RE: RE: Spring4Shell bug CVE-2022-22965 and Liferay 7.4

Kevin Matthews, modified 3 Years ago. Expert Posts: 253 Join Date: 1/25/16 Recent Posts

For the Spring4Shell bug CVE-2022-22965 see the link below. Are there plans for Liferay to upgrade to Spring Framework 5.3.18 and 5.2.20? I know the Spring team mentioned the workaround is downgrading to Java 8, upgrading Tomcat and disallowing fields.

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#am-i-impacted
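The "disallowing fields" workaround referred to above is the data-binder denylist Spring published in that announcement; the class below is an added illustration of it for readers of this thread, not Liferay's own fix (which is tracked separately). It assumes a Spring MVC application on a vulnerable framework version that cannot yet be upgraded, and is a stopgap only: a controller that declares its own `@InitBinder` and overwrites the disallowed fields would bypass it, so upgrading to a fixed Spring Framework remains the real remediation.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Global data-binder hardening for CVE-2022-22965 on unpatched Spring versions.
 *
 * Binding a request parameter path that walks through "class" (e.g. into the
 * ClassLoader) is what the vulnerability abuses; refusing such property paths
 * at binding time blocks that route without touching individual controllers.
 * LOWEST_PRECEDENCE makes this advice run after any other @ControllerAdvice,
 * so it is not silently overridden by an earlier global binder configuration.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        // Patterns match "class"/"Class" as a top-level or nested property path.
        String[] denylist = new String[] {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

After deploying this, confirm it is active by checking that a request carrying a `class.*` parameter is rejected by the binder rather than applied, and keep the framework upgrade scheduled regardless.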

Kevin Matthews, modified 3 Years ago. Expert Posts: 367 Join Date: 9/5/14 Recent Posts

Hi Kevin,

The fix for Spring4Shell is in Master as a part of: https://issues.liferay.com/browse/LPS-150754. It appears to be in the release branch for this Friday's release GA19.

Kevin Matthews, modified 3 Years ago. Expert Posts: 253 Join Date: 1/25/16 Recent Posts

Great, thanks Jamie :)

Kevin Matthews, modified 3 Years ago. Expert Posts: 253 Join Date: 1/25/16 Recent Posts

Hi Jamie, I was able to install GA19 and verify the Spring4Shell vulnerability was gone, and there was no need to upgrade since there are no schema changes and I am going from GA18 to GA19. I know I extract the WAR and install it in the ROOT.war folder, but how do I verify that I have GA19 installed once the portal application is running? Is there something I can find in the ROOT.war or control panel?

Jamie Sammons, modified 3 Years ago. Expert Posts: 367 Join Date: 9/5/14 Recent Posts

Hi Kevin, you can find the build info in the Control Panel in Server Administration. The build info will appear at the top of the screen.

Kevin Matthews, modified 3 Years ago. Expert Posts: 253 Join Date: 1/25/16 Recent Posts

Great thanks Jamie.