QUESTION: How are Liferay Digital Enterprise 7.0 and Liferay Portal affected by the Spring Framework Vulnerabilities: CVE-2018-1270, CVE-2018-1271, and CVE-2018-1272?
Resolution
Impact to Liferay
CVE-2018-1270: Liferay Portal 6.2 and Digital Enterprise 7.0 are not affected because they are not bundled with spring-messaging. CVE-2018-1275 is a partial fix for CVE-2018-1270.
CVE-2018-1271: Liferay Portal 6.2 and Digital Enterprise 7.0 are not affected because they are not bundled with spring-webmvc.
CVE-2018-1272: Liferay platforms are not bundled with the spring-webflux module. Spring is not used to handle requests.
Impact to Customers
Custom applications that use the bundled spring-webmvc 4.1.9 through OSGi and configure those components to serve static resources may be affected (CVE-2018-1271).
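
To check a deployment against the statements above, the following added example (not Liferay's code or tooling) inventories the three Spring modules named in this article across a directory tree, including JARs nested inside WAR or LPKG archives. It matches by file name only, so a module repackaged under another name is not detected; the archive extensions and function names are assumptions of this example.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Modules named in the article, mapped to the CVE each relates to.
MODULES = {"spring-messaging": "CVE-2018-1270",
           "spring-webmvc": "CVE-2018-1271",
           "spring-webflux": "CVE-2018-1272"}
# Assumption: archive types worth opening in a Liferay deployment.
ARCHIVE_EXT = (".jar", ".war", ".ear", ".lpkg", ".zip")
# A digit must follow the module name, so spring-webmvc-portlet is not matched.
JAR_NAME = re.compile(r"^(spring-(?:messaging|webmvc|webflux))-(\d[\w.\-]*)\.jar$")

def classify(name):
    """Return (module, version, cve) when the file name is one of MODULES."""
    m = JAR_NAME.match(name.replace("\\", "/").rsplit("/", 1)[-1])
    return (m.group(1), m.group(2), MODULES[m.group(1)]) if m else None

def scan_archive(data, label, depth=3):
    """Yield (location, module, version, cve) for matches inside an archive."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # unreadable archive: skipped, not treated as clean
    with zf:
        for entry in zf.namelist():
            location = f"{label}!/{entry}"
            hit = classify(entry)
            if hit:
                yield (location, *hit)
            elif depth > 0 and entry.lower().endswith(ARCHIVE_EXT):
                yield from scan_archive(zf.read(entry), location, depth - 1)

def scan_tree(root):
    """Walk a directory and list every matching module, nested or not."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.name.lower().endswith(ARCHIVE_EXT):
            hit = classify(path.name)
            if hit:
                findings.append((str(path), *hit))
            else:
                findings.extend(scan_archive(path.read_bytes(), str(path)))
    return findings

if __name__ == "__main__":
    for loc, module, version, cve in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{cve}  {module} {version}  {loc}")
```

A hit only shows that the module is present; whether a custom application is exposed still depends on how it is configured, for example whether it serves static resources through spring-webmvc.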