Is the latest released Portal Docker image vulnerable to CVE-2025-24813?Is the latest released Portal Docker image vulnerable to CVE-2025-24813?https://liferay.dev/c/message_boards/find_thread?p_l_id=119785294&threadId=1233187262026-04-07T23:24:30Z2026-04-07T23:24:30ZRE: Is the latest released Portal Docker image vulnerable to CVE-2025-24813?Daniel Carrillo Broederhttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1233676822025-04-23T10:14:39Z2025-04-23T10:14:38Z<p>Liferay is <strong>not vulnerable</strong> with its bundle/docker
image default configuration( <a
href="https://help.liferay.com/hc/en-us/articles/35134053445517-Liferay-and-CVE-2025-24813">Liferay
and CVE-2025-24813</a> ). Also, the Tomcat version will be updated
the future.</p>
<p>You can create a temporary container if you want to verify the
specific Tomcat version of a tag:</p>
<pre>
<code class="language-java">docker run -it -entrypoint /bin/bash --name test liferay/portal:7.4.3.132-ga132
$ java -cp /opt/liferay/tomcat/lib/catalina.jar org.apache.catalina.util.ServerInfo
Server version: Apache Tomcat/9.0.98
...</code></pre>Daniel Carrillo Broeder2025-04-23T10:14:38ZIs the latest released Portal Docker image vulnerable to CVE-2025-24813?Effi S.https://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1233187252025-03-26T15:35:59Z2025-03-25T19:22:55Z<p>Hey everyone,</p>
<p>I am currently running the Liferay Portal image locally for a PoC but
since patching would be an issue in a production environment I am
curious about the support structure here.</p>
<p>Does anyone know if the latest released Docker image
(https://hub.docker.com/r/liferay/portal/tags) is vulnerable to CVE-2025-24813?</p>
<p>And if so, is there any pattern to how new Docker images with patches
are published? Like how many weeks does it usually take etc.?</p>
<p>Or is there any sort of workaround where one could override the
tomcat version in some way?</p>
<p>Thanks!</p>Effi S.2025-03-25T19:22:55Z