
Security Advisory:LPS-46552 - Struts 1 Classloader manipulation

James Falkner, modified 9 Years ago.


The following security advisory has been announced for Liferay Portal 6.2 CE GA2 (6.2.1):
  • CST-SA: LPS-46552 Struts 1 Classloader manipulation
A zero-day security vulnerability in the ActionForms object in Struts 1.x allows remote attackers to manipulate the class loader. In some environments, this may allow attackers to execute arbitrary code. While Liferay Portal utilizes Struts 1.x, Liferay Portal is *NOT* susceptible to this vulnerability because Liferay Portal does not use Struts 1.x's ActionForm for any out of the box functionality. However, sites using Liferay Portal may be vulnerable if:
  • Custom Struts 1.x plugin portlets have been deployed to the environment AND
  • The custom Struts 1.x plugin portlet uses ActionForm.
More information about the vulnerability.

Liferay Portal CE users are strongly advised to keep abreast of all new security advisories and apply associated fixes or workarounds to your Liferay deployments. To be notified of future releases, be sure to subscribe to this forum and follow the known vulnerabilities list (e.g. via RSS).
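One way to check whether a deployment meets the two conditions above is this added shell script (it is not part of the advisory or of Liferay's own tooling): it scans exploded plugin directories for struts-config.xml files that declare a form bean or bind an action mapping to one, which is exactly the case in which a custom Struts 1.x portlet relies on ActionForm. The deployment root path you pass in is an assumption about your install.

```shell
#!/bin/sh
# Added example, not from the advisory. Locates Struts 1.x plugin portlets
# that use ActionForm by inspecting their struts-config.xml files.

# Print "<form-bean count> <actions bound to a form bean>" for one config file.
# The file is flattened to a single line first so multi-line <action ...>
# elements are counted correctly (grep is line oriented).
scan_struts_config() {
    flat=$(tr '\n' ' ' < "$1")
    # "<form-bean " (with a space) excludes the <form-beans> container element.
    beans=$(( $(printf '%s' "$flat" | grep -o '<form-bean[[:space:]]' | wc -l) ))
    # An <action> whose attributes include name="..." is bound to a form bean.
    bound=$(( $(printf '%s' "$flat" | grep -o '<action[^>]*[[:space:]]name=' | wc -l) ))
    echo "$beans $bound"
}

# Walk an exploded deployment root (hypothetical path, e.g. the app server's
# webapps directory) and report every config that makes the plugin match the
# advisory's conditions. Configs without form beans produce no output.
find_actionform_plugins() {
    root="$1"
    find "$root" -name 'struts-config*.xml' -print | while read -r cfg; do
        set -- $(scan_struts_config "$cfg")
        if [ "$1" -gt 0 ] || [ "$2" -gt 0 ]; then
            printf '%s form-beans=%s bound-actions=%s\n' "$cfg" "$1" "$2"
        fi
    done
}

# Usage: ./find_actionform_plugins.sh /path/to/deployed/plugins
if [ $# -gt 0 ]; then
    find_actionform_plugins "$1"
fi
```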