QUESTION: How are Liferay DXP 7.0 and 7.1, and Liferay Portal, affected by the following vulnerabilities?
- CVE-2016-1181: Arbitrary code execution, denial of service
- CVE-2016-1182: XSS and denial of service
- CVE-2012-1007: Multiple cross-site scripting vulnerabilities
- CVE-2015-0899: Remote attackers can bypass intended access restrictions via a modified page parameter
Resolution
Impact to Liferay
For customers on Liferay DXP 7.0 and 7.1: these vulnerabilities primarily affect Liferay Portal 6.2, and the fixes are already incorporated into the DXP platform.
Concerning CVE-2016-1182, Liferay DXP does not use Struts validation messages.
Concerning CVE-2016-1181 and the related issue CVE-2015-0899, Liferay DXP and Liferay Portal are not vulnerable because neither product uses Struts forms or stores them in the session.
Impact to Customers
A possible fix may break some custom applications because support for Struts validation output messages has been removed.
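To find custom plugins that still depend on the removed Struts behaviour before upgrading, here is an added example (not Liferay code): it scans a plugin tree for Struts 1 form-beans, actions whose form is session-scoped (the Struts 1 default when no `scope` attribute is set), and JSPs using the `<html:errors>` / `<html:messages>` tags. The sample plugin files it builds are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path
import xml.etree.ElementTree as ET

# Struts 1 tags that render validation output messages.
MESSAGE_TAGS = re.compile(r"<html:(errors|messages)\b", re.IGNORECASE)

def scan_struts_config(path: Path) -> dict:
    # Collect declared form-beans and actions whose ActionForm lives in the session.
    root = ET.parse(path).getroot()
    form_beans = [fb.get("name") for fb in root.iter("form-bean")]
    session_actions = [a.get("path") for a in root.iter("action")
                       if a.get("name") and a.get("scope", "session") == "session"]
    return {"form_beans": form_beans, "session_scoped_actions": session_actions}

def scan_jsps(root: Path) -> dict:
    # Map each JSP to the line numbers that render Struts validation messages.
    hits = {}
    for jsp in root.rglob("*.jsp"):
        lines = [n for n, line in enumerate(jsp.read_text().splitlines(), 1)
                 if MESSAGE_TAGS.search(line)]
        if lines:
            hits[jsp.name] = lines
    return hits

def scan_plugin(root: Path) -> dict:
    report = {"form_beans": [], "session_scoped_actions": []}
    for cfg in root.rglob("struts-config*.xml"):
        found = scan_struts_config(cfg)
        report["form_beans"] += found["form_beans"]
        report["session_scoped_actions"] += found["session_scoped_actions"]
    report["message_tag_hits"] = scan_jsps(root)
    return report

# Constructed sample plugin: one form-bean, one session-scoped action,
# one request-scoped action, one action without a form, and a JSP using <html:errors/>.
SAMPLE_STRUTS_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<struts-config>
  <form-beans><form-bean name="registrationForm" type="com.example.RegistrationForm"/></form-beans>
  <action-mappings>
    <action path="/register" name="registrationForm" validate="true" type="com.example.RegisterAction"/>
    <action path="/search" name="registrationForm" scope="request" type="com.example.SearchAction"/>
    <action path="/about" type="com.example.AboutAction"/>
  </action-mappings>
</struts-config>
"""
SAMPLE_JSP = """<%@ taglib uri="http://struts.apache.org/tags-html" prefix="html" %>
<html:form action="/register">
  <html:errors/>
  <html:text property="email"/>
</html:form>
"""

def build_sample_plugin() -> Path:
    root = Path(tempfile.mkdtemp(prefix="liferay-plugin-"))
    (root / "WEB-INF").mkdir()
    (root / "WEB-INF" / "struts-config.xml").write_text(SAMPLE_STRUTS_CONFIG)
    (root / "register.jsp").write_text(SAMPLE_JSP)
    return root

if __name__ == "__main__":
    print(scan_plugin(build_sample_plugin()))
```

Every reported form-bean, session-scoped action and message-tag line is a spot to review in the custom plugin before deploying it on DXP 7.0/7.1.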