Liferay Docker Image Security Policy

Images on DockerHub

This security policy applies to the Liferay base docker images, as well as the Liferay DXP docker images published on Docker Hub.

Note on image tags: For a breakdown of Liferay's docker image tag naming convention see Liferay DXP Docker Image Tags

Detecting and Classifying Vulnerabilities

Liferay references the National Vulnerability Database in order to identify and track vulnerabilities. Each vulnerability is given a CVSS 3 Base Score, which is then translated into a severity based on the table below.

Severity    Base Score Range
None        0.0
Low         0.1-3.9
Medium      4.0-6.9
High        7.0-8.9
Critical    9.0-10.0

For more details please see NVD - Vulnerability Metrics (nist.gov)

Note: Liferay reserves the right to raise or lower the final severity based on the nature of the vulnerability and other factors even if the raw CVSS score would indicate a different level.

Once the vulnerability has been mapped to an appropriate severity level, it is further classified into one of the following three categories.

  1. OS: Linux - The vulnerability lies within the docker image's Linux Operating System.

  2. Servlet container: Tomcat - The vulnerability lies within the docker image's Tomcat servlet container.

  3. Product: Liferay DXP - The vulnerability lies within the Liferay DXP product itself, running on the image.

Linux security policy

Liferay uses Ubuntu as the Linux OS in our docker images. Each docker image that is published contains all of the currently available security updates for Ubuntu at that time. When a new vulnerability is identified, Liferay will add security updates based on the severity of the issues.

Low-Medium Severity

Vulnerabilities with a Low to Medium severity will be fixed based on the availability of the patch for the current distribution of Ubuntu used in the docker image.

Fix availability can be checked on the Ubuntu Security site for the given CVE (e.g. CVE-2021-4034 | Ubuntu).

When the patch is available, please contact Liferay Support and request a rebuilt version of the DXP image in question, updated with the security fix.

High-Critical Severity

Vulnerabilities with a High to Critical severity are automatically detected by Liferay's Security team. Once the fix is available, all the affected images will be rebuilt and published to Docker Hub with a newer timestamp in the image tag.

Tomcat security policy

When a fix for a Tomcat vulnerability is available, Liferay will update to a new Tomcat release based on the severity of the issue. We will prioritize Critical, High and Medium fixes.

This process requires QA testing to ensure that Liferay DXP will run on the newer version without issues. If any errors occur during testing, the upgrade will be paused while the errors are addressed, and the upgrade process will resume once they are resolved.

Once all tests pass, the new Tomcat version will be applied to the next release of Liferay DXP for the affected versions. A new docker image will be published containing the update for each affected version.

Liferay DXP security policy

Security vulnerabilities within the Liferay DXP product itself are handled per the following policies.
