Security
 - [LES] Elastic's Response to Log4j Exploit (CVE-2021-44228)
 - Jenkins Security Alert 2024-01-24: CVE-2024-23897
 - ClamAV HFS+ Security Alert: CVE-2023-20032
 - Dec 16 Liferay’s Update about Log4j vulnerabilities CVE-2021-4104, CVE-2021-44228 and CVE-2021-45046
 - Dec 18 Liferay’s Update about Log4j CVE-2021-45105
 - Delayed: Disabling TLS 1.0 for Inbound Traffic on Liferay Services and Websites
 - Disabling TLS 1.0 for Inbound Traffic on Liferay Services and Websites
 - Elasticsearch and Liferay Enterprise Search Security Advisory: 2018 November
 - Elasticsearch and Liferay Enterprise Search Security Advisory: April 2, 2020
 - Elasticsearch and Liferay Enterprise Search Security Advisory: April 28, 2021
 - Elasticsearch and Liferay Enterprise Search Security Advisory: April 7, 2021
 - Elasticsearch and Liferay Enterprise Search Security Advisory: August 23, 2021
 - Elasticsearch and Liferay Enterprise Search Security Advisory: August 5, 2020
 - Elasticsearch and Liferay Enterprise Search Security Advisory: Dec 11, 2021 (Log4j2, CVE-2021-44228, CVE-2021-45046,CVE-2021-45105)
 - Elasticsearch and Liferay Enterprise Search Security Advisory: February 2019
 - Elasticsearch and Liferay Enterprise Search Security Advisory: January 15, 2021
 - Elasticsearch and Liferay Enterprise Search Security Advisory: January 16, 2020
 - Elasticsearch and Liferay Enterprise Search Security Advisory: July 12, 2021
 - Elasticsearch and Liferay Enterprise Search Security Advisory: July 23, 2021
 - Elasticsearch and Liferay Enterprise Search Security Advisory: June 2, 2021
 - Elasticsearch and Liferay Enterprise Search Security Advisory: June 4, 2020
 - Elasticsearch and Liferay Enterprise Search Security Advisory: March 2020
 - Elasticsearch and Liferay Enterprise Search Security Advisory: March 9, 2021
 - Elasticsearch and Liferay Enterprise Search Security Advisory: Nov 12, 2021
 - Elasticsearch and Liferay Enterprise Search Security Advisory: October 2019
 - Elasticsearch and Liferay Enterprise Search Security Advisory: October 22, 2020
 - Elasticsearch and Liferay Enterprise Search Security Advisory: Sept 2, 2021
 - Elasticsearch and Liferay Enterprise Search Security Advisory: September 2, 2020
 - Elastic Security Statement for CVE-2024-3094, xz versions 5.6.0 and 5.6.1
 - Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2022-1364
 - Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2022-23707
 - Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2022-23708, CVE-2022-23709, CVE-2022-23710
 - Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2022-23711
 - Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2022-23713
 - Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2022-38779
 - Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2022-38900
 - Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2023-1370
 - Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2023-31414, CVE-2023-31415, CVE-2023-26486, CVE-2023-26487
 - Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2023-31417
 - Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2023-31418, CVE-2023-31419, CVE-2023-31422
 - Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2023-46671, CVE-2023-46673
 - Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2023-46675, CVE-2023-49921
 - Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-12539
 - Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-12556, CVE-2024-52974, CVE-2024-52980, CVE-2024-52981
 - Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-23445, CVE-2024-37279, CVE-2024-37280, CVE-2024-23442, CVE-2024-23443, CVE-2024-2887, CVE-2024-37281, CVE-2024-37287, CVE-2024-23444
 - Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-23446, CVE-2023-7024
 - Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-23449
 - Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-23450
 - Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-37285, CVE-2024-37288
 - Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-43706, CVE-2025-2135, CVE-2025-25012 (Kibana)
 - Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2024-43709, CVE-2024-52973, CVE-2024-43710, CVE-2024-43707, CVE-2024-52972, CVE-2024-43708
 - Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2025-25012
 - Elastic Stack and Liferay Enterprise Search Security Advisory: CVE-2025-25014, CVE-2024-52979, CVE-2024-11390, CVE-2025-25016
 - Elastic Stack and Liferay Enterprise Search Security Advisory: Security Statement for OpenSSL CVE-2022-3786 and CVE-2022-3602, OpenSSL version 3.0.7
 - Elastic Stack and Liferay Enterprise Search Security Advisory: Security Statement for Oracle July Critical Patch Update CVE-2022-21540, CVE-2022-21541, CVE-2022-21549, CVE-2022-25647, CVE-2022-34169
 - Elastic Stack and Liferay Enterprise Search Security Advisory: Security Statement regarding CVE-2022-1471
 - Follow-Up Security Alert for LSV-412 and LSV-545
 - Liferay Cloud Security Alert: June 2019
 - Liferay Enterprise Search Support Alert: Action Required by June 24 2019
 - Liferay SaaS Security Alert: March 2020
 - Liferay Security Alert: 2018 August
 - Liferay Security Alert: 2019 January
 - Liferay Security Alert: 2019 June
 - Liferay Security Alert: 2019 November
 - Liferay Security Alert: 2019 October
 - Liferay Security Alert: 2020 February
 - Liferay Security Alert: 2020 July
 - Liferay Security Alert: 2020 March
 - Liferay Security Alert: 2020 May
 - Liferay Security Alert: 2021 April
 - Liferay Security Alert: 2022 April
 - Liferay Security Alert: December 2018
 - Liferay Security Alert for Liferay DXP
 - Liferay’s Statement about CVE-2021-44228 (Log4j vulnerability)
 - Liferay’s Statement about recent Log4j vulnerabilities
 - Reminder: Follow-Up Security Alert for LSV-412 and LSV-545
 - Spring4Shell and Spring Cloud Security Advisory
 - TLS 1.0 Disabled for Inbound Traffic on Liferay Services and Websites
 - Update: Log4j Security Advisory
 
ClamAV HFS+ Security Alert: CVE-2023-20032
References:
 - https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20032
 
Severity: Critical
Vulnerability Summary
A vulnerability in the HFS+ partition file parser of ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier could allow an unauthenticated remote attacker to execute arbitrary code.
Liferay PaaS customers, and customers running Liferay DXP or Liferay Portal EE on premises, who have installed and use ClamAV should update to version 1.0.1, 0.103.8, or 0.105.2. Customers who do not use ClamAV are not affected.
Liferay SaaS customers are protected.
What is the concern?
CVE-2023-20032 is a Remote Code Execution vulnerability that is triggered when ClamAV scans a malicious file. Liferay products do not ship with ClamAV and are not vulnerable in the default installation configuration.
Liferay DXP and Liferay Portal can be vulnerable when ClamAV is configured to scan the Liferay DXP/Portal document library or to scan temporary folders (for example /tmp or the <<tomcat>>/temp folder).
An attacker who exploits the vulnerability could gain access to Liferay DXP/Portal files. Depending on the operating-system privileges of the user ClamAV runs as, the attacker may be able to escalate that access and obtain full control of the DXP/Portal installation.
How can I tell if I am impacted?
Liferay SaaS customers are protected.
Liferay PaaS customers should check their repositories on GitHub, Bitbucket, or GitLab. They can also use the Liferay Cloud Console services to check the version of the Docker image they are using. Optionally, they can use shell access to check the ClamAV version.
On-premise customers can use OS commands to check the version of ClamAV that is running:
clamscan --version
clamd --version
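The following POSIX shell script is an added example and is not part of Liferay's advisory or of ClamAV's own tooling. It parses the first line of `clamscan --version` / `clamd --version` output and classifies the version against the three fixed releases named in this advisory (1.0.1, 0.105.2, 0.103.8), printing the release to move to when the running version is affected. The sample output string is constructed; the only assumption about real output is the `ClamAV X.Y.Z/...` prefix that both commands print.

```shell
#!/bin/sh
# Added example (not Liferay's or ClamAV's code): classify a ClamAV version
# against the CVE-2023-20032 fixed releases 1.0.1, 0.105.2 and 0.103.8.

# Extract "X.Y.Z" from the first line of `clamscan --version` / `clamd --version`
# output, which looks like "ClamAV 0.105.1/26812/Wed Feb 15 08:16:02 2023".
clamav_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^ClamAV \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p'
}

# Print "affected <fixed-version>" or "fixed" for a dotted version string.
# Affected per the advisory: 1.0.0 and earlier, 0.105.1 and earlier,
# 0.103.7 and earlier. Fixed: 1.0.1+, 0.105.2+, 0.103.8+.
clamav_status() {
    ver="$1"
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}   # drop any suffix such as "-rc1"
    if [ "$major" -ge 1 ]; then
        if [ "$major" -eq 1 ] && [ "$minor" -eq 0 ] && [ "$patch" -eq 0 ]; then
            echo "affected 1.0.1"
        else
            echo "fixed"
        fi
    elif [ "$minor" -eq 105 ]; then
        if [ "$patch" -ge 2 ]; then echo "fixed"; else echo "affected 0.105.2"; fi
    elif [ "$minor" -eq 103 ]; then
        if [ "$patch" -ge 8 ]; then echo "fixed"; else echo "affected 0.103.8"; fi
    elif [ "$minor" -eq 104 ]; then
        echo "affected 0.105.2"   # 0.104.x has no fixed release; nearest fixed line is 0.105.2
    else
        echo "affected 1.0.1"     # anything older: move to the current 1.0 line
    fi
}

# Use the real command when present; otherwise fall back to a constructed
# sample (not captured from a real host) so the script runs offline.
SAMPLE='ClamAV 0.105.1/26812/Wed Feb 15 08:16:02 2023'
if command -v clamscan >/dev/null 2>&1; then
    out=$(clamscan --version)
else
    out=$SAMPLE
fi
v=$(clamav_version_from_output "$out")
echo "ClamAV $v: $(clamav_status "$v")"
```

Run it on every host where clamd is deployed, not only on the Liferay application server. If both `clamscan` and `clamd` are installed from different packages their versions can differ, so check the binary that actually performs the document-library scan.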
How can I reduce my exposure?
To minimize the impact, customers can configure ClamAV to run on a separate server, as described in Enabling Antivirus Scanning for Uploaded Files.
How can I update ClamAV?
Liferay PaaS customers using the ClamAV Docker image should pull the latest version, then build and deploy it like any standard Liferay PaaS service.
Customers running ClamAV on their own Linux servers should use the OS package manager, or download and install the software directly from https://www.clamav.net/downloads.
Questions?
Please contact Liferay Support or your Customer Success Manager for additional information.