LPS-47460 - Struts 1 Classloader manipulation (Generic fix)

Description

A zero-day security vulnerability in the ActionForms object in Struts 1.x allows remote attackers to manipulate the class loader. In some environments, this may allow attackers to execute arbitrary code.
 
Liferay Portal is NOT susceptible to this vulnerability. While Liferay Portal utilizes Struts 1.x, it does not use Struts 1.x's ActionForm for any out-of-the-box functionality. Plugin portlets authored by Liferay are also not vulnerable.
 
However, sites using Liferay Portal may be vulnerable if
  • Custom Struts 1.x plugin portlets have been deployed to the environment AND
  • The custom Struts 1.x plugin portlet uses ActionForm.
This patch removes the possibility of such class loader manipulation for apps on Liferay.
 
For more information:

Severity

Severity 1

Fixed Version(s)

Publication date: Mon, 16 Jun 2014 15:21:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historial advisories are availabe in the Help Center.