Liferay Faces Alloy DoS via large file upload in Servlet 3.0+ environment (non-Portlet vulnerability)

Description

Liferay Faces Alloy allows attackers to upload very large files, which may be used in a denial-of-service attack in a Servlet (non-Portlet) environment.

Non-Portlet Vulnerability

This vulnerability does not affect portlets using Liferay Faces Alloy. However, a recently discovered and fixed vulnerability causes com.liferay.faces.util.uploadedFileMaxSize to be ignored in a portlet environment as well. For more information see the Faces vulnerability announcement: DoS via large file upload.

Severity

Severity 2

Fixed Version(s)

Notes

To install, remove any old versions of Liferay Faces Alloy and place the fixed version of Liferay Faces Alloy in the appropriate location.

The dependency can be included via Maven, Gradle, or Ivy.

In a Maven project pom.xml <dependencies> section, add the following <dependency>:

<dependency>
    <groupId>com.liferay.faces</groupId>
    <artifactId>com.liferay.faces.alloy</artifactId>
    <version>3.0.2</version>
</dependency>

In a Gradle project build.gradle dependencies section, add the following dependency:

compile group: 'com.liferay.faces', name: 'com.liferay.faces.alloy', version: '3.0.2'

In an Ant-Ivy project ivy.xml <dependencies> section, add the following <dependency>:

<dependency org="com.liferay.faces" name="com.liferay.faces.alloy" rev="3.0.2" />
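
A check for the install step above (remove old versions, deploy the fixed one), as an added example that is not from the advisory or the Liferay Faces project: it inspects a WEB-INF/lib directory for Alloy jars and reports leftovers. It assumes Maven-style jar file names and treats 3.0.2, the version in the dependency snippets, as the fixed version; the function names and sample file names are constructed.

```python
import re
import tempfile
from pathlib import Path

# 3.0.2 is the version in this page's dependency snippets. The page lists no
# other fixed versions, so jars from other release lines need manual review.
FIXED = (3, 0, 2)
# Maven names the file <artifactId>-<version>.jar
JAR_RE = re.compile(r"^com\.liferay\.faces\.alloy-(\d+(?:\.\d+)*)([.-].+)?\.jar$")


def classify(jar_name):
    """Classify one jar file name against FIXED."""
    m = JAR_RE.match(jar_name)
    if not m:
        return "unparsed"
    if m.group(2):  # qualifier such as -SNAPSHOT: not a release build
        return "review"
    version = tuple(int(p) for p in m.group(1).split("."))
    version += (0,) * (len(FIXED) - len(version))  # 3.0 compares as 3.0.0
    if version < FIXED:
        return "older"
    return "fixed" if version == FIXED else "newer"


def audit_lib(lib_dir):
    """Return (findings, ok) for the Alloy jars in a WEB-INF/lib directory."""
    jars = sorted(p.name for p in Path(lib_dir).glob("com.liferay.faces.alloy-*.jar"))
    findings = [(name, classify(name)) for name in jars]
    # ok only when exactly one copy is deployed and it is fixed or newer
    ok = len(findings) == 1 and findings[0][1] in ("fixed", "newer")
    return findings, ok


def demo():
    """Constructed sample: an old jar left beside the fixed one."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("com.liferay.faces.alloy-3.0.1.jar",
                     "com.liferay.faces.alloy-3.0.2.jar",
                     "some-other-lib-1.0.jar"):
            (Path(tmp) / name).touch()
        return audit_lib(tmp)


if __name__ == "__main__":
    print(demo())
```

Two copies in the same directory fail the check even when one of them is 3.0.2, because the old jar was not removed as the install note requires.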

Publication date: Tue, 27 Aug 2019 21:54:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historical advisories are available in the Help Center.