RE: Is the latest released Portal Docker image vulnerable to CVE-2025-24813?
Hey everyone,
I am currently running the Liferay Portal image locally for a PoC but since patching would be an issue in a production environment I am curious about the support structure here.
Does anyone know if the latest released Docker image (https://hub.docker.com/r/liferay/portal/tags) is vulnerable to CVE-2025-24813?
And if so, is there any pattern to how new Docker images with patches are published? Like how many weeks does it usually take etc.?
Or is there any sort of workaround where one could override the tomcat version in some way?
Thanks!
Liferay is not vulnerable with its bundle/docker image default configuration (Liferay and CVE-2025-24813). Also, the Tomcat version will be updated in the future.
You can create a temporary container if you want to verify the specific Tomcat version of a tag:
docker run -it --entrypoint /bin/bash --name test liferay/portal:7.4.3.132-ga132
$ java -cp /opt/liferay/tomcat/lib/catalina.jar org.apache.catalina.util.ServerInfo
Server version: Apache Tomcat/9.0.98
...
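
To run the version check above across several tags without reading the output by eye, the following added example (not part of the original thread and not Liferay's own tooling) parses the `ServerInfo` output and compares it numerically against a minimum version. The function names are hypothetical, `MIN_VERSION` is a placeholder to be filled in from the Apache Tomcat advisory for the CVE, and `java` is assumed to be on the `PATH` in a non-interactive shell inside the image.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not Liferay or Tomcat tooling.

# Read ServerInfo output on stdin and print major.minor.patch (e.g. 9.0.98).
tomcat_version_from_serverinfo() {
  sed -n 's|^Server version:[[:space:]]*Apache Tomcat/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' | head -n 1
}

# Return 0 when version $1 >= version $2. Fields are compared as integers,
# so 9.0.100 correctly sorts after 9.0.99 (a string comparison would not).
version_at_least() {
  have=$1
  want=$2
  for n in 1 2 3; do
    h=${have%%.*}
    w=${want%%.*}
    [ "$h" -gt "$w" ] && return 0
    [ "$h" -lt "$w" ] && return 1
    # Drop the field just compared; a missing field counts as 0.
    case $have in *.*) have=${have#*.} ;; *) have=0 ;; esac
    case $want in *.*) want=${want#*.} ;; *) want=0 ;; esac
  done
  return 0
}

# Read ServerInfo output on stdin; $1 is the minimum acceptable version.
# Exit status: 0 = at or above minimum, 1 = below, 2 = version not found.
tomcat_meets_minimum() {
  ver=$(tomcat_version_from_serverinfo)
  [ -n "$ver" ] || { echo "no Tomcat version found in input" >&2; return 2; }
  if version_at_least "$ver" "$1"; then
    echo "Tomcat $ver >= $1"
  else
    echo "Tomcat $ver < $1"
    return 1
  fi
}

# Usage (tag and jar path are the ones from the thread; MIN_VERSION is a placeholder):
#   docker run --rm --entrypoint /bin/bash liferay/portal:7.4.3.132-ga132 -c \
#     'java -cp /opt/liferay/tomcat/lib/catalina.jar org.apache.catalina.util.ServerInfo' \
#     | tomcat_meets_minimum MIN_VERSION
```

A version below the minimum only tells you which Tomcat build the image ships; whether the running configuration is exposed is a separate question, as the answer above points out.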