Images on Docker Hub
This security policy applies to the Liferay base docker images, as well as the Liferay DXP docker images published on Docker Hub.
Note on image tags: For a breakdown of Liferay's docker image tag naming convention, see Liferay DXP Docker Image Tags.
Detecting and Classifying Vulnerabilities
Liferay references the National Vulnerability Database (NVD) to identify and track vulnerabilities. Each vulnerability carries a CVSS 3 Base Score, which is translated into a severity using the table below.
Severity | CVSS 3 Base Score
None | 0.0
Low | 0.1-3.9
Medium | 4.0-6.9
High | 7.0-8.9
Critical | 9.0-10.0
For more details, please see NVD - Vulnerability Metrics (nist.gov).
Note: Liferay reserves the right to raise or lower the final severity based on the nature of the vulnerability and other factors even if the raw CVSS score would indicate a different level.
Once the vulnerability has been mapped to an appropriate severity level, it is further classified into one of the following three categories.
- OS: Linux - The vulnerability lies within the docker image's Linux operating system.
- Servlet container: Tomcat - The vulnerability lies within the docker image's Tomcat servlet container.
- Product: Liferay DXP - The vulnerability lies within the Liferay DXP product itself, running on the image.
Linux security policy
Liferay uses Ubuntu as the Linux OS in its docker images. Each published docker image contains all of the security updates available for Ubuntu at the time it is built. When a new vulnerability is identified, Liferay adds security updates according to the severity of the issue.
Low-Medium Severity
Vulnerabilities with a Low to Medium severity are fixed based on the availability of a patch for the Ubuntu release used in the docker image.
Fix availability can be checked on Ubuntu's security site for the given CVE (e.g. CVE-2021-4034 | Ubuntu).
When the patch is available, please contact Liferay Support and request a rebuilt version of the DXP image in question, updated with the security fix.
High-Critical Severity
Vulnerabilities with a High to Critical severity are detected automatically by Liferay's Security team. Once the fix is available, all affected images are rebuilt and published to Docker Hub with a newer timestamp in the image tag.
Tomcat security policy
When a fix for a Tomcat vulnerability is available, Liferay updates to a new Tomcat release based on the severity of the issue. Critical, High and Medium fixes are prioritized.
This process requires QA testing to ensure that Liferay DXP runs on the newer version without issues. If any errors occur during testing, the upgrade is paused while the errors are addressed and resumed once they are resolved.
Once all tests pass, the new Tomcat version is applied to the next release of Liferay DXP for each affected version, and a new docker image containing the update is published for each of them.
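The Linux and Tomcat sections above both leave one practical question open: after a rebuilt image arrives, how does an operator confirm it actually carries the fix? The following Python script is an added example (not Liferay's code or tooling) that answers it for both cases. It ports dpkg's version-ordering rules so an Ubuntu package version from the image can be compared against the fixed version listed on the Ubuntu CVE page, and reuses the same comparator for the bundled Tomcat release against the release named in a Tomcat advisory. The package listing and fix table are constructed sample data; in practice the listing comes from `docker run --rm <image:tag> dpkg-query -W -f '${Package} ${Version}\n'` and the Tomcat version from `catalina.sh version` inside the container. The image name, the `CVE-EXAMPLE-0001` entry and the fixed-version strings are placeholders.

```python
r"""Check an image's Ubuntu package and Tomcat versions against known fix versions.

Added example, not Liferay's code. Inputs are constructed: the dpkg listing stands
in for `docker run --rm <image:tag> dpkg-query -W -f '${Package} ${Version}\n'`,
and the fix table stands in for versions read from the Ubuntu CVE pages and the
Apache Tomcat security pages.
"""


def _order(c):
    """dpkg character weight: '~' sorts before everything (even end of string),
    letters before other symbols; digits and end-of-string weigh 0."""
    if c == "" or c.isdigit():
        return 0
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _at(s, k):
    """Character k of s, or '' past the end (mirrors the C string terminator)."""
    return s[k] if k < len(s) else ""


def _cmp_fragment(a, b):
    """Port of dpkg's verrevcmp(): alternate non-digit runs (compared by weight)
    and digit runs (compared numerically, leading zeros ignored)."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (_at(a, i) and not _at(a, i).isdigit()) or (_at(b, j) and not _at(b, j).isdigit()):
            ac, bc = _order(_at(a, i)), _order(_at(b, j))
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        while _at(a, i) == "0":
            i += 1
        while _at(b, j) == "0":
            j += 1
        first_diff = 0
        while _at(a, i).isdigit() and _at(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if _at(a, i).isdigit():   # a has more digits: a is the larger number
            return 1
        if _at(b, j).isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(v1, v2):
    """Return -1, 0 or 1 with the same ordering as `dpkg --compare-versions`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def parse_dpkg_listing(text):
    """Parse 'package version' lines into a dict."""
    return dict(line.split() for line in text.strip().splitlines())


def unpatched(installed, fixes):
    """List (cve, package, installed_version, fixed_version) for each advisory whose
    package is present in the image at a version below the fixed one."""
    findings = []
    for cve, packages in fixes.items():
        for package, fixed in packages.items():
            have = installed.get(package)
            if have is not None and compare_versions(have, fixed) < 0:
                findings.append((cve, package, have, fixed))
    return findings


def tomcat_below_fix(installed, fixed):
    """True when the bundled Tomcat (e.g. '9.0.62' from `catalina.sh version`) is
    older than the release named in the advisory; dotted releases order correctly
    under the dpkg rules, so the same comparator is reused."""
    return compare_versions(installed, fixed) < 0


# Constructed listing standing in for the image's dpkg-query output.
SAMPLE_DPKG = """\
libc6 2.31-0ubuntu9.9
policykit-1 0.105-26ubuntu1.1
openssl 1.1.1f-1ubuntu2.16
"""

# Constructed fix table; fixed-version strings are placeholders to be taken from
# the Ubuntu CVE page for the image's release. CVE-EXAMPLE-0001 is a dummy id.
SAMPLE_FIXES = {
    "CVE-2021-4034": {"policykit-1": "0.105-26ubuntu1.2"},
    "CVE-EXAMPLE-0001": {"openssl": "1.1.1f-1ubuntu2.16"},
}

if __name__ == "__main__":
    for finding in unpatched(parse_dpkg_listing(SAMPLE_DPKG), SAMPLE_FIXES):
        print("%s: %s %s is below fixed version %s" % finding)
    print("Tomcat 9.0.62 below 9.0.65:", tomcat_below_fix("9.0.62", "9.0.65"))
```

Run against the sample data it reports only the policykit-1 package, since the openssl entry already matches its fixed version; a package absent from the image is not reported at all, which is the right outcome for advisories that do not apply to the image.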
Liferay DXP security policy
Security vulnerabilities within the Liferay DXP product itself are handled per the following policies.