- Liferay Portal < 7.3.1 Information Disclosure Vulnerability
- Liferay Portal < 7.3.3 DoS Vulnerability
our actual software is not vulnerable and openvas considering it as vulnerable.
you will see both the issues were related to Liferay 7.X.X or Liferay 6.2 EE, Where we are running Liferay CE GA6
So both the mentioned vulnerability doesn’t apply to us.
Could you please help with this this?
Thanks for the reply, but if I understand correctly, the shared NVD is also pointing to Liferay portal 7.X.X, Whereas @Mausam is referring that they don’t run Liferay portal 7.
https://nvd.nist.gov/vuln/detail/CVE-2020-15839 --> https://issues.liferay.com/browse/LPE-17055
Also, I have checked this NVD and I can see that Liferay GA6 is not impacted by this vulnerability. So do you think Openvas is detecting incorrectly.
Welcome at this community portal @anant.saraswat and @Mausam
Could you elaborate why you think that Liferay 6.x isn’t affected?
The official vendor advisories linked in both VTs are clearly stating “Liferay Portal before 7.3.1” respectively “Liferay Portal before 7.3.3”:
without any notes that 6.x isn’t affected or that only 7.x is affected. The same is also valid for the previous linked NVD entry which states “Liferay Portal before 7.3.3” with an assigned CPE:
cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:* Up to (excluding) 7.3.3
In such cases it needs to be assumed that all versions and not only a specific branch like 7.x is affected.
If in doubt please contact your vendor asking for clarification.
Thanks @cfi, I can see what you are referring, but it’s kinda confusing. Because if I check the link of jira task mentioned in NVD, it says the affected version, and I can’t see Liferay 6.X CE in that list.
From my experiences the “Affects Version/s:” in Jira issues (not only specific to Liferay but to many other projects as well) don’t fully reflect all affected versions and isn’t a trustworthy source for affected versions.
Most projects are only adding the affected versions which are currently supported in that column. In the case of Liferay Portal AFAICT only the 7.x versions of the Liferay Portal is still supported, at least the CE 6.2 is EOL since years:
Thanks @cfi and @Lukas for your help on this issue, I will further check how can we assure that Liferay 6 CE instance is secured against these vulnerabilities.
Thanks. Feel free to share your outcome and an official statement of the vendor if 6.x versions are affected and we will happily update the related VTs if required.