Spring4Shell and Spring Cloud Security Advisory

Note: Liferay has renamed its Liferay Experience Cloud offerings to Liferay SaaS (formerly LXC) and Liferay PaaS (formerly LXC-SM).

Vulnerability Summary

As of Mar 31, 2022, two critical vulnerabilities had been published: CVE-2022-22965 ("Spring4Shell") in Spring Framework versions 5.3.17, 5.2.19 and older, and CVE-2022-22963 in Spring Cloud Function versions 3.2.2, 3.1.6 and older. Spring is a project that develops and maintains libraries widely used by Java-based applications.

What is the concern?

Both vulnerabilities can be triggered by a crafted HTTP request and lead to remote code execution on the server. Liferay recommends that all customers take immediate steps to address them.

How is Liferay impacted?

Liferay DXP and Liferay Portal ship the libraries named above, but there is no known way to exploit the vulnerabilities through Liferay's own code. Customers running Liferay without customizations therefore have no known exposure. Customers who have written customizations that use Spring MVC, Spring WebFlux or Spring Cloud should review that code to ensure it is not exposed.

Below is a table outlining the affected versions of Liferay DXP and Portal as well as available patches for remediation:

Liferay Affected Version    Spring Web MVC Framework Affected Version    Liferay Patched Version
DXP 7.4                     5.2.10                                       5.2.20 (scheduled for U19)
DXP 7.3                     5.2.10                                       5.2.20
DXP 7.0, 7.1, 7.2           4.3.30                                       4.3.30.LIFERAY-PATCHED-1
Portal 6.1, 6.2             3.0.7                                        3.0.7.LIFERAY.PATCHED-1

How can I check and mitigate my exposure?

For Liferay installations that include custom code, please refer to the following announcements:

Liferay recommends that any customer with custom plugins or in-flight extensions that use the Spring frameworks in question review the Spring versions currently in use and, where necessary, upgrade those libraries to the patched versions. When reviewing custom code, keep in mind the preconditions Spring's advisory gives for CVE-2022-22965: the application runs on JDK 9 or later, is deployed as a WAR on Apache Tomcat, and has a Spring MVC or WebFlux controller that binds request parameters into a Java object. CVE-2022-22963 requires the Spring Cloud Function routing functionality to be in use. Code that meets none of these conditions is not known to be exploitable, but upgrading the library remains the recommended fix.

Will there be a formal fix for this issue?

Spring has released Spring Framework 5.3.18 and 5.2.20, which address CVE-2022-22965, and Spring Cloud Function 3.1.7 and 3.2.3, which address CVE-2022-22963. Any plugin found to be exposed should be updated to the patched version of the Spring library it uses.

Emergency hotfixes containing the patched or updated Spring Web MVC libraries are available now on request. You can request a hotfix by submitting a ticket with Liferay Support.

For Liferay DXP and Liferay Portal versions still in active service life, the patched or updated Spring Web MVC library will ship in a future fix pack or update.

What if I am a Liferay SaaS customer?

Liferay SaaS customers should apply the steps above to mitigate the vulnerabilities on affected versions.

Questions?

Please contact Liferay Support or your Customer Success Manager for additional information.
