- As a customer, should I mitigate the risks posed by the vulnerability "CVE-2023-29017: Critical RCE vulnerability in VM2 Sandbox library"?
This vulnerability is rated 10, the highest score in the CVSS system, as it could be exploited remotely and the attack complexity is low. The vulnerability exists due to improper handling of host objects passed to `Error.prepareStackTrace` in case of unhandled async errors.
Successful exploitation of this vulnerability may allow a remote attacker to bypass the sandbox protections to gain remote code execution rights on the hypervisor host or the host running the sandbox, run shell commands and perform unauthorized actions on the machine hosting the sandbox.
VM2 versions 3.9.14 and earlier are impacted by this vulnerability.
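
A dependency check for the affected range stated above, as an added example that is not Liferay's or the vm2 project's code: it scans a parsed npm `package-lock.json` for vm2 installs at version 3.9.14 or earlier, covering both the flat `packages` map and the nested `dependencies` tree. The function names and the sample lockfile are assumptions constructed for illustration.

```javascript
// Added example: flag vm2 installs at or below the last affected version on this page.
const LAST_AFFECTED = [3, 9, 14]; // from the advisory text: "3.9.14 and earlier"

// Parse "major.minor.patch" into numbers, ignoring any -prerelease/+build suffix.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when version <= 3.9.14; unparsable versions are reported for manual review.
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return true;
  for (let i = 0; i < 3; i++) {
    if (p[i] !== LAST_AFFECTED[i]) return p[i] < LAST_AFFECTED[i];
  }
  return true; // exactly 3.9.14
}

// Walk a parsed package-lock.json and return every affected vm2 install.
function findAffectedVm2(lock) {
  const hits = new Map(); // install path -> version, de-duplicated across formats
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/vm2$/.test(path) && isAffected(meta.version)) {
      hits.set(path, meta.version);
    }
  }
  // lockfileVersion 1 (also mirrored in version 2 files): nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'vm2' && isAffected(meta.version)) hits.set(path, meta.version);
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return [...hits].map(([path, version]) => ({ path, version }));
}

// Constructed sample lockfile (not from any real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/vm2': { version: '3.9.14' },
    'node_modules/runner/node_modules/vm2': { version: '3.9.15' },
  },
};
console.log(findAffectedVm2(sampleLock));
```

An empty result means no vm2 install in the affected range appears in that lockfile; it says nothing about copies installed outside npm's lockfile.
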
- Liferay LXC-SM
- Liferay LXC
- DXP Cloud
- Liferay DXP 7.0+
- Liferay DXP, Liferay Cloud, LXC-SM and LXC do not use (or install) the VM2 library; therefore, we are not vulnerable. This issue does not affect them.
This is a list of Third-party software distributed with the product.