Security Issue Concerning Google Guava Versions 1.0 to 32
Adrienne Lao
Updated
Issue
A vulnerability in Google Guava affects versions 1.0 through 31.1. Liferay is currently bundled with Guava. It has been reported that osb-distributed-messaging-google-pubsub-connector declares a dependency on Guava 30.1.1, which has a known vulnerability, CVE-2023-2976.
Environment
Liferay 7.2+
Resolution
It is recommended to upgrade to a Liferay environment that includes Guava version 32+ in order to avoid the vulnerability. Liferay 7.4 U92 uses Guava 32.0.1 and is the earliest update that mitigates this vulnerability.
To check which version of Guava a Liferay bundle is using, the following command can be run in the Liferay terminal from your Liferay Home.
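As an added example (not the command from the original article and not Liferay code), the script below walks a directory tree, finds Guava jars by file name and flags any version below the 32 threshold this article gives. The jar naming pattern guava-<version>[-jre|-android].jar and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: classify Guava jars found on disk against the article's
# threshold (versions below 32 are affected by CVE-2023-2976).
# Assumption: jars follow the Maven naming guava-<version>[-jre|-android].jar.

# guava_status VERSION -> prints "vulnerable", "ok" or "unknown"
guava_status() {
    local ver="${1%%-*}"      # drop a -jre / -android flavour suffix
    local major="${ver%%.*}"  # keep the leading numeric component
    case "$major" in
        ''|*[!0-9]*) echo "unknown"; return 0 ;;  # e.g. legacy r09 names
    esac
    if [ "$major" -lt 32 ]; then
        echo "vulnerable"
    else
        echo "ok"
    fi
}

# scan_guava DIR -> one line per jar: "<status> <version> <path>"
scan_guava() {
    local root="$1" jar name ver
    find "$root" -type f -name 'guava-[0-9]*.jar' 2>/dev/null | sort |
    while IFS= read -r jar; do
        name="$(basename "$jar" .jar)"
        ver="${name#guava-}"
        printf '%s %s %s\n' "$(guava_status "$ver")" "$ver" "$jar"
    done
}

# Run a scan only when a directory is passed, e.g. the Liferay Home path.
if [ "$#" -gt 0 ]; then
    scan_guava "$1"
fi
```

Only jar file names on disk are inspected; a Guava copy embedded inside another archive, or a dependency that is only declared by a module, is not detected by this scan.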