RE: Is the latest released Portal Docker image vulnerable to CVE-2025-24813?

Effi S., modified 5 Months ago.

Is the latest released Portal Docker image vulnerable to CVE-2025-24813?


Hey everyone,

I am currently running the Liferay Portal image locally for a PoC, but since patching would be an issue in a production environment, I am curious about the support structure here.

Does anyone know if the latest released Docker image (https://hub.docker.com/r/liferay/portal/tags) is vulnerable to CVE-2025-24813?

And if so, is there any pattern to how new Docker images with patches are published? Like how many weeks does it usually take etc.?

Or is there any sort of workaround where one could override the Tomcat version in some way?

Thanks!

Daniel Carrillo Broeder, modified 4 Months ago.

RE: Is the latest released Portal Docker image vulnerable to CVE-2025-24813?


Liferay is not vulnerable with its bundle/Docker image default configuration (Liferay and CVE-2025-24813). Also, the Tomcat version will be updated in the future.

You can create a temporary container if you want to verify the specific Tomcat version of a tag:

docker run -it --entrypoint /bin/bash --name test liferay/portal:7.4.3.132-ga132

$ java -cp /opt/liferay/tomcat/lib/catalina.jar org.apache.catalina.util.ServerInfo
Server version: Apache Tomcat/9.0.98
...
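
To check several tags at once, the ServerInfo call from the reply above can be scripted. This is an added example, not part of the thread or of Liferay's tooling; the function names are hypothetical, and the minimum Tomcat version is an argument you take from the Apache Tomcat advisory, since the thread does not state it.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): report the Tomcat version bundled in
# one or more liferay/portal image tags, using the ServerInfo call shown above.

CATALINA_JAR=/opt/liferay/tomcat/lib/catalina.jar   # path from the reply above

# Read ServerInfo output on stdin, print the bare version (e.g. 9.0.98).
parse_tomcat_version() {
  sed -n 's|^Server version:[[:space:]]*Apache Tomcat/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Succeed when version $1 is strictly older than $2, comparing dot-separated
# fields as numbers (so 9.0.98 < 9.0.100, which a string compare gets wrong).
version_lt() {
  local a="$1" b="$2" x y
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 1
}

# Run ServerInfo in a throwaway container; --rm leaves no stopped container.
image_tomcat_version() {
  docker run --rm --entrypoint /bin/bash "$1" -c \
    "java -cp $CATALINA_JAR org.apache.catalina.util.ServerInfo" | parse_tomcat_version
}

# Print one line per image; return 1 if older than the minimum, 2 if unknown.
check_image() {
  local image="$1" min="$2" ver
  ver=$(image_tomcat_version "$image")
  [ -n "$ver" ] || { echo "$image: could not read Tomcat version"; return 2; }
  if version_lt "$ver" "$min"; then
    echo "$image: Tomcat $ver is older than $min"; return 1
  fi
  echo "$image: Tomcat $ver (at or above $min)"
}

# Usage: bash check-tomcat.sh <minimum-version-from-advisory> <image:tag>...
if [ "$#" -ge 2 ]; then
  min="$1"; shift; rc=0
  for image in "$@"; do check_image "$image" "$min" || rc=1; done
  exit "$rc"
fi
```

The result only tells you which Tomcat build a tag ships; whether the deployment is exposed still depends on its configuration, as the reply above notes for the default one.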