Elasticsearch and Liferay Enterprise Search Security Advisory: 2018 November
Published: November 26, 2018
The following issue may compromise the security of your Liferay Enterprise Search environment. This notification provides a description of the latest security vulnerability and recommended actions for Liferay Enterprise Search Subscribers.
General Information
Elastic has recently identified that the Kibana reporting feature used to generate PDF reports unintentionally transmits user authentication credentials (i.e., the Kibana username and password in a reversibly encoded form, not a one-way hash, so the plaintext can be recovered) in the HTTP headers used to request data from external resources whose data may be incorporated into the report. Any external server that received such a request, or any intermediary that logged its headers, may therefore hold the user's credentials.
Security Alert: CVE-2018-17245
Affected Version(s)
- Elastic Stack 6.1
Vulnerability Information
- This issue affects Kibana users on versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 of the Elastic Stack for both self-managed and hosted deployments. It affects users who have used Kibana’s PDF reporting feature to include data from external resources. It is not triggered by requests to generate CSV reports.
- The affected version compatible with Liferay DXP 7.0 or 7.1 is Elastic Stack 6.1.
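The following is an added example, not code from the advisory, from Liferay, or from Elastic. It shows one way to check whether a reporting job leaked credentials: scan captured outbound request headers from the Kibana host, flag any request that carries an Authorization header to a host outside the Elastic Stack itself, and decode the value to show that it is reversible. The capture format, the trusted host names, and the use of HTTP Basic authentication for the header are assumptions for illustration; the sample capture is constructed.

```python
"""Flag credential leakage to external resources in captured reporting traffic.

Added example; assumes a simple text capture (one request per record, blank
line separated, first line 'METHOD url', then 'Header: value' lines) and that
the leaked credential is sent as HTTP Basic authentication.
"""
import base64
import binascii
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Hosts the reporting job legitimately authenticates to (assumed: the
# Elasticsearch and Kibana nodes). Anything else counts as an external resource.
TRUSTED_HOSTS = {"es.internal.example", "kibana.internal.example"}


@dataclass
class Finding:
    url: str
    host: str
    scheme: str            # authentication scheme seen in the header
    username: Optional[str]  # recovered from Basic credentials, if decodable


def decode_basic(header_value: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an 'Authorization: Basic ...' value.

    Basic credentials are base64, which is an encoding and not a hash, so the
    plaintext comes straight back. Returns None for other schemes or bad input.
    """
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def parse_capture(capture: str) -> List[Tuple[str, Dict[str, str]]]:
    """Parse the assumed capture format into (url, headers) pairs."""
    requests = []
    for record in capture.strip().split("\n\n"):
        lines = [line for line in record.splitlines() if line.strip()]
        if not lines:
            continue
        _method, _, url = lines[0].partition(" ")
        headers: Dict[str, str] = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
        requests.append((url.strip(), headers))
    return requests


def find_leaks(capture: str, trusted_hosts=TRUSTED_HOSTS) -> List[Finding]:
    """Return one Finding per authenticated request to a non-trusted host."""
    findings = []
    for url, headers in parse_capture(capture):
        host = urlsplit(url).hostname or ""
        auth = headers.get("authorization")
        if auth is None or host in trusted_hosts:
            continue
        creds = decode_basic(auth)
        findings.append(Finding(url=url, host=host,
                                scheme=auth.split(None, 1)[0],
                                username=creds[0] if creds else None))
    return findings


def leaked_usernames(capture: str) -> List[str]:
    """Distinct usernames whose credentials left the trusted hosts (rotate these)."""
    return sorted({f.username for f in find_leaks(capture) if f.username})


# Constructed sample capture. The Basic value encodes "kibana_user:s#cr3t";
# the first request goes to the cluster, the second leaks the same header to a
# third-party host, the third fetches an external resource without credentials.
SAMPLE_CAPTURE = """\
GET https://es.internal.example:9200/logs-*/_search
Authorization: Basic a2liYW5hX3VzZXI6cyNjcjN0
Accept: application/json

GET https://cdn.example.org/charts/logo.png
Authorization: Basic a2liYW5hX3VzZXI6cyNjcjN0
Accept: image/png

GET https://cdn.example.org/public/style.css
Accept: text/css
"""

if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_CAPTURE):
        print(f"{finding.scheme} credentials for {finding.username!r} sent to {finding.host}: {finding.url}")
    print("rotate:", leaked_usernames(SAMPLE_CAPTURE))
```

Run against the constructed capture, the script reports one leak (the logo fetch from cdn.example.org) and lists `kibana_user` as the account to rotate; the cluster query and the unauthenticated stylesheet fetch are not flagged. The same logic applies to proxy or egress logs that record request headers, which is usually where such a capture would come from in practice.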
Resolution
If you are an affected Kibana user (i.e., (i) you have used Kibana's PDF reporting feature to include data from external resources and (ii) you are on one of the affected versions described above), then you should consider changing your credentials as described in this Elastic blog post. Because the credentials were sent to the external resources themselves, rotating the password of every Kibana user who generated such reports is the only way to be sure a recipient of those requests can no longer use them.
Search Engine Compatibility Matrix
Refer to the information here for the detailed Elasticsearch compatibility matrix, including the compatible connector versions and required patch levels.
Elastic, Elasticsearch, and X-Pack are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.