ClamAV HFS+ Security Advisory: CVE-2023-20032
References:
- https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20032
Severity: Critical
Vulnerability summary
A vulnerability in the HFS+ partition file parser of ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier could allow an unauthenticated, remote attacker to execute arbitrary code.
Liferay PaaS customers, and customers running Liferay DXP or Liferay Portal EE on premises, who have installed and use ClamAV are advised to upgrade to version 1.0.1, 0.103.8 or 0.105.2. Customers who do not use ClamAV are not affected.
Liferay SaaS customers are protected.
What is the concern?
CVE-2023-20032 is a remote code execution vulnerability that is triggered when ClamAV scans a malicious file. Liferay products do not bundle the ClamAV software and are not vulnerable in a default installation.
Liferay DXP and Liferay Portal can be vulnerable when ClamAV is configured to scan the Document Library or to scan temporary folders (for example, /tmp or <<tomcat>>/temp).
An attacker who exploits the vulnerability may gain access to the files of Liferay DXP/Portal. Depending on the operating-system privileges of the ClamAV user, the attacker could escalate that access to take full control of the DXP/Portal installation.
How can I detect whether I am affected?
Liferay SaaS customers are protected.
Liferay PaaS customers should check their GitHub, Bitbucket or GitLab repositories. They can also use the Liferay Cloud Console Services to verify which Docker image version they are using. Optionally, they can use Shell access to check the ClamAV version.
On-premises customers can use operating-system commands to check the running ClamAV version:
clamscan --version
clamd --version
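As an added example, not part of Liferay's advisory or of ClamAV, the following POSIX shell function parses the first line of the `clamscan --version` / `clamd --version` output and reports whether that version falls inside the affected ranges listed above. It assumes the output begins with `ClamAV <major>.<minor>.<patch>/...`; the sample version strings used in the comments are constructed.

```shell
#!/bin/sh
# Added example, not Liferay's or ClamAV's own code. Classifies a ClamAV
# version against the ranges CVE-2023-20032 affects (per the advisory):
#   affected: 1.0.0 and earlier, 0.105.1 and earlier, 0.103.7 and earlier
#   fixed:    1.0.1, 0.105.2, 0.103.8
# Assumes --version output starts "ClamAV <major>.<minor>.<patch>/...",
# e.g. the constructed sample "ClamAV 0.103.7/26831/Tue Feb 14 08:26:51 2023".

# clamav_status "<first line of clamscan/clamd --version>"
# Prints one of: fixed, vulnerable, unknown.
clamav_status() {
    ver=$(printf '%s\n' "$1" | sed -n '1s/^ClamAV \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return 0; }
    major=${ver%%.*}
    rest=${ver#"$major"}; rest=${rest#.}
    minor=${rest%%.*}
    rest=${rest#"$minor"}; rest=${rest#.}
    patch=${rest%%.*}
    : "${minor:=0}" "${patch:=0}"
    case "$major.$minor" in
        1.0)   [ "$patch" -ge 1 ] && echo fixed || echo vulnerable ;;  # 1.0.1 fixes
        0.105) [ "$patch" -ge 2 ] && echo fixed || echo vulnerable ;;  # 0.105.2 fixes
        0.103) [ "$patch" -ge 8 ] && echo fixed || echo vulnerable ;;  # 0.103.8 fixes
        *)
            # Anything newer than 1.0.x is fixed; any other 0.x branch
            # (e.g. 0.104, 0.102) is "1.0.0 and earlier" with no patch release.
            if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -gt 0 ]; }; then
                echo fixed
            else
                echo vulnerable
            fi ;;
    esac
}

# Checks whichever ClamAV binaries are on PATH; prints "<binary>: <status>".
check_installed_clamav() {
    for bin in clamscan clamd; do
        command -v "$bin" >/dev/null 2>&1 || continue
        printf '%s: %s\n' "$bin" "$(clamav_status "$("$bin" --version 2>/dev/null)")"
    done
}
```

Run `check_installed_clamav` on the host to classify the installed binaries; a result of `unknown` means the version string did not match the expected format and should be checked by hand.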
How can I mitigate my exposure?
To minimize the impact, customers can configure ClamAV to run on a separate server, as described in Enabling Antivirus Scanning for Uploaded Files.
How can I update ClamAV?
Liferay PaaS customers using the ClamAV Docker image should pull the latest version and build and deploy it like any standard LXC-SM service.
Customers running ClamAV on their own Linux servers should use the operating system's package manager, or download and install the software directly from https://www.clamav.net/downloads.
Questions?
Please contact Liferay Support or your Customer Success Manager for more information.