Security Overview
Background Statement
Liferay is committed to producing software products that are enterprise grade not only with respect to quality and features, but also with respect to security. We understand that for our enterprise-class customers, ensuring that the software they implement into their IT stack is free of security vulnerabilities and similar concerns is of utmost importance.
We strongly believe that our open source community development model provides us with the best opportunities and resources to address these concerns. This development model provides access to a global community of developers that find and fix bugs and vulnerabilities. Further, we have developed a set of internal policies and practices to ensure that we promptly discover and address all security-related issues for our Subscription customers.
As a starting point, Liferay Digital Experience Platform and Liferay Portal utilize industry standard, government-grade encryption technologies, including advanced algorithms such as AES, 3-DES, and RSA. Additionally, Liferay Digital Experience Platform and Liferay Portal ship with robust user management and security features including password policies, user reminder settings, complete login security procedures and other varying layers of security controls that allow customizable access to sensitive information.
Secondly, Liferay utilizes a crack team of security experts who conduct regular "white hat" security evaluations. This ensures that the software provided to our users is as free as possible of security vulnerabilities.
Liferay also recognizes the important role that independent security researchers play, and we encourage responsible reporting of vulnerabilities discovered in our products. For more information about reporting vulnerabilities to Liferay, please see the following sections.
Reporting Security Issues
Like many other open source projects, Liferay believes in Responsible Disclosure. This means that when you report new bugs related to security vulnerabilities, you give Liferay some time to respond (evaluate, resolve) to those bugs before their details are publicly and fully disclosed.
- To notify Liferay of a vulnerability, Subscribers with Help Center access can create a ticket.
On the other hand, Responsible Disclosure also means that when you have discovered a possible security vulnerability, you do not do the following:
- Disclose possible exploits of the vulnerability.
- Disclose the details of the vulnerability on any public forum, including the Liferay Community forum, blogs, comment pages or other public locations.
- Disclose the details of the vulnerability in private before a fix is released.
You may test Liferay software source code for vulnerabilities, including through the utilization of third-party software. Any testing results and suspected vulnerabilities must be reported in accordance with the Responsible Disclosure policy, above.
Liferay Security Policy
Liferay has developed the following policy that applies to reported security issues in our software products:
Initial Report
Liferay can receive reports of security vulnerabilities from various sources (e.g. a JIRA or Help Center ticket, social media, external blogs, or internal discoveries). Within 72 hours of discovering or being notified of a potential vulnerability, Liferay will attempt to reproduce the issue using the supplied information. If the vulnerability is reproducible and a ticket does not already exist for it, a private (non-public) ticket will be created. The ticket will be classified into one of the pre-defined severity levels (see below), and the details of the vulnerability will be documented in this ticket.
Triage and Classification
Security Vulnerabilities are classified by Liferay into various severity levels based on a number of factors, the most important of which is the perceived risk to Liferay deployments generally.
- Severity Level 1 (SEV-1) - The most severe level, this includes vulnerabilities where complete system access is possible, including access to the underlying system's resources, the potential for data corruption or compromise, or the ability to execute arbitrary code by an attacker.
- Severity Level 2 (SEV-2) - Vulnerabilities in this level do not allow complete system access, but can impact service levels and system reliability, or affect systems other than Liferay itself. This typically includes Denial-of-Service vulnerabilities and related vulnerabilities.
- Severity Level 3 (SEV-3) - The least severe level, used for minor vulnerabilities, including cross-site scripting, permission problems, and information leaks.
Patch Availability & Notifications
- Severity Level 1 or 2: After a security patch has undergone rigorous testing and is ready for release, details of the vulnerability, any potential workarounds, and pointers to patches or other fixes will be made public through a security bulletin and Help Center announcement. The fixes for issues will be available on the Security Advisories page in the Help Center.
- Severity Level 3: Fixes for severity level 3 security vulnerabilities will be released in a fix pack for affected versions that are in the Premium Support Phase. These issues will be highlighted in a Help Center announcement.
Disclosure Policy
In keeping with the principles of Responsible Disclosure, Liferay will not disclose any information about security vulnerabilities beyond the details provided to all customers on the Security Advisories page in the Help Center and in the Release Notes (LPE) tickets, namely the CVE ID* and the CVSS (v3.0) Score and Vector String.**
This is for the safety and security of your Liferay deployment as well as the safety and security of all other Liferay customers. Specifically, Liferay will not provide any information about how to reproduce a security vulnerability or provide advance notice about critical patches or fixes to individual customers. Liferay reserves the right to not disclose any information about security vulnerabilities it believes in its sole judgment would either create additional risk to Liferay customers or would serve no material benefit to Liferay customers. These policies and practices mitigate, limit and control the risks of discovered vulnerabilities, protect the entire Liferay customer ecosystem and community, and provide the Liferay and community security experts the best environment for addressing security concerns.
* Since May 2020, CVE IDs are assigned to vulnerabilities with Severity Level 1 and 2.
** Since 2019.