Apache Struts 1 Known Vulnerabilities

QUESTION: How are Liferay DXP 7.0 and 7.1, and Liferay Portal, affected by the following vulnerabilities?

Resolution

Impact to Liferay

For customers on Liferay DXP 7.0 and 7.1, the vulnerabilities primarily affect Liferay Portal 6.2. The fixes are already incorporated into the DXP platform.

Concerning CVE-2016-1182, Liferay DXP does not use Struts validation messages.

Concerning CVE-2016-1181 and the related issue CVE-2015-0899, Liferay DXP and Portal are not vulnerable because neither product uses Struts forms or stores them in the session.

Impact to Customers

A possible fix may break some custom applications because support for Struts validation output messages has been removed.
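
An added example, not from Liferay or the original article: a Python check that inventories, in a custom application's struts-config.xml, the two conditions named above (Struts form beans, and forms kept in session scope). The sample configuration, paths and class names are constructed for illustration; treating a missing scope attribute as "session" follows the Struts 1 default.

```python
import xml.etree.ElementTree as ET

# Constructed sample struts-config.xml for a hypothetical custom plugin.
SAMPLE_CONFIG = """<struts-config>
  <form-beans>
    <form-bean name="orderForm" type="com.example.OrderForm"/>
    <form-bean name="searchForm" type="com.example.SearchForm"/>
  </form-beans>
  <action-mappings>
    <action path="/order/step1" type="com.example.OrderAction" name="orderForm"/>
    <action path="/search" type="com.example.SearchAction" name="searchForm" scope="request"/>
    <action path="/about" type="com.example.AboutAction"/>
  </action-mappings>
</struts-config>"""


def audit_struts_config(xml_text):
    """Return (form_beans, session_scoped) for a Struts 1 configuration.

    form_beans:     {bean name: implementing class} for every <form-bean>.
    session_scoped: [(action path, bean name)] for actions whose form is
                    stored in the HTTP session.
    """
    root = ET.fromstring(xml_text)
    form_beans = {fb.get("name"): fb.get("type") for fb in root.iter("form-bean")}

    session_scoped = []
    for action in root.iter("action"):
        form = action.get("name")
        if form is None:
            continue  # no ActionForm is bound to this action
        # Struts 1 uses "session" when the scope attribute is omitted.
        if action.get("scope", "session") == "session":
            session_scoped.append((action.get("path"), form))
    return form_beans, session_scoped


if __name__ == "__main__":
    beans, in_session = audit_struts_config(SAMPLE_CONFIG)
    print("Form beans declared:", sorted(beans))
    for path, form in in_session:
        print(f"Session-scoped form: action {path} -> {form}")
```

An empty result for both lists means the application matches the conditions the article gives for DXP and Portal; any entries identify custom code to review before and after applying a fix.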
