Spring Framework Security Vulnerabilities: CVE-2018-1270, CVE-2018-1271, CVE-2018-1272

QUESTION: How are Liferay Digital Enterprise 7.0 and Liferay Portal affected by the Spring Framework Vulnerabilities: CVE-2018-1270, CVE-2018-1271, and CVE-2018-1272?

Resolution

Impact to Liferay

CVE-2018-1270: Liferay Portal 6.2 and Digital Enterprise 7.0 are not affected because they are not bundled with spring-messaging. CVE-2018-1275 is a partial fix for CVE-2018-1270.

CVE-2018-1271: Liferay Portal 6.2 and Digital Enterprise 7.0 are not affected because they are not bundled with spring-webmvc.

CVE-2018-1272: Liferay platforms are not bundled with the spring-webflux module. Spring is not used to handle requests.

Impact to Customers

Any custom applications attempting to use the bundled spring-webmvc 4.1.9 through OSGi and configuring those components to serve static resources may be affected (CVE-2018-1271).
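One way to audit custom modules for the condition described above, as an added example that is not Liferay's or Spring's own tooling: it flags a JAR/WAR whose OSGi manifest imports the spring-webmvc package and which also contains Spring MVC static-resource configuration. The marker list is a heuristic assumption, and the sample bundle (symbolic name, paths, version range) is constructed for illustration.

```python
import io
import re
import zipfile

# Heuristic markers of Spring MVC static-resource serving: the XML element and
# the class names as they appear in compiled .class constant pools (assumption).
MARKERS = (b"<mvc:resources", b"ResourceHttpRequestHandler", b"ResourceHandlerRegistry")
WEBMVC_PACKAGE = "org.springframework.web.servlet"


def unfold_manifest(raw: bytes) -> str:
    """Join manifest continuation lines (a line break followed by one space)."""
    return re.sub(r"\r?\n ", "", raw.decode("utf-8", "replace"))


def audit_bundle(jar) -> dict:
    """Report whether a JAR/WAR imports spring-webmvc and serves static resources."""
    result = {"imports_webmvc": False, "static_resource_hits": []}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name.upper() == "META-INF/MANIFEST.MF":
                # Headers wrap at 72 bytes, so unfold before searching.
                headers = unfold_manifest(data)
                m = re.search(r"^Import-Package:(.*)$", headers, re.M)
                result["imports_webmvc"] = bool(m and WEBMVC_PACKAGE in m.group(1))
            elif name.endswith((".xml", ".class")) and any(k in data for k in MARKERS):
                result["static_resource_hits"].append(name)
    # Both conditions together warrant a manual review for CVE-2018-1271.
    result["review"] = result["imports_webmvc"] and bool(result["static_resource_hits"])
    return result


def build_sample_bundle() -> io.BytesIO:
    """Constructed sample: a custom OSGi bundle with a folded Import-Package header."""
    manifest = (
        "Manifest-Version: 1.0\r\n"
        "Bundle-SymbolicName: com.example.custom.portlet\r\n"
        "Import-Package: javax.servlet,org.springframework.web.serv\r\n"
        " let;version=\"[4.1,5)\"\r\n"
    )
    context = b'<beans><mvc:resources mapping="/static/**" location="/static/"/></beans>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("WEB-INF/spring/context.xml", context)
    return buf


if __name__ == "__main__":
    print(audit_bundle(build_sample_bundle()))
```

A hit means the module deserves a manual look at how its resource handlers are configured; it is not proof of exposure.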
