Vulnerability Summary

On Mar 31, 2022, critical vulnerabilities CVE-2022-22963 and CVE-2022-22965 were published in the Spring Framework versions 5.3.17 and older. Spring is a project that develops and maintains libraries that are often used by Java-based applications.

What is the concern?

The vulnerabilities outlined above can be used via HTTP request to trigger remote code execution. Liferay recommends all customers take immediate steps to address the issues.

How is Liferay impacted?

While Liferay DXP and Liferay Portal contain the above-mentioned libraries there is no known way to exploit the vulnerabilities. Customers who are working with Liferay and have not deployed customizations will have no known ways to be affected by the exploit. However, customers who have written customizations that use the Spring MVC, Spring Webflux or Spring Cloud frameworks should review their code to ensure they are not exposed.

Below is a table outlining the affected versions of Liferay DXP and Portal as well as available patches for remediation:

Liferay Affected Version	Spring Web MVC Framework Affected Version	Liferay Patched Version
DXP 7.4	5.2.10	5.2.20 (Scheduled for U19)
DXP 7.3	5.2.10	5.2.20
DXP 7.0, 7.1, 7.2	4.3.30	4.3.30.LIFERAY-PATCHED-1
Portal 6.1, 6.2	3.0.7	3.0.7.LIFERAY.PATCHED-1

How can I check and mitigate my exposure?

For Liferay installations that include custom code, please refer to the following announcements:

• CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression
• CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+
• Spring Organizational Announcement (including temporary work around)

Liferay recommends any customer with custom plugins or in-flight extensions that leverage the Spring frameworks in question, to review the versions currently in use and, if necessary, upgrade their Spring libraries to patched versions.

Will there be a formal fix for this issue?

Spring has released Spring Framework versions 5.3.18 and 5.2.20 which addresses this vulnerability. Any plugins that are deemed to be exposed should be updated to use the patched versions of the aforementioned Spring libraries.

Emergency hotfixes of the patched or updated Spring Web MVC libraries are available now upon request. You can request a hotfix by submitting a support ticket HERE. 

For unreleased versions of Liferay DXP or Liferay Portal which are in active service life, Liferay has patched or updated the Spring Web MVC library to be released in a future fix pack/update.

What if I am a DXP Cloud customer?

Customers on Liferay DXP Cloud are recommended to apply the steps above to mitigate vulnerabilities on affected versions.

Questions?

Please contact Liferay Support or your Customer Success Manager for additional information.