] Elastic's Response to Log4j Exploit (CVE-2021-44228)
- Alerta de Segurança do Jenkins 2024-01-24: CVE-2024-23897
- ClamAV HFS+ Alerta de Segurança: CVE-2023-20032
- Dec 16 Liferay’s Update about Log4j vulnerabilities CVE-2021-4104, CVE-2021-44228 and CVE-2021-45046
- Dec 18 Liferay’s Update about Log4j CVE-2021-45105
- Delayed: Disabling TLS 1.0 for Inbound Traffic on Liferay Services and Websites
- Disabling TLS 1.0 for Inbound Traffic on Liferay Services and Websites
- Elasticsearch and Liferay Enterprise Search Security Advisory: 2018 November
- Elasticsearch and Liferay Enterprise Search Security Advisory: April 2, 2020
- Elasticsearch and Liferay Enterprise Search Security Advisory: April 28, 2021
- Elasticsearch and Liferay Enterprise Search Security Advisory: April 7, 2021
- Elasticsearch and Liferay Enterprise Search Security Advisory: August 23, 2021
- Elasticsearch and Liferay Enterprise Search Security Advisory: August 5, 2020
- Elasticsearch and Liferay Enterprise Search Security Advisory: Dec 11, 2021 (Log4j2, CVE-2021-44228, CVE-2021-45046,CVE-2021-45105)
- Elasticsearch and Liferay Enterprise Search Security Advisory: February 2019
- Elasticsearch and Liferay Enterprise Search Security Advisory: January 15, 2021
- Elasticsearch and Liferay Enterprise Search Security Advisory: January 16, 2020
- Elasticsearch and Liferay Enterprise Search Security Advisory: July 12, 2021
- Elasticsearch and Liferay Enterprise Search Security Advisory: July 23, 2021
- Elasticsearch and Liferay Enterprise Search Security Advisory: June 2, 2021
- Elasticsearch and Liferay Enterprise Search Security Advisory: June 4, 2020
- Elasticsearch and Liferay Enterprise Search Security Advisory: March 2020
- Elasticsearch and Liferay Enterprise Search Security Advisory: March 9, 2021
- Elasticsearch and Liferay Enterprise Search Security Advisory: Nov 12, 2021
- Elasticsearch and Liferay Enterprise Search Security Advisory: October 2019
- Elasticsearch and Liferay Enterprise Search Security Advisory: October 22, 2020
- Elasticsearch and Liferay Enterprise Search Security Advisory: Sept 2, 2021
- Elasticsearch and Liferay Enterprise Search Security Advisory: September 2, 2020
- Elastic Security Statement for CVE-2024-3094, xz versions 5.6.0 and 5.6.1
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2022-1364
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2022-23707
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2022-23708, CVE-2022-23709, CVE-2022-23710
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2022-23711
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2022-23713
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2022-38779
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2022-38900
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2023-1370
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2023-31414, CVE-2023-31415, CVE-2023-26486, CVE-2023-26487
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2023-31417
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2023-31418, CVE-2023-31419, CVE-2023-31422
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2023-46671, CVE-2023-46673
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2023-46675, CVE-2023-49921
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-12539
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-12556, CVE-2024-52974, CVE-2024-52980, CVE-2024-52981
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-23445, CVE-2024-37279, CVE-2024-37280, CVE-2024-23442, CVE-2024-23443, CVE-2024-2887, CVE-2024-37281, CVE-2024-37287, CVE-2024-23444
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-23446, CVE-2023-7024
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-23449
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-23450
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-37285, CVE-2024-37288
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-43706, CVE-2025-2135, CVE-2025-25012 (Kibana)
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-43709, CVE-2024-52973, CVE-2024-43710, CVE-2024-43707, CVE-2024-52972, CVE-2024-43708
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2025-25012
- Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2025-25014, CVE-2024-52979, CVE-2024-11390, CVE-2025-25016
- Elastic Stack and Liferay Enterprise Search Security Advisory: Security Statement for OpenSSL CVE-2022-3786 and CVE-2022-3602, OpenSSL version 3.0.7
- Elastic Stack and Liferay Enterprise Search Security Advisory: Security Statement for Oracle July Critical Patch Update CVE-2022-21540, CVE-2022-21541, CVE-2022-21549, CVE-2022-25647, CVE-2022-34169
- Elastic Stack and Liferay Enterprise Search Security Advisory: Security Statement regarding CVE-2022-1471
- Follow-Up Security Alert for LSV-412 and LSV-545
- Liferay Cloud Security Alert: June 2019
- Liferay Enterprise Search Support Alert: Action Required by June 24 2019
- Liferay SaaS Security Alert: March 2020
- Liferay Security Alert: 2018 August
- Liferay Security Alert: 2019 January
- Liferay Security Alert: 2019 June
- Liferay Security Alert: 2019 November
- Liferay Security Alert: 2019 October
- Liferay Security Alert: 2020 February
- Liferay Security Alert: 2020 July
- Liferay Security Alert: 2020 March
- Liferay Security Alert: 2020 May
- Liferay Security Alert: 2021 April
- Liferay Security Alert: 2022 April
- Liferay Security Alert: December 2018
- Liferay Security Alert for Liferay DXP
- Liferay’s Statement about CVE-2021-44228 (Log4j vulnerability)
- Liferay’s Statement about recent Log4j vulnerabilities
- Reminder: Follow-Up Security Alert for LSV-412 and LSV-545
- Spring4Shell and Spring Cloud Security Advisory
- TLS 1.0 Disabled for Inbound Traffic on Liferay Services and Websites
- Update: Log4j Security Advisory
Elasticsearch and Liferay Enterprise Search Security Advisory: July 12, 2021
The following issues may affect the functionality of your Liferay DXP, Liferay Enterprise Search environment and your Elastic Stack.
Deployments which might be impacted
- Elasticsearch 6.x before 6.8.17
- Elasticsearch 7.x before 7.13.3
Vulnerability Information
Elasticsearch Denial of Service issue (ESA-2021-15)
An uncontrolled recursion vulnerability that could lead to a denial of service attack was identified in the Elasticsearch Grok parser. A user with the ability to submit arbitrary queries to Elasticsearch could create a malicious Grok query that will crash the Elasticsearch node.
Affected Versions:
Elasticsearch versions prior to 7.13.3 and 6.8.17
Solutions and Mitigations:
Users should update their version of Elasticsearch to 7.13.3 or 6.8.17.
CVSSv3: 5.7 - AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2021-22144
CWE: CWE-674: Uncontrolled Recursion
Additional Information
Liferay DXP and Liferay Commerce products are not using Elasticsearch's Grok capabilities out-of-the-box.
Search Engine Compatibility Matrix
Reference the information here for the detailed Elasticsearch compatibility including the compatible connector versions and required patch levels.
Vendor References
https://discuss.elastic.co/t/elasticsearch-7-13-3-and-6-8-17-security-update/278100
Elastic, Elasticsearch, and X-Pack are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.
On this page