Mathias Hegner
Does (Recently Fixed) Struts 2 Exploit Affect Liferay 5.2.3/6.1.1 ?
June 10, 2013 8:55 AM

Hi everybody,

Recently Apache fixed two bugs (CVE-2013-2115 and CVE-2013-1966) in Struts 2, which allowed for remote code execution via OGNL double evaluation.
An attack could be done via specially prepared HTTP requests; any code could be executed on the server.
Apache recommends using the newest patch (Struts 2.3.14.2) to avoid this critical problem.

Does anybody have an idea whether or not Liferay is affected by this exploit?
If so, will there be a fix for this problem?

Regards
Mathias Hegner
Holger Lierse
RE: Does (Recently Fixed) Struts 2 Exploit Affect Liferay 5.2.3/6.1.1 ?
July 7, 2013 9:13 PM

Hi Mathias,

Have you been able to find out if Liferay is impacted? I think Liferay 5.2.3 is running Struts 1.x so it shouldn't be impacted.

Thanks,

Holger
Jay M Kraly
RE: Does (Recently Fixed) Struts 2 Exploit Affect Liferay 5.2.3/6.1.1 ?
July 19, 2013 8:47 AM

Any response on this? It is a pretty serious security problem which should be addressed by Liferay if it is affected. If Liferay does use Struts 2, it is most likely vulnerable, as I doubt the 6.1.x version has been upgraded to the latest Struts release.
M J
RE: Does (Recently Fixed) Struts 2 Exploit Affect Liferay 5.2.3/6.1.1 ?
July 19, 2013 8:56 AM

I don't think Liferay uses Struts 2; it uses the previous version.

MJ
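
The question in this thread comes down to which Struts generation a deployment actually bundles. The following is an added example, not part of any post above and not Liferay's own tooling: it inventories Struts core jars under a directory and compares any Struts 2 version with 2.3.14.2, the release named in the first post. The Maven-style jar names, the verdict labels and the sample tree are assumptions constructed for illustration and say nothing about what a particular Liferay release ships.

```python
import re
import tempfile
from pathlib import Path

FIXED = (2, 3, 14, 2)  # Struts 2 release the thread names as carrying the fix
# Assumption: jars keep Maven-style names (struts2-core-<ver>.jar and so on).
JAR_RE = re.compile(r"^(struts2-core|struts-core|struts)(?:-(\d+(?:\.\d+)*))?\.jar$")


def classify(jar_name):
    """Return a verdict for a Struts core jar name, or None for other jars."""
    m = JAR_RE.match(jar_name)
    if not m:
        return None
    artifact, version = m.groups()
    if version is None:
        return "unknown-version"  # e.g. a bare struts.jar: read its manifest
    parts = tuple(int(p) for p in version.split("."))
    if artifact == "struts2-core":
        return "struts2-below-fix" if parts < FIXED else "struts2-fixed"
    return "struts1" if parts[0] == 1 else "unknown-version"


def scan(root):
    """Map each Struts core jar under root (posix relative path) to a verdict."""
    findings = {}
    for jar in sorted(Path(root).rglob("*.jar")):
        verdict = classify(jar.name)
        if verdict:
            findings[jar.relative_to(root).as_posix()] = verdict
    return findings


def demo():
    """Scan a constructed tree of empty files named like bundled jars."""
    names = ("struts-core-1.3.10.jar", "struts2-core-2.3.14.jar",
             "struts2-core-2.3.14.2.jar", "commons-lang.jar")
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "webapp" / "WEB-INF" / "lib"
        lib.mkdir(parents=True)
        for name in names:
            (lib / name).touch()
        return scan(tmp)


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:18} {path}")
```

The check is by file name only, so a renamed or repackaged jar is reported as `unknown-version` or not at all; confirm those cases from the jar's manifest.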