DoS via large file upload

Description

PrimeFaces 6.2+ p:fileUpload

When used in concert with Liferay Faces Bridge, PrimeFaces 6.2+ p:fileUpload file upload validation can be bypassed, allowing very large files to be uploaded, which may be used in a denial of service (DoS) attack.

This vulnerability affects com.liferay.faces.bridge.impl-4.1.2 and com.liferay.faces.bridge.impl-4.1.1 versions which are compatible with:

  • Liferay Portal 6.2
  • Liferay Portal 7.0
  • Liferay Portal 7.1
  • Pluto Portal 2.0

 

RichFaces rich:fileUpload

When used in concert with Liferay Faces Bridge, RichFaces rich:fileUpload file upload validation can be bypassed, allowing very large files to be uploaded, which may be used in a denial of service (DoS) attack.

This vulnerability affects com.liferay.faces.bridge.impl-4.1.2 and all previous 4.x versions which are compatible with:

  • Liferay Portal 6.2
  • Liferay Portal 7.0
  • Liferay Portal 7.1
  • Pluto Portal 2.0

This vulnerability affects com.liferay.faces.bridge.impl-3.1.0 and all previous 3.x versions which are compatible with:

  • Liferay Portal 6.2
  • Pluto Portal 2.0

This vulnerability affects liferay-faces-bridge-impl-4.2.5-ga6 and all previous 4.2.x-ga versions which are compatible with:

  • Liferay Portal 6.2
  • Pluto Portal 2.0

This vulnerability affects liferay-faces-bridge-impl-3.2.5-ga6 and all previous 3.2.x-ga versions which are compatible with:

  • Liferay Portal 6.2
  • Pluto Portal 2.0

This vulnerability affects liferay-faces-bridge-impl-3.1.5-ga6 and all previous 3.1.x-ga versions which are compatible with:

  • Liferay Portal 6.1
  • Pluto Portal 2.0

This vulnerability affects liferay-faces-bridge-impl-3.0.5-ga6 and all previous 3.0.x-ga versions which are compatible with:

  • Liferay Portal 6.0
  • Pluto Portal 2.0

This vulnerability affects liferay-faces-bridge-impl-3.0.5-legacy-ga6 and all previous 3.0.x-legacy-ga versions which are compatible with:

  • Liferay Portal 5.2
  • Pluto Portal 2.0

 

com.liferay.faces.bridge.uploadedFileMaxSize with IceFaces ace:fileEntry

When used in concert with Liferay Faces Bridge, the com.liferay.faces.bridge.uploadedFileMaxSize context parameter file upload validation can be bypassed for IceFaces ace:fileEntry, allowing very large files to be uploaded, which may be used in a denial of service (DoS) attack.

This vulnerability affects com.liferay.faces.bridge.impl-4.1.2 and all previous 4.x versions which are compatible with:

  • Liferay Portal 6.2
  • Liferay Portal 7.0
  • Liferay Portal 7.1
  • Pluto Portal 2.0

This vulnerability affects com.liferay.faces.bridge.impl-3.1.0 and all previous 3.x versions which are compatible with:

  • Liferay Portal 6.2
  • Pluto Portal 2.0

This vulnerability affects liferay-faces-bridge-impl-4.2.5-ga6 and all previous 4.2.x-ga versions which are compatible with:

  • Liferay Portal 6.2
  • Pluto Portal 2.0

This vulnerability affects liferay-faces-bridge-impl-3.2.5-ga6 and all previous 3.2.x-ga versions which are compatible with:

  • Liferay Portal 6.2
  • Pluto Portal 2.0

This vulnerability affects liferay-faces-bridge-impl-3.1.5-ga6 and all previous 3.1.x-ga versions which are compatible with:

  • Liferay Portal 6.1
  • Pluto Portal 2.0

This vulnerability affects liferay-faces-bridge-impl-3.0.5-ga6 and all previous 3.0.x-ga versions which are compatible with:

  • Liferay Portal 6.0
  • Pluto Portal 2.0

This vulnerability affects liferay-faces-bridge-impl-3.0.5-legacy-ga6 and all previous 3.0.x-legacy-ga versions which are compatible with:

  • Liferay Portal 5.2
  • Pluto Portal 2.0

 

com.liferay.faces.util.uploadedFileMaxSize with alloy:inputFile in Portlets

When used in concert with Liferay Faces Bridge, the com.liferay.faces.util.uploadedFileMaxSize context parameter file upload validation can be bypassed for Alloy alloy:inputFile, allowing very large files to be uploaded, which may be used in a denial of service (DoS) attack.

This vulnerability affects com.liferay.faces.bridge.impl-4.1.2 and all previous 4.x versions which are compatible with:

  • Liferay Portal 6.2
  • Liferay Portal 7.0
  • Liferay Portal 7.1
  • Pluto Portal 2.0

This vulnerability affects com.liferay.faces.bridge.impl-3.1.0 and all previous 3.x versions which are compatible with:

  • Liferay Portal 6.2
  • Pluto Portal 2.0

This vulnerability affects liferay-faces-bridge-impl-4.2.5-ga6 and all previous 4.2.x-ga versions which are compatible with:

  • Liferay Portal 6.2
  • Pluto Portal 2.0

This vulnerability affects liferay-faces-bridge-impl-3.2.5-ga6 and all previous 3.2.x-ga versions which are compatible with:

  • Liferay Portal 6.2
  • Pluto Portal 2.0

 

IceFaces 1.8 ice:inputFile

Please also note that if you are using IceFaces 1.8 ice:inputFile with Liferay Portal, the com.liferay.faces.bridge.uploadedFileMaxSize and com.liferay.faces.util.uploadedFileMaxSize context parameters will not provide validation since IceFaces 1.8 provides its own bridge-like mechanism, so Liferay Faces cannot provide file upload validation. Please use IceFaces 1.8 com.icesoft.faces.uploadMaxFileSize parameter to prevent very large files from being uploaded with IceFaces 1.8.
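As an added defense-in-depth illustration (this is not code from Liferay Faces, IceFaces or the patch), the hypothetical Java class below enforces an upload size cap while the request body is still being read, so the limit holds even where a component's own validation is bypassed as described above; the cap value is assumed to come from your own configuration.

```java
import java.io.ByteArrayInputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;

// Hypothetical defense-in-depth wrapper (not part of Liferay Faces or the patch):
// fails the upload as soon as more than maxBytes have been read from the request body,
// so an oversized file is never fully buffered even if component-level validation is bypassed.
public final class BoundedUploadStream extends FilterInputStream {
    private final long maxBytes;   // cap in bytes, taken from your own configuration
    private long consumed;         // bytes read so far

    public BoundedUploadStream(InputStream in, long maxBytes) {
        super(in);
        this.maxBytes = maxBytes;
    }
    @Override public int read() throws IOException {
        int b = in.read();
        if (b != -1) count(1);
        return b;
    }
    @Override public int read(byte[] buf, int off, int len) throws IOException {
        int n = in.read(buf, off, len);
        if (n > 0) count(n);
        return n;
    }
    @Override public long skip(long n) throws IOException {
        long skipped = in.skip(n);
        count(skipped);            // skipped bytes still count toward the cap
        return skipped;
    }
    @Override public boolean markSupported() { return false; } // reset() would desync the count
    private void count(long n) throws IOException {
        consumed += n;
        if (consumed > maxBytes) throw new IOException("upload exceeds configured limit of " + maxBytes + " bytes");
    }

    // Demo: a constructed 1 KiB "upload" drained through a 512-byte cap is rejected mid-stream.
    public static void main(String[] args) throws IOException {
        byte[] body = new byte[1024];
        try (InputStream in = new BoundedUploadStream(new ByteArrayInputStream(body), 512)) {
            byte[] sink = new byte[256];
            while (in.read(sink) != -1) { /* drain, as a multipart parser would */ }
            System.out.println("accepted");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Wrapping the request input stream this way rejects the upload after at most maxBytes have been consumed, independent of which JSF component or bridge handles the multipart request.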

Severity

Severity 2

Notes

To install, place the patch in the WEB-INF/lib directory of each of your Liferay Faces WARs.

The dependency can be included via Maven, Gradle, or Ivy.

In a Maven project pom.xml <dependencies> section, add the following <dependency>:

<dependency>
    <groupId>com.liferay.faces.patches</groupId>
    <artifactId>com.liferay.faces.lsv.485.patch</artifactId>
    <version>1.0.0</version>
</dependency>

In a Gradle project build.gradle dependencies section, add the following dependency:

compile group: 'com.liferay.faces.patches', name: 'com.liferay.faces.lsv.485.patch', version: '1.0.0'

In an Ant-Ivy project ivy.xml dependencies section, add the following dependency:

<dependency org="com.liferay.faces.patches" name="com.liferay.faces.lsv.485.patch" rev="1.0.0" />

 

Publication date: Tue, 27 Aug 2019 21:46:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historical advisories are available in the Help Center.