Security patches for Liferay Portal 6.2, 7.0 and 7.1

The best way to keep your installation of Liferay Portal secure is to always use the latest release - currently Liferay Portal 7.3 GA1. However, we’ve been hearing from you in the community that using the latest release can be challenging, especially if you need to upgrade from one major version to another. So, to make it easier to keep your Liferay Portal instance secure, the Community Security Team will periodically release source patches for the last GA release of each major version. For example, patches will be released for 7.1 GA4 and 7.0 GA7. For more information on working with patches, please see Patching Liferay Portal.

Without further ado, you can find the patches below. All vulnerabilities fixed in these patches have already been fixed in Liferay Portal 7.2 GA2. Please refer to the readme file for a list of issues addressed in each patch:

Note: This release includes patches for Liferay Portal 6.2 and 7.0. However, these versions are very old and there are no plans to release additional patches for these versions. If you are running Liferay Portal 6.2 or 7.0, please consider upgrading as soon as possible.

 

Update:
Thanks to Arun Das, binary builds of the patch are available for Liferay Portal 6.2: Link 1 | Link 2

Disclaimer: Binary patches have not been tested by Liferay


Are there any binary patches available for the Liferay versions above? The links provide source code patches only.

There's currently no plans to create binary patches. But if anyone wants to create the binary patch, I'll be happy to link to them.

Hi Samuel, may you help me with the creation of the binary patch for Liferay Portal 6.2 GA6?

Thanks!

Dave, can you repost your question on the forums. These comments are probably not the best place to help you with building a patch since this may require some back and forth. But in general, you'll want to check out the source code (including the patch) from GitHub. After you have the code, type 'ant all' at the command line to create a build. But there's a lot of details in that last step, which is why it's probably better to have this discussion in the forums.

I can't believe that Liferay is not delivering binary patches. I tried to compile binaries from source, first with JDK11 - I quickly realized that this is a problem, then with JDK8. After 30-40 MINUTES I ran into errors.

We have an insecure application running and can't fix these vulnerabilities now?

This is a no-go.

Hi Fredi, 

I understand your concern. Usually, all binary patches for these vulnerabilities are released for DXP subscribers only. All thanks to the community security team that at least they are pushing these patches to older versions of Liferay as well; otherwise we would have to check the latest fixes on the master branch and port them back manually to older versions.

 

Regards,

Arun

 

Hi Samuel,

I've uploaded the Liferay 6.2 March 2020 fixes binaries: https://1drv.ms/u/s!AtN9b49hmJkTiIB87ak7ce8PQv3xFA?e=ZC3PkV

 

Can you please help verify?

Regards,

Arun 

Hi Arun,

Thank you for the patch. To make it work, I had to copy the missing webapps (marketplace, etc.) from my previous server, and edit tomcat\conf\catalina.properties:

 

L49: common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.home}/lib/ext,${catalina.home}/lib/ext/*.jar

 

Regards

 

Grégoire

 

Hello Grégoire,

Yep, for Link 1, which is a complete build, you are required to add those files manually. You could check Link 2 (https://1drv.ms/u/s!AtN9b49hmJkTiIB87ak7ce8PQv3xFA?e=ZC3PkV), which is just the patches only.

 

Also, you could check out this blog (https://liferay.dev/blogs/-/blogs/creating-liferay-security-binary-patches) by Dominik on how to create a binary patch.

 

Regards,

Arun

Hi Arun,

 

thanks for the patches. They work fine in my installation except for FacebookConnect.

 

Connecting via Facebook fails when the call to /c/login/facebook_connect_outh returns "Server Error (500)". See the stack trace below.

 

Any idea what could/should be done?

 

Thanks,

Johannes

 

 

Caused by: com.liferay.portal.kernel.exception.SystemException: Unable to retrieve Facebook access token
        at com.liferay.portal.facebook.FacebookConnectImpl.getAccessToken(FacebookConnectImpl.java:91)
        at com.liferay.portal.kernel.facebook.FacebookConnectUtil.getAccessToken(FacebookConnectUtil.java:34)
        at com.liferay.portlet.login.action.FacebookConnectAction.strutsExecute(FacebookConnectAction.java:102)
        at com.liferay.portal.struts.PortletAction.execute(PortletAction.java:116)
        at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
        ... 85 more
Caused by: java.lang.NullPointerException
        at com.liferay.portal.util.HttpImpl.URLtoInputStream(HttpImpl.java:1735)
        at com.liferay.portal.util.HttpImpl.URLtoByteArray(HttpImpl.java:1547)
        at com.liferay.portal.util.HttpImpl.URLtoByteArray(HttpImpl.java:1095)
        at com.liferay.portal.util.HttpImpl.URLtoString(HttpImpl.java:1159)
        at com.liferay.portal.kernel.util.HttpUtil.URLtoString(HttpUtil.java:428)
        at com.liferay.portal.facebook.FacebookConnectImpl.getAccessToken(FacebookConnectImpl.java:74)

Hi Johannes,

I just built from https://github.com/community-security-team/liferay-portal/tree/6.2.5-cumulative and did not change any of the code. And I don't see any updates done to FacebookConnect in that branch. Probably the Facebook implementation has changed since Liferay 6.2.5. The best place to start a discussion is in the forums/slack (liferay-community.slack.com). You should be able to cook up an EXT plugin to change the implementation.

 

Regards,

Arun

Hi Arun,

 

for me the point is not FacebookConnect but HttpImpl.java (which changed a lot), used by FacebookConnectAction.

 

Nicola

Maybe someone introduced a NullPointer

at com.liferay.portal.util.HttpImpl.URLtoInputStream(HttpImpl.java:1735)

we have the same issue in code on that invocation.

Nicola, I agree. HttpImpl.java is the problem.

 

I did the following:

'git clone https://github.com/community-security-team/liferay-portal.git'

'git checkout 6.2.5-ga6'

'ant all' fails

 

Debugging the application with that source code attached shows that the HttpImpl.java of Arun's patch is not the HttpImpl.java from my checkout.

 

However, 'ant all' fails on my machine with the following message, so I do not know how to proceed with identifying the problem.

 

@Arun: Can you figure out what the problem with HttpImpl.java is, or give me a hint how to reproduce your patch?

 

Thanks,

Johannes

 

1. ERROR in /home/johannes/scorio/liferay-portal/portal-impl/src/com/liferay/portal/jsonwebservice/JSONWebServiceActionImpl.java (at line 379)
    [javac]     if (!ReflectUtil.isSubclass(
    [javac]                      ^^^^^^^^^^
    [javac] The method isSubclass(Class<capture#61-of ?>, Class<capture#62-of ?>) is undefined for the type ReflectUtil

For those having problems with Facebook Connect on Liferay Portal 6.2, we've pushed an additional commit to the branch that will hopefully address this issue.

 

Johannes, thank you for letting us know about this issue.

Hi Samuel,

 

good to hear you've addressed this issue.

Where would I find that commit? I've been looking at https://github.com/liferay/liferay-portal.git branches 6.2 and 6.2.x as well as at https://github.com/community-security-team/liferay-portal.git but could not find it.

 

Johannes

Hi,

I've updated the patches here is the link https://1drv.ms/u/s!AtN9b49hmJkTiIEF8pvMBH06NMSF-w?e=NesCHg

Can you help me test this?

 

Regards,

Arun

@Nicola: Thank you so much for showing me how to get the commit. I am definitely not a git expert. The commit works insofar as it resolves the NPE in HttpUtil.java. However, there are other bugs preventing Facebook Connect from working.

 

@Arun: I'm happy to help with testing. Thanks to your help I could compile Liferay from source and debug it. I think I've now identified the problems with Facebook Connect. I will continue with testing tomorrow and report my results, hopefully positive ones.

 

Johannes

Hi Arun,

 

we tested 6.2.5-cumulative and created a patch to get Facebook Connect to work. The patch draws on replies to my post https://liferay.dev/forums/-/message_boards/message/87677757 and the workaround I had developed for that. The patch addresses two issues: HttpUtil calls HTTPS URLs as HTTP only; Facebook has changed the Facebook Connect API.

 

Tests of 6.2.5-cumulative  with our patch applied are all positive. We will put that version into production.

 

If you added our patch into 6.2.5-cumulative we will gladly retest that version.

 

Thanks for your substantial help and quick responses,

 

Johannes

 

----------------------------------------------------------------------------------------------------------------------------

 

From aead75af36aebc5e02e37ee40fe2c415c9be7759 Mon Sep 17 00:00:00 2001 From: Johannes Feulner <johannes.feulner@scorio.com> Date: Tue, 28 Apr 2020 10:59:29 +0200 Subject: [PATCH 2/2] Fixed HTTPImpl.java for calling HTTPS URls; Fixed  FacebookConnect.java for current API

---  .../com/liferay/portal/facebook/FacebookConnectImpl.java  | 15 ++++++++++++++-  portal-impl/src/com/liferay/portal/util/HttpImpl.java     |  2 +-  2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/portal-impl/src/com/liferay/portal/facebook/FacebookConnectImpl.java b/portal-impl/src/com/liferay/portal/facebook/FacebookConnectImpl.java index e52e418..1192a0b 100644 --- a/portal-impl/src/com/liferay/portal/facebook/FacebookConnectImpl.java +++ b/portal-impl/src/com/liferay/portal/facebook/FacebookConnectImpl.java @@ -74,6 +74,7 @@ public class FacebookConnectImpl implements FacebookConnect {                         String content = HttpUtil.URLtoString(options);

                        if (Validator.isNotNull(content)) { +                               /* Facebook Connect API pre 2.3                                 int x = content.indexOf("access_token=");

                                if (x >= 0) { @@ -84,7 +85,19 @@ public class FacebookConnectImpl implements FacebookConnect {                                         }

                                        return content.substring(x + 13, y); -                               } +                               } */ + +                               /* [Oauth Access Token] Format according to Facebook +                                * The response format of +                                * https://www.facebook.com/v2.3/oauth/access_token returned +                                *  when you exchange a code for an access_token now return +                                *  valid JSON instead of being URL encoded. The new format +                                *  of this response is {"access_token": {TOKEN}, +                                *  "token_type":{TYPE}, "expires_in":{TIME}}. We made this +                                *  update to be compliant with section 5.1 of RFC 6749. +                                */ +                               String accessToken = JSONFactoryUtil.createJSONObject(content).getString("access_token"); +                               return accessToken;                         }                 }                 catch (Exception e) { diff --git a/portal-impl/src/com/liferay/portal/util/HttpImpl.java b/portal-impl/src/com/liferay/portal/util/HttpImpl.java index 0e1c824..ad81018 100644 --- a/portal-impl/src/com/liferay/portal/util/HttpImpl.java +++ b/portal-impl/src/com/liferay/portal/util/HttpImpl.java @@ -1609,7 +1609,7 @@ public class HttpImpl implements Http {                         _cookies.set(null);

                        HttpHost targetHttpHost = new HttpHost( -                               uri.getHost(), uri.getPort()); +                               uri.getHost(), uri.getPort(), uri.getScheme());

                        RequestConfig.Builder requestConfigBuilder =                                 getRequestConfigBuilder(uri, timeout); -- 2.7.4
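Review bot: in the FacebookConnectImpl hunk, the new `JSONFactoryUtil.createJSONObject(content).getString("access_token")` line returns whatever the key holds without checking it, so a JSON error body from Facebook (which carries an `error` object instead of `access_token`) comes back as an empty or null token and the caller only fails later with a less helpful message; add a `Validator.isNotNull(accessToken)` check before `return accessToken;` and log the response body on the failure path. The old URL-encoded branch is kept as a block comment (`/* Facebook Connect API pre 2.3 ... } */`); delete it rather than commenting it out, since the new code no longer handles that format and the comment misleads readers into thinking it is a fallback. The hunk also shows no import being added for `JSONFactoryUtil`; confirm the class already imports it, or the build fails on the new line.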
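Review bot: the HttpImpl hunk is the security-relevant part of the patch and the change is correct: the two-argument `HttpHost(uri.getHost(), uri.getPort())` constructor defaults the scheme to http, so an HTTPS URI was being sent to the host as a plain-HTTP request (the token exchange with Facebook included), which matches the "HttpUtil calls HTTPS URLs as HTTP only" finding above. Passing `uri.getScheme()` fixes the downgrade; `uri.getPort()` being -1 for URLs without an explicit port is fine, as HttpHost then uses the scheme's default port. Add a one-line comment saying why the scheme argument is required so it is not simplified away again, and check the rest of HttpImpl for other two-argument `HttpHost` constructions, since the hunk only covers the one at line 1609.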
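As an added example (not part of Johannes's patch or of the Liferay code base), here is the token-response handling written in Python so it runs stand-alone: it accepts both the legacy URL-encoded body and the current JSON body the patch comment describes, and, unlike the bare getString("access_token") in the hunk, treats an OAuth error object or a missing token as a failure instead of returning an empty token. The sample responses below are constructed, not captured from Facebook.

```python
import json
from urllib.parse import parse_qs


class TokenExchangeError(ValueError):
    """Raised when the token endpoint did not hand back a usable access token."""


def parse_access_token(content: str) -> str:
    """Extract access_token from a /oauth/access_token response body.

    Handles the current JSON format ({"access_token": ..., "token_type": ...},
    RFC 6749 section 5.1) and the legacy URL-encoded format
    (access_token=...&expires=...). Error responses and missing or empty
    tokens raise TokenExchangeError so the caller never proceeds with a
    blank credential.
    """
    body = content.strip()
    if not body:
        raise TokenExchangeError("empty response from token endpoint")

    if body.startswith("{"):
        try:
            data = json.loads(body)
        except json.JSONDecodeError as exc:
            raise TokenExchangeError(f"malformed JSON response: {exc}") from exc
        # Facebook (and RFC 6749 section 5.2) report failures as an error object,
        # still with HTTP-level JSON; there is no access_token key in that case.
        if "error" in data:
            err = data["error"]
            message = err.get("message", str(err)) if isinstance(err, dict) else str(err)
            raise TokenExchangeError(f"token endpoint returned error: {message}")
        token = data.get("access_token")
    else:
        # Legacy pre-2.3 format: key=value pairs, URL-encoded.
        token = parse_qs(body).get("access_token", [None])[0]

    if not isinstance(token, str) or not token:
        raise TokenExchangeError("response contains no access_token")
    return token


# Constructed sample bodies for demonstration; values are placeholders.
JSON_OK = '{"access_token":"EAAB-constructed-token","token_type":"bearer","expires_in":5183944}'
LEGACY_OK = "access_token=EAAB-legacy-constructed&expires=5183944"
JSON_ERROR = '{"error":{"message":"Invalid verification code format.","type":"OAuthException","code":100}}'

if __name__ == "__main__":
    for sample in (JSON_OK, LEGACY_OK, JSON_ERROR):
        try:
            print("token:", parse_access_token(sample))
        except TokenExchangeError as exc:
            print("rejected:", exc)
```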

Hello Johannes,

Here is the link with the FB Connect update

https://1drv.ms/u/s!AtN9b49hmJkTiIEGXlsboskImDsLew?e=1BWrGS

 

Do test and let us know

 

Regards,

Arun

Hi Arun,

 

I've tested your new update from https://1drv.ms/u/s!AtN9b49hmJkTiIEGXlsboskImDsLew?e=1BWrGS including the FB Connect fixes and it worked fine for me at www.scorio.com running tomcat 7.0.62. Thanks again.

 

Three things I'd like to ask/mention:

1. I've noted that https://github.com/liferay/liferay-portal.git  would also need the FacebookConnect update. Just a proposal.

 

2. I've got the impression that your code is running faster than what I compiled myself from https://github.com/community-security-team/liferay-portal.git with JDK jdk1.7.0_80. Could there be a reason for that?

 

3. When clicking on "Portal Settings" from the control panel page, and again when clicking "Save" there, I see the following warnings in catalina.out which I do not remember having seen before:

0:56:27,586 WARN  [ajp-bio-8089-exec-15][PortalImpl:7510] Unable to impersonate 2 hiRF3/oAxXHWXpO DSiA== because the string cannot be decrypted
10:56:27,595 WARN  [ajp-bio-8089-exec-11][PortalImpl:7510] Unable to impersonate 2 hiRF3/oAxXHWXpO DSiA== because the string cannot be decrypted
10:56:27,596 WARN  [ajp-bio-8089-exec-5][PortalImpl:7510] Unable to impersonate 2 hiRF3/oAxXHWXpO DSiA== because the string cannot be decrypted
10:56:27,614 WARN  [ajp-bio-8089-exec-11][PortalImpl:7510] Unable to impersonate 2 hiRF3/oAxXHWXpO DSiA== because the string cannot be decrypted
10:56:27,614 WARN  [ajp-bio-8089-exec-5][PortalImpl:7510] Unable to impersonate 2 hiRF3/oAxXHWXpO DSiA== because the string cannot be decrypted

 

Regards,

 

Johannes

 

Hi Johannes,

 

Thanks for the update. 

For your info, the 6.2.x branch is no longer updated by Liferay. I'm not sure about the 2nd item, how my code is running faster, as I just cloned the repo from https://github.com/community-security-team/liferay-portal.git, made the FB connect changes and compiled using jdk 1.7_80. For item 3, I noticed that Liferay already fixed it in EE: https://issues.liferay.com/browse/LPS-60816. Unfortunately, since it's a private repo I don't have access to it.

 

Regards,

Arun

 

Hi Arun, I am running the Liferay-tomcat fix you provided.  I notice a bug on the page Server Administration.  This bug I have found running Liferay-6.2-ce-ga6 on Tomcat more recent than 7.0.62.  Have you found an issue with the page, and do you know how to solve for it? Cheers, Caleb

Hi Caleb,

Are you referring to the following issue?

"The code of method _jspService(HttpServletRequest, HttpServletResponse) is exceeding the 65535 bytes limit"

 

Here is the ticket related to this https://issues.liferay.com/browse/LPS-70778

Since that's a private repo I couldn't really get that fix. But a workaround was also mentioned there, which is to replace tomcat-7.0.xx/lib/jasper.jar with an older version of jasper.jar from tomcat-7.0.62.

 

Hope this helps

 

Regards,

Arun

 

Hi Arun,

Swapping out the library tomcat/lib/jasper.jar on tomcat-7.0.103 for the one from Tomcat-7.0.62 seems to have done the job.

 

Thanks,

Caleb

Hi Samuel, thank you for the source patch.

 

I have compiled a build from https://github.com/community-security-team/liferay-portal/tree/6.2.5-cumulative using jboss-7.1.1, jdk1.7.0_80, ant-1.9.13.

 

May you check the compiled patch? You can find it here

https://drive.google.com/file/d/1ffpu2VpIH183Zem-XZ9iaJXjai-wenLN/view?usp=sharing

 

I have installed it on my server and it seems to work.

 

Is there a way to view the version of the patch installed in the liferay control panel?

 

Thanks a lot,

 

Dave

 

 

I get the following exception when processing a velocity template. Any ideas?

 

Caused by: java.lang.IllegalArgumentException: Denied resolving class java.lang.Class by java.lang.Class
    at com.liferay.portal.velocity.LiferaySecureUberspector._checkClassIsRestricted(LiferaySecureUberspector.java:108)
    at com.liferay.portal.velocity.LiferaySecureUberspector.access$0(LiferaySecureUberspector.java:100)
    at com.liferay.portal.velocity.LiferaySecureUberspector$LiferaySecureIntrospectorImpl.checkObjectExecutePermission(LiferaySecureUberspector.java:201)
    at org.apache.velocity.util.introspection.SecureIntrospectorImpl.getMethod(SecureIntrospectorImpl.java:64)
    at org.apache.velocity.util.introspection.UberspectImpl.getMethod(UberspectImpl.java:193)
    at org.apache.velocity.runtime.parser.node.ASTMethod.execute(ASTMethod.java:192)
    at org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:262)
    at org.apache.velocity.runtime.parser.node.ASTReference.value(ASTReference.java:507)
    at org.apache.velocity.runtime.parser.node.ASTMethod.execute(ASTMethod.java:155)
    at org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:262)
    at org.apache.velocity.runtime.parser.node.ASTReference.render(ASTReference.java:342)
    at org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:336)
    at org.apache.velocity.Template.merge(Template.java:328)
    at org.apache.velocity.Template.merge(Template.java:235)
    at com.liferay.portal.velocity.VelocityTemplate.processTemplate(VelocityTemplate.java:112)
    at com.liferay.portal.template.AbstractTemplate.processTemplate(AbstractTemplate.java:108)

You have to check the restricted classes in the Velocity Engine configuration. The patches define new default values there, so resolving "java.lang.Class" is not allowed by default; you have to remove "java.lang.Class" from the restricted classes in the configuration.