Images on DockerHub
This security policy applies to the Liferay base docker images, as well as the Liferay DXP docker images published on Docker Hub.
Note on image tags: For a breakdown of Liferay's docker image tag naming convention see Liferay DXP Docker Image Tags
Detecting and Classifying Vulnerabilities
Liferay references the National Vulnerability Database in order to identify and track vulnerabilities. Each vulnerability is given a CVSS 3 Base Score, which is then translated into a severity based on the table below.
Severity | CVSS 3 Base Score
None | 0.0
Low | 0.1-3.9
Medium | 4.0-6.9
High | 7.0-8.9
Critical | 9.0-10.0
For more details, please see NVD - Vulnerability Metrics (nist.gov).
Note: Liferay reserves the right to raise or lower the final severity based on the nature of the vulnerability and other factors even if the raw CVSS score would indicate a different level.
Once the vulnerability has been mapped to an appropriate severity level, it is further classified into one of the following three categories.
- OS: Linux - The vulnerability lies within the docker image's Linux Operating System.
- Servlet container: Tomcat - The vulnerability lies within the docker image's Tomcat servlet container.
- Product: Liferay DXP - The vulnerability lies within the Liferay DXP product itself, running on the image.
Liferay will proactively scan the containers and fix issues for DXP versions in the Premium Support phase.
Linux security policy
Liferay uses Ubuntu as the Linux OS in our docker images. Each docker image that is published contains all of the security updates available for Ubuntu at the time of publishing. When a new vulnerability is identified, security updates are applied based on the severity of the issue.
The OS will be upgraded frequently so that the latest libraries and packages are included.
In some cases, Liferay will patch the OS packages by recompiling libraries. These are to be deployed exclusively within enterprise (DXP) image distributions. Customers may submit support tickets to request fixes in accordance with the aforementioned guidelines.
Community administrators can update the containers themselves at their own pace, as no new releases are provided for Liferay Portal images. We recommend adding a build step before deployment to update the OS.
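The following Dockerfile is an added example of such a build step; it is not from Liferay's documentation or image sources. It assumes the community image is pulled from the `liferay/portal` repository on Docker Hub (the tag is a placeholder to replace with the one you deploy) and that the image's unprivileged runtime user is named `liferay`; verify both against the image you use.

```dockerfile
# Added example (not Liferay's own build): rebuild a community Liferay Portal
# image with the currently available Ubuntu package updates applied on top.
# Base repository/tag is an assumption; substitute the tag you actually deploy.
FROM liferay/portal:latest

# Package updates need root; the base image runs as an unprivileged user.
USER root

# Refresh the package index, apply every available upgrade non-interactively,
# then remove the apt cache so the update layer stays as small as possible.
RUN apt-get update \
 && DEBIAN_FRONTEND=noninteractive apt-get upgrade -y \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/*

# Drop back to the image's unprivileged runtime user (assumed to be "liferay").
USER liferay
```

Build it with `docker build -t myorg/portal-updated .` and rebuild on a schedule (or whenever Ubuntu publishes a security update), since the updates are frozen into the image at build time. To confirm the step did its job, run `apt list --upgradable` inside the built image: an empty list means no known package update is outstanding for that Ubuntu release.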
Vulnerability management services are provided for customers on Premium Security Package on Liferay PaaS - these clients will receive notifications monthly about fixed issues in their containers. For customers who don’t leverage this offering, it is recommended to monitor regularly and autonomously.
Low-Medium Severity
If a Low to Medium severity vulnerability patch is available for the current distribution of Ubuntu used in the Docker image in question, a security fix can be requested by contacting Liferay Support. Proactive remediation is limited to vulnerabilities with a severity rating of 'high' and 'critical'.
The fix availability can be checked on the Security site of Ubuntu for the given CVE (e.g. CVE-2021-4034 | Ubuntu).
In such cases, please contact Liferay Support and request a rebuilt version of the DXP image in question, updated with the security fix.
For vulnerabilities which have no corresponding Ubuntu patch available, but can be reproduced using Liferay’s software (e.g. container failure can be reproduced through an uploaded document to the Document Library), resolution will be determined based on a case-by-case evaluation.
High-Critical Severity
To ensure the security of DXP deployments, Liferay will provide fixes for Critical and High severity vulnerabilities identified in Docker images running DXP versions which benefit from Premium Support or Extended Premium Support, regardless of the availability of an Ubuntu package fix.
These images will be rebuilt and published to Docker Hub with a newer timestamp in the image tag.
Tomcat security policy
When a fix for a Tomcat vulnerability is available, Liferay will update to a new Tomcat release based on the severity of the issue. We will prioritize Critical, High and Medium fixes.
Liferay will only fix Tomcat issues by updating it in conjunction with DXP, which means customers will need to update to the latest DXP patch release in order to receive the Tomcat updates.
This process requires QA testing to ensure that Liferay DXP will run on the newer version without issues. If any errors occur during testing, the upgrade will be paused while the errors are addressed, at which point the upgrade process will resume.
Once all tests pass, the new Tomcat version will be applied to the next release of Liferay DXP for the affected versions. A new docker image will be published containing the update for each affected version.
Liferay DXP security policy
Security vulnerabilities within the Liferay DXP product itself are handled per the following policies.