Reminder: Follow-Up Security Alert for LSV-412 and LSV-545

General Information

Since our last follow-up announcement on April 2, 2020, there has been an increase in reported attempts to exploit Liferay sites through the vulnerabilities reported in LSV-412 and LSV-545.

Liferay strongly recommends that customers review their Liferay Portal 6.2 EE and DXP environments immediately to make sure they are running a patch level where these vulnerabilities are already fixed (see the fixed versions below). Customers who choose not to update to the appropriate patch level should follow the workaround described below.

Vulnerability

These vulnerabilities have already been addressed with the following security alerts:

Security Level

Severity Level 1

Instructions

Please refer to the Help Center pages referenced above to learn more about each vulnerability and to get information about the patch availability. As a quick reference, we have provided a list of the versions and patch levels where these vulnerabilities are already fixed:

  • Liferay Portal 6.2 EE Portal-171+
  • Liferay DXP 7.0 Fix Pack 87+ or Service Pack 12+
  • Liferay DXP 7.1 Fix Pack 15+ or Service Pack 3+
  • Liferay DXP 7.2 Fix Pack 2+ or Service Pack 1+

Workaround

As a temporary workaround, you can disable JSON Web Services by setting the following portal property to false:

 json.web.service.enabled=false

Note that setting this to false will prevent portlets that make JSON web service calls from working.

The recommended long-term solution is to move to a patch level where this issue is fixed.
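To confirm the workaround is actually in effect on a node, the added example below (not Liferay's own tooling) reads the body of a properties file and reports how `json.web.service.enabled` resolves. It assumes the override lives in a file such as portal-ext.properties, that a later definition of the key replaces an earlier one, and that an absent key leaves the portal default in place; the function name and sample file are constructed for illustration.

```python
import re
import sys

PROPERTY = "json.web.service.enabled"  # property named in the advisory

# Key, then '=', ':' or whitespace as separator, as java.util.Properties accepts.
# Backslash line continuations and escaped keys are not handled here.
_LINE = re.compile(r"^\s*([^\s=:#!][^\s=:]*)\s*[=:]?\s*(.*)$")


def workaround_state(text):
    """Return 'disabled', 'not-disabled' or 'unset' for PROPERTY."""
    value = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith(("#", "!")):
            continue  # blank line or comment
        m = _LINE.match(raw)
        if m and m.group(1) == PROPERTY:
            value = m.group(2)  # assumption: the last definition wins
    if value is None:
        return "unset"  # key absent: the portal default applies
    # Fail closed: only an exact "false" counts. Trailing whitespace is kept
    # (java.util.Properties keeps it too), so "false " is flagged for review.
    return "disabled" if value.lower() == "false" else "not-disabled"


# Constructed sample: an early "false" silently overridden further down.
SAMPLE = """\
# constructed sample portal-ext.properties
json.web.service.enabled=false
jdbc.default.username=liferay
json.web.service.enabled = true
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            # latin-1 decodes any byte; the key and value are plain ASCII
            with open(path, encoding="iso-8859-1") as fh:
                print(path, workaround_state(fh.read()))
    else:
        print("sample", workaround_state(SAMPLE))
```

Run it with one or more properties file paths as arguments; any result other than `disabled` means the workaround is not confirmed on that file.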
