Details
- Bug
- Status: Closed
- Minor
- Resolution: Fixed
- 7.1 DXP (7.1.10), 7.2 DXP (7.2.10)
- 3.7
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
- 20
- 9
Description
The Liferay Connector to Elasticsearch 6 and Liferay Connector to Elasticsearch 7 modules in Liferay DXP 7.0, 7.1 and 7.2 are bundled with Log4j 2.11.2†, which has known vulnerabilities. For more details, please see https://nvd.nist.gov/vuln/search/results?adv_search=true&cpe_version=cpe%3a%2fa%3aapache%3alog4j%3a2.11.2%3a-
DXP | Elasticsearch Connector | Affects Version | Fixed Version |
---|---|---|---|
DXP 7.0 | Portal Search Elasticsearch 2.x | Not Affected | N/A |
DXP 7.0 | Connector to Elasticsearch 6 (Marketplace) | v1.1.0 and below | Future version* |
DXP 7.1 | Connector to Elasticsearch 6 (bundled) | FP19 and below | SP5+/FP20+ |
DXP 7.2 | Connector to Elasticsearch 6 (bundled) | FP7 and below | SP3+/FP8+ |
DXP 7.2 | Connector to Elasticsearch 7 (Marketplace) | v3.0.1 and below | v3.1.0+ |
*: Subscribers can also request the fix to be provided in a Hotfix LPKG through Liferay Support.