Issue
- A known vulnerability in Google Guava affects versions 1.0 to 31.1. Liferay is currently bundled with Guava. It has been reported that osb-distributed-messaging-google-pubsub-connector declares a dependency on Guava 30.1.1, which is affected by a known vulnerability, CVE-2023-2976.
Environment
- Liferay 7.2+
Resolution
- It is recommended to upgrade to a Liferay environment that has Guava version 32+ in order to avoid the vulnerability. Liferay 7.4 U92 uses Guava 32.0.1 and is the earliest update that would mitigate this vulnerability.
- To check which version of Guava a Liferay bundle is using, run the following command in the Liferay terminal from your Liferay Home:

    grep -r 'guava'
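The check above can be taken one step further, as an added example that is not part of the original article or of Liferay's tooling: it finds Guava jars by file name under a directory and flags any whose major version is below 32, the threshold given in the Resolution. The `guava-<version>.jar` naming and the function names are assumptions, and jars nested inside other archives are not inspected.

```shell
#!/bin/sh
# Added example: flag Guava jars below major version 32 (threshold from the article).
# Assumes jars are named guava-<version>.jar, e.g. guava-30.1.1-jre.jar.

# Print the major version parsed from a Guava jar file name; fail if not numeric.
guava_major() {
    base=$(basename "$1")
    ver=${base#guava-}      # strip the "guava-" prefix
    ver=${ver%.jar}         # strip the ".jar" suffix
    major=${ver%%.*}        # keep everything before the first dot
    case "$major" in
        ''|*[!0-9]*) return 1 ;;   # e.g. guava-testlib-..., old rNN releases
    esac
    printf '%s\n' "$major"
}

# Print "STATUS path" for every Guava jar found under the given directory.
scan_guava() {
    find "${1:-.}" -type f -name 'guava-*.jar' | sort | while IFS= read -r jar; do
        if major=$(guava_major "$jar"); then
            if [ "$major" -ge 32 ]; then status=OK; else status=VULNERABLE; fi
        else
            status=UNKNOWN      # version could not be parsed; review by hand
        fi
        printf '%s %s\n' "$status" "$jar"
    done
}

# Succeed only if no jar under the directory is VULNERABLE or UNKNOWN.
guava_ok() {
    ! scan_guava "$1" | grep -qv '^OK '
}

# Demo on a constructed tree of empty files (not real Liferay output).
demo=$(mktemp -d)
: > "$demo/guava-30.1.1-jre.jar"
: > "$demo/guava-32.0.1-jre.jar"
scan_guava "$demo"
rm -rf "$demo"
```

To use it on a real bundle, call `scan_guava` with your Liferay Home as the argument; `guava_ok` gives a pass/fail exit status suitable for a scheduled check.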