RE: Sonatype High Hibernate CVE-2020-25638 in Liferay 7.4 GA19

Kevin Matthews, modified 3 years ago. Expert. Posts: 253. Join Date: 1/25/16

Hello, we did a Sonatype scan against Liferay 7.4.3.19 GA19 and found that the Hibernate component com.liferay:org.hibernate.core:3.6.10.LIFERAY-PATCHED-6 is flagged as vulnerable. It's also shown in Maven as a vulnerable component: https://mvnrepository.com/artifact/org.hibernate/hibernate-core/3.6.10.Final. Will Liferay be sending a GA release that upgrades to a non-vulnerable Hibernate component? For example, using Hibernate Core 6.0.0, which is not vulnerable.


Thanks,

Kevin
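The finding above illustrates a recurring SCA triage problem: the scanner matches on the numeric version (3.6.10), while the artifact is a vendor rebuild with a qualifier (LIFERAY-PATCHED-6) and a relocated group/artifact, so the result may or may not carry the upstream fix. The following script is an added example, not code from this thread or from Liferay or Sonatype. It parses Maven coordinates into numeric segments and qualifier, maps the relocated coordinate back to the upstream artifact, compares against a fixed-in version, and routes vendor-patched builds to manual verification instead of auto-closing or auto-accepting them. The alias table, the marker list, and the fixed-in version threshold are assumptions of the example; take the real threshold from the advisory you are triaging against.

```python
import re
from typing import Dict, List, Tuple

# Constructed alias table: vendor-relocated coordinates mapped back to the
# upstream artifact that advisories are written against. Both coordinates
# appear in the thread; the mapping itself is an assumption of this example.
FORK_ALIASES: Dict[str, str] = {
    "com.liferay:org.hibernate.core": "org.hibernate:hibernate-core",
}

# Qualifier fragments that indicate a vendor rebuild which may carry backported
# fixes. The scanner matches on the numeric version, so these need human triage.
VENDOR_PATCH_MARKERS = ("PATCHED", "LIFERAY", "REDHAT")

# Assumed fixed-in version for the example; confirm against the advisory.
FIXED_IN = "5.4.24.Final"
AFFECTED_ARTIFACT = "org.hibernate:hibernate-core"


def parse_version(version: str) -> Tuple[Tuple[int, ...], str]:
    """Split a Maven version into numeric segments and a textual qualifier.

    '3.6.10.LIFERAY-PATCHED-6' -> ((3, 6, 10), 'LIFERAY-PATCHED-6')
    '5.4.24.Final'             -> ((5, 4, 24), 'Final')
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[.-](.+))?$", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return numbers, m.group(2) or ""


def pad(numbers: Tuple[int, ...], width: int = 4) -> Tuple[int, ...]:
    """Right-pad with zeros so (3, 6) and (3, 6, 0) compare equal."""
    return numbers + (0,) * (width - len(numbers))


def is_vendor_patched(qualifier: str) -> bool:
    """True when the qualifier marks a vendor rebuild rather than a stock release."""
    return any(marker in qualifier.upper() for marker in VENDOR_PATCH_MARKERS)


def triage(coordinate: str, fixed_in: str = FIXED_IN,
           affected_artifact: str = AFFECTED_ARTIFACT) -> Dict[str, str]:
    """Classify one group:artifact:version coordinate against an advisory."""
    group, artifact, version = coordinate.split(":")
    ga = f"{group}:{artifact}"
    upstream = FORK_ALIASES.get(ga, ga)
    numbers, qualifier = parse_version(version)
    fixed_numbers, _ = parse_version(fixed_in)

    if upstream != affected_artifact:
        status = "not_applicable"             # a different library entirely
    elif pad(numbers) >= pad(fixed_numbers):
        status = "not_affected"               # at or above the upstream fix
    elif is_vendor_patched(qualifier):
        status = "needs_manual_verification"  # vendor rebuild: confirm the backport
    else:
        status = "affected"                   # stock upstream build below the fix

    return {"coordinate": coordinate, "upstream": upstream,
            "qualifier": qualifier, "status": status}


def triage_all(coordinates: List[str]) -> List[Dict[str, str]]:
    """Triage a list of coordinates, e.g. the components listed in an SBOM."""
    return [triage(c) for c in coordinates]


if __name__ == "__main__":
    # Constructed sample input resembling what an SCA report lists.
    sample = [
        "com.liferay:org.hibernate.core:3.6.10.LIFERAY-PATCHED-6",
        "org.hibernate:hibernate-core:3.6.10.Final",
        "org.hibernate:hibernate-core:6.0.0",
        "org.example:other-lib:1.0",
    ]
    for row in triage_all(sample):
        print(f"{row['status']:<28} {row['coordinate']}")
```

The point of the three-way split is that a vendor-patched qualifier is neither proof of exposure nor proof of remediation: the scanner's match is correct on the numeric version, and only the vendor's patch notes or a diff of the rebuilt artifact can settle it, so the script leaves that row open for a person.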

Lee Jordan, modified 3 years ago. Expert. Posts: 449. Join Date: 5/26/15

You can disclose security issues at issues.liferay.com and use either the private or secure drop-down to keep bots away.

Kevin Matthews, modified 3 years ago. Expert. Posts: 253. Join Date: 1/25/16

Sure, will try that approach. Thanks.

Kevin Matthews, modified 3 years ago. Expert. Posts: 253. Join Date: 1/25/16

Created a Jira ticket. Do you know if I will get a response from Liferay?

Kevin Matthews, modified 3 years ago. Expert. Posts: 253. Join Date: 1/25/16

Created the ticket. How soon will I get an answer?