Elasticsearch and Liferay Enterprise Search Security Advisory: CVE-2018-3831

CVE-2018-3831 reports that, "Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens, or usernames. This could allow an authenticated Elasticsearch user to improperly view these details."

Elastic confirmed these vulnerabilities in the following security announcement: Elastic Stack 6.4.1 and 5.6.12 security update.

Resolution

Liferay products integrated with Elasticsearch (Liferay Connector to Elasticsearch 6, Liferay Enterprise Search Monitoring and Liferay Enterprise Search Security) use the Java Transport Client to communicate with the Elasticsearch server. That being the case, there are no components in the product making calls to the REST API (_cluster/settings), therefore, the vulnerability can not be exploited through Liferay DXP. 

Additional Information

Considering that Liferay Connector to Elasticsearch 6 and the Liferay Enterprise Search connectors (version 2.0) are currently supported to work with Elasticsearch version 6.1.x, Liferay Support is testing if the current integration is compatible with newer Elasticsearch versions as well (see LPS-86392).

Once our testing is complete, this article will be updated to inform customers about additional mitigation options.

Search Engine Compatibility Matrix

Reference the information here for the detailed Elasticsearch compatibility including the compatible connector versions and required patch levels.


Elastic, Elasticsearch, and X-Pack are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.

Was this article helpful?
0 out of 0 found this helpful