Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-37285, CVE-2024-37288
The following issues may affect your Liferay-Elastic stack.
Vulnerability Information
| CVE | Severity | Vulnerability Summary | Affected Product | Affected Versions | Solutions & Mitigations |
| --- | --- | --- | --- | --- | --- |
| CVE-2024-37288 | CVSS v3.1: 9.9 (Critical) | Kibana arbitrary code execution via YAML deserialization in Amazon Bedrock Connector | Kibana | 8.15.0 | Learn more. |
| CVE-2024-37285 | CVSS v3.1: 9.1 (Critical) | Kibana arbitrary code execution via YAML deserialization | Kibana | 8.10.0 to 8.15.0 | |
Additional Information
General note on CVEs affecting Kibana: Liferay DXP and the Liferay Enterprise Search Monitoring application, which integrates Kibana's UI into Liferay DXP as a proxy, do not include the binaries of the Kibana application itself. It is therefore not possible to patch or update Kibana by installing Liferay hotfixes or by upgrading to newer quarterly releases; Kibana must be updated on the Elastic stack itself. In addition, Liferay has no further information about these vulnerabilities or their exploitability beyond what is shared in the public security alerts issued by the vendor (Elastic).
Search Engine Compatibility
As usual, Liferay recommends that its customers upgrade their production Elastic stack to the latest available and compatible version. Reference the information here for the detailed Elasticsearch compatibility matrix, including the compatible connector versions and the required quarterly release/update and patch levels.
- Elastic, Elasticsearch, and X-Pack are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.