Search Results

Observing 'Your connection is not private' Warning on Help Center Downloads
Issue: When trying to download a quarterly release from Liferay's Help Center, we get a browser error that says 'Your connection is not private... Attackers might be trying to steal your information...'. Environment: Quarterly Release 2024.Q1. Resolution: This can often be caused by an...
Unable to process the OpenID Connect login: Resource URI must be absolute and with no query or fragment
Issue: Unable to log in with OpenID Connect from the Sign-In portlet: ERROR [http-nio-8080-exec-2][OpenIdConnectLoginRequestMVCActionCommand:190] Unable to process the OpenID Connect login: java.lang.IllegalStateException: Resource URI must be absolute and with no query or fragment:...
Cipher Keys used in DXP 7.1 and 7.3
Issue: Our security team would like to know whether Liferay DXP 7.1 and DXP 7.3 use any of the following ciphers: DES, 3DES, IDEA or RC2. Environment: Liferay DXP 7.1, Liferay DXP 7.3. Resolution: The algorithms listed above are not used in Liferay DXP 7.1 and 7.3 by default. You...
Is Liferay Affected by CVE-2023-49070?
Issue: How can I mitigate CVE-2023-49070 in Liferay DXP? Environment: All environments. Resolution: Liferay does not use Apache OFBiz, so Liferay is not affected by this vulnerability. Additional Information: CVE-2023-49070, content:...
Database Permissions Required for Liferay
Issue: Could you please provide us with a list of the database permissions required for Liferay to function? (We are tightening our application's database security.) Environment: Liferay DXP 7.1, 7.2, 7.3, 7.4. Resolution: Liferay requires reading...
LOGOUT event is not added to Audit Table
Issue: The LOGOUT event is not audited when SAML SLO is enabled. Environment: Liferay DXP 7.2, 7.3, 7.4. Resolution: This happens because the LogoutPreAction and LogoutPostAction classes cannot obtain the user's userId: by the time they run, the session is already unauthenticated. This is a known...
Unable to process OpenID Connect authentication response: Requested value and approved state do not match
Issue: From time to time, error messages like the following appear in the logs: 2024-02-14 13:31:55.099 ERROR [http-nio-8080-exec-120][OpenIdConnectFilter:132] Unable to process OpenID Connect authentication response: Requested value "yIH9jiIpdpuACAYf7NdNERUksBJZvNOoi-knjn7BOo0" and approved...
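The error in this entry comes from the relying-party side of the OpenID Connect authorization code flow: the state it receives on the redirect URI is not the one it stored before sending the user to the provider. The following is an added example, not Liferay's OpenIdConnectFilter, showing a minimal state issue-and-check together with the two ways it commonly fails: the callback is delivered to a session that holds no pending state (a new session, for instance because the session cookie was not sent on the cross-site return), or the same callback is processed twice. All names and the sample callback parameters are constructed for the illustration.

```python
import hmac
import secrets


class StateMismatch(Exception):
    """The state echoed back by the OpenID Provider is not the one this session issued."""


def begin_login(session):
    """Issue an unguessable state, remember it in the user's session and return it.
    The caller puts the same value in the `state` parameter of the authorization
    request it redirects the browser to."""
    state = secrets.token_urlsafe(32)
    session["oidc_state"] = state
    return state


def finish_login(session, callback_params):
    """Validate the `state` delivered to the redirect_uri.
    The stored value is consumed on first use, so a duplicated or replayed callback
    fails, and a callback that lands in a session with no pending login fails too
    (for example when the session cookie was not sent on the cross-site return)."""
    approved = session.pop("oidc_state", None)
    requested = callback_params.get("state")
    if approved is None:
        raise StateMismatch("no pending authorization request in this session "
                            "(new or expired session, or the callback was already consumed)")
    if requested is None or not hmac.compare_digest(approved.encode(), requested.encode()):
        raise StateMismatch(f"requested value {requested!r} and approved state {approved!r} do not match")
    return True


def oidc_state_scenarios():
    """Constructed scenarios (not captured traffic); returns the outcome of each."""
    results = {}

    # 1. Normal round trip: the state stored before the redirect comes back unchanged.
    session = {}
    state = begin_login(session)
    results["round_trip"] = finish_login(session, {"state": state, "code": "constructed-code"})

    # 2. The same callback is delivered twice (browser retry, double submit): already consumed.
    try:
        finish_login(session, {"state": state, "code": "constructed-code"})
        results["replay"] = True
    except StateMismatch:
        results["replay"] = False

    # 3. The callback arrives in a different session from the one that started the login.
    first, second = {}, {}
    first_state = begin_login(first)
    begin_login(second)
    try:
        finish_login(second, {"state": first_state, "code": "constructed-code"})
        results["cross_session"] = True
    except StateMismatch:
        results["cross_session"] = False

    return results
```

Storing the state in the session and consuming it on first use is what makes the check meaningful; a random value that is never bound to the session, or never cleared, would still produce a tidy log line but would not stop a forged callback.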
Troubleshooting Unexpected Open Ports in Liferay PaaS
Issue: When performing a network scan on a Liferay PaaS environment, ports 80, 443 and others appear to be open. Will this allow HTTP requests to succeed? Environment: Liferay PaaS. Resolution: This behavior is expected and does not represent a security threat. Liferay PaaS...
Obfuscating property values and rendering them as asterisks (*****) in the Control Panel
Issue: Certain property values need to be hidden in the Control Panel. Environment: DXP 7.4. Resolution: To obfuscate the value of a portal property and have it appear as a string of asterisks (*****) in the Control Panel, include the name of that portal property in the...
Vulnerable JavaScript dependency Bootstrap-select 1.12.4
Issue: bootstrap-select 1.12.4 is reported as vulnerable; to address this, bootstrap-select should be upgraded to a non-vulnerable version. Environment: Liferay DXP 7.3. Resolution: Liferay does not use the 'bootstrap-select' library anywhere. This library does not come...
Emails are not sent from Liferay when Office365 is used as the mail server
Issue: Emails are not sent from Liferay. In the log we see the following error: liferay[liferay-7] [dxp] ERROR [liferay/mail-6][MailEngine:74] Unable to send message: 535 5.7.139 Authentication unsuccessful, the request did not meet the criteria to be authenticated successfully....
Is there a way to bypass CAPTCHA without having to disable it?
Issue: We will run automated tests in our QA environment and would like to know whether CAPTCHA can be bypassed through configuration settings, without disabling it. Environment: Liferay DXP 7.4. Resolution: An out-of-the-box way to not require CAPTCHA for authenticated users...
"Text verification failed" Captcha error
Issue: We are trying to use the Reset Password functionality, but every time we enter the CAPTCHA text correctly we get the error "Text verification failed". We see the same behavior on other pages where a CAPTCHA is present, e.g. Forms. Environment: DXP 7.4 2023.Q3...
Vulnerability in Apache Tomcat (CVE-2023-46589)
Issue: Security vulnerability CVE-2023-46589 has been reported and is fixed in Tomcat 9.0.83; however, our current Liferay DXP 7.4 Update 67 ships Tomcat 9.0.71. Environment: Liferay DXP 7.4. Resolution: To mitigate this vulnerability, update Liferay DXP 7.4 to Liferay DXP...
Liferay 6.2 EE 173 and CVE-2024-25145
Issue: We found the article "CVE-2024-25145 Stored XSS with search results if highlighting is disabled", but it does not specify whether Liferay 6.2 EE 173 is affected. Environment: Liferay 6.2 EE 173. Resolution: Liferay 6.2 EE 173 is not affected by CVE-2024-25145....
Can SAML be used to send an attribute that can be used to assign site roles?
Issue: Currently, SAML is not designed to send an attribute that can be used to assign site roles. Environment: Quarterly Releases. Resolution: This is an ongoing task, LPD-6336, for Liferay. Liferay plans to implement a form of this in the future, but this will be...
OpenID Connect Error - "Signed JWT rejected" with CAS
Issue: When configuring authentication using OpenID Connect, login fails and the following error is reported: Unable to validate tokens: Signed JWT rejected: Another algorithm expected, or no matching key(s) found. Environment: DXP 7.3, DXP 7.4, using Apereo CAS as the OpenID Provider. Resolution:...
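The message "Another algorithm expected, or no matching key(s) found" names two distinct checks that run before any signature is verified: the alg in the token header has to be the one the client is configured for, and the provider's JWKS has to contain a key that fits that alg plus the token's kid. Why CAS in particular trips it is in the truncated resolution above; the following added example (not Liferay's or CAS's code) implements that selection step so each half of the error can be reproduced. The JWKS document and tokens are constructed placeholders, and signature verification itself is left out because it would need a cryptography library.

```python
import base64
import json

RSA_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512"}
EC_CURVES = {"ES256": "P-256", "ES384": "P-384", "ES512": "P-521"}


class NoMatchingKey(Exception):
    """Raised for either half of the error text: wrong algorithm, or no usable JWK."""


def _b64url_decode(segment):
    """JOSE base64url: URL-safe alphabet with padding stripped, so restore it first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def select_verification_key(token, jwks, expected_alg):
    """Return the JWKS entry that must verify `token`, or raise NoMatchingKey.
    The algorithm is checked against what the client is configured to expect, never
    taken from the token alone: that is what blocks alg=none and HS*/RS* confusion.
    Key matching then honours kid, alg, use and key type/curve."""
    header = json.loads(_b64url_decode(token.split(".")[0]))
    alg, kid = header.get("alg"), header.get("kid")
    if alg != expected_alg:
        raise NoMatchingKey(f"another algorithm expected: token uses {alg!r}, "
                            f"client is configured for {expected_alg!r}")
    for jwk in jwks.get("keys", []):
        if kid is not None and jwk.get("kid") != kid:
            continue                      # wrong key id (rotated key, stale JWKS cache)
        if jwk.get("alg") not in (None, alg):
            continue                      # key published for a different algorithm
        if jwk.get("use") not in (None, "sig"):
            continue                      # encryption key, not a signing key
        if alg in RSA_ALGS and jwk.get("kty") != "RSA":
            continue
        if alg in EC_CURVES and (jwk.get("kty") != "EC" or jwk.get("crv") != EC_CURVES[alg]):
            continue
        return jwk
    raise NoMatchingKey(f"no matching key(s) found for alg={alg!r} kid={kid!r}")


def make_unsigned_token(header, payload):
    """Constructed token (header.payload. with an empty signature). Key selection happens
    before the signature is checked, so no real signature is needed to exercise it."""
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()), ""])


# Constructed JWKS document, shaped like what an OP publishes at its jwks_uri.
# The key material values are placeholders, not real keys.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "rsa-2024", "use": "sig", "alg": "RS256",
     "n": "placeholder-modulus", "e": "AQAB"},
    {"kty": "EC", "kid": "ec-2024", "use": "sig", "crv": "P-256",
     "x": "placeholder-x", "y": "placeholder-y"},
]}
```

Pinning expected_alg on the client side rather than trusting the header is deliberate: choosing the verification method from the token's own alg is the root of the classic alg=none and HMAC-with-public-key confusions. A kid that is absent from the JWKS usually means the provider rotated keys and the client is serving a cached document.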
/c/ redirects to login page
Issue: When a user accesses the URL 'http://localhost:8080/c/', they are redirected to the login page instead of receiving a 404 Not Found, even though no 'c' page exists. Environment: Liferay DXP [all versions]. Resolution: In the URL, the prefix "c" designates a unique portal access...
Log messages for Stored XSS vulnerabilities
Issue: We would like to know whether there are any strings to search for in log files to check whether any of the following vulnerabilities have been exploited in our environment: LSV-1237 / CVE-2023-42628, LSV-1236 / CVE-2023-42627, LSV-1194 / CVE-2023-44310. Environment: Liferay DXP 7.4...
Getting 'DuplicateSamlIdpSsoSessionException' in the Debug Logs
Issue: Users are facing intermittent login issues in a SAML environment, and the following error is observed frequently in the log files: DEBUG [default task-73687][BaseSamlStrutsAction:61] null com.liferay.saml.persistence.exception.DuplicateSamlIdpSsoSessionException: Duplicate...
Security Vulnerability CVE-2023-28708
Issue: Security vulnerability CVE-2023-28708 has been reported and is fixed in Tomcat 9.0.72; however, our current Liferay DXP 7.3 SP1 ships Tomcat 9.0.40. Environment: Liferay DXP 7.3. Resolution: To mitigate this vulnerability, update Liferay DXP 7.3 to Liferay 7.3...
Can we obfuscate HTML of the sites?
Issue: I would like to increase our protection from man-in-the-middle attacks by obfuscating our site's HTML. Is there a method for this already implemented in Liferay? Environment: DXP 7.0+. Resolution: No obfuscation is performed, and implementing it is not under consideration.... Note that obfuscated markup would not stop a man-in-the-middle attacker in any case; transport security (TLS) is the control for that.
/language showing 403 forbidden url
Issue: When a user accesses the URL 'http://localhost:8080/language', a 403 Forbidden error is shown in the UI instead of a 404 Not Found, even though no 'language' page exists. Log error: ERROR [WebContainer : 19][LanguageServlet:64] Invalid authentication token received...
Error "Invalid site key" when using reCAPTCHA v3
Issue: When configuring reCAPTCHA v3 and testing it on the "Forgot Password" page, the following error message is reported: "ERROR for site owner: Invalid site key". Environment: Liferay DXP 7.2+. Resolution: Liferay does not currently support reCAPTCHA v3. To solve the issue, configure...
Error: Only known users are allowed to sign in using OpenID Connect.
Issue: You might encounter an error when using OpenID Connect: users who have not yet been registered in Liferay are unable to log in because they are identified as strangers. The error appears when company.security.strangers is set to false. You can also check this in the UI by navigating...
X-Xss-Protection response header is not working in DXP 7.4
Issue: To enable X-XSS-Protection, we added the property http.header.secure.x.xss.protection=1; mode=block to system-ext.properties and restarted the server, but it has no effect in Liferay. Environment: Liferay DXP 7.4. Resolution: The HTTP header X-XSS-Protection is set to 1 by default... Note that current Chromium-based browsers and Firefox ignore X-XSS-Protection altogether; server-side output encoding and a Content Security Policy are the effective controls against reflected XSS.
How to enable cookies and the banner, consent panel
Issue: How to enable cookie preference handling, as well as the configuration options for both the banner and the consent panel. Environment: Liferay DXP 7.4. Resolution: This feature was introduced in Liferay DXP 7.4 Update 66. To enable it, follow the steps below: Navigate...
SAML Sessions remain Active despite Logout in Liferay
Issue: We have integrated SAML with our Liferay configuration and noticed that after a user logs out, their session remains active in Liferay. Environment: Liferay DXP 7.3. Resolution: This issue may occur if the 'SameSite' attribute of the browser cookie is set to 'Strict': the logout request reaches Liferay as a cross-site request from the IdP, a Strict cookie is not sent with it, and Liferay cannot associate the request with the session it should end. To resolve...
p_auth token missing from GET request
Issue: After enabling CSRF tokens, a p_auth token is appended to URLs, as expected. However, we noticed that if we manually remove it from the end of a URL and press Enter, we can still access the page even though p_auth is now missing from the request. Does this mean CSRF...
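What the question observes is the usual synchronizer-token design: the token is required on requests that change state, not on the GET that merely renders a page, so stripping p_auth from a page URL still loads the page and proves nothing either way. The following is an added, generic illustration of that pattern in Python, not Liferay's own p_auth implementation; the parameter name is kept only to match the question, and the session and requests are constructed.

```python
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session):
    """Create a per-session CSRF token on first use and reuse it afterwards.
    `p_auth` below is just the parameter name from the question; the check itself is
    a generic synchronizer-token pattern, not any framework's implementation."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(24)
    return session["csrf_token"]


def is_request_authorized(session, method, params):
    """Return True if the request may proceed.
    Safe methods are assumed not to change state, so they carry no token requirement:
    removing p_auth from a page URL and reloading still renders the page, and that is
    not a bypass. Every state-changing request must present the session's token."""
    if method.upper() in SAFE_METHODS:
        return True
    expected = session.get("csrf_token")
    supplied = params.get("p_auth")
    if expected is None or supplied is None:
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


def csrf_scenarios():
    """Constructed requests against one session; returns the decision for each."""
    session = {}
    token = issue_csrf_token(session)
    forged = secrets.token_urlsafe(24)  # an attacker's page cannot read the victim's token
    return {
        "get_page_without_token": is_request_authorized(session, "GET", {}),
        "post_with_session_token": is_request_authorized(session, "POST", {"p_auth": token}),
        "post_without_token": is_request_authorized(session, "POST", {}),
        "post_with_forged_token": is_request_authorized(session, "POST", {"p_auth": forged}),
    }
```

The guarantee rests on GET handlers never changing state. A GET that mutates data is the real CSRF exposure, whatever the token handling does; that, not a page rendering without p_auth, is what to test for.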
After enabling LDAP authentication, administrator users who do not exist in LDAP can log in
Issue: We have enabled LDAP authentication, marked it as required, and unchecked "Ignore User Search Filter for Authentication". With this configuration, administrator users can log in even if they do not exist in LDAP. Environment: DXP 7.4. Resolution: This is the expected...
Setting sameSite attribute in Cookie for header response on JBoss EAP 7.2
Issue: How do we add the SameSite attribute with the value 'Strict' to the JSESSIONID, COOKIE_SUPPORT and GUEST_LANGUAGE_ID cookies on JBoss EAP 7.2? Environment: Liferay DXP 7.4, JBoss EAP 7.2. Resolution: In JBoss, navigate to jboss/standalone/configuration/standalone.xml. Edit standalone.xml and...
Requests to Liferay with an invalid HOST request HTTP header return the default site
Note: Liferay has renamed its Liferay Experience Cloud offerings to Liferay SaaS (formerly LXC) and Liferay PaaS (formerly LXC-SM). Issue: Requests to Liferay whose HOST HTTP request header does not match a configured Site URL return the default site...
Access-Control-Allow-Origin CORS header not honoring System Settings configuration
Issue: When configuring CORS headers in System Settings, we see that the Access-Control-Allow-Origin header does not always carry the configured value. Environment: Liferay DXP 7.4. Resolution: According to the specification, if the request is a valid CORS request and carries an "Origin" header,...
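The behaviour the question describes follows from the header's definition: Access-Control-Allow-Origin carries exactly one origin (or "*"), so a server configured with a list of allowed origins has to answer with the requesting Origin when it is on the list, and with no allow-header at all when it is not or when the request has no Origin header. The following added example (not Liferay's CORS servlet filter) implements that decision for a constructed allow-list and sets it beside the substring-match anti-pattern that turns a CORS configuration into origin reflection.

```python
from urllib.parse import urlsplit

# Constructed allow-list; in a real deployment this is the configured set of origins.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com:8443"})


def is_allowed_origin(origin, allowed=ALLOWED_ORIGINS):
    """Exact match on the serialized origin (scheme://host[:port]).
    Anything looser (substring, suffix, unanchored regex) is how reflection bugs are born."""
    parts = urlsplit(origin)
    if parts.scheme not in ("https", "http") or not parts.netloc or parts.path or parts.query:
        return False  # includes the literal "null" origin and anything with a path
    return f"{parts.scheme}://{parts.netloc}" in allowed


def weak_is_allowed_origin(origin):
    """The anti-pattern, kept beside the correct check for contrast: a substring test
    accepts https://example.com.attacker.net and hands that site credentialed access."""
    return "example.com" in origin


def cors_response_headers(request_headers, allow_credentials=True):
    """Headers to add to the response for this request.
    No Origin header means it is not a CORS request and nothing is emitted. With an
    Origin header the allow-header is the requesting origin when it is on the list,
    and absent otherwise; so its value legitimately differs from request to request."""
    origin = request_headers.get("Origin")
    if origin is None:
        return {}
    headers = {"Vary": "Origin"}  # responses differ by Origin, so caches must key on it
    if is_allowed_origin(origin):
        headers["Access-Control-Allow-Origin"] = origin
        if allow_credentials:
            headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```

Vary: Origin is set whenever an Origin header is present so that a shared cache never serves one origin's allow-header to another. Access-Control-Allow-Credentials must never be combined with a wildcard or with a reflected, unvalidated origin; that combination is the exposure to look for when auditing a CORS configuration.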
Security Managers, Vul ID: V-222936 STIG
Issue: STIG Vul ID V-222936 is flagged when the Java Security Manager is not enabled. It states that "The Java Security Manager must be enabled." Environment: DXP 7.1. Resolution: Liferay DXP does not currently support enabling a security manager, and there are currently no alternative... Note that the Java Security Manager itself was deprecated for removal in Java 17 (JEP 411).
Vulnerability issues related to the EJS version in Fragments Toolkit
Issue: Vulnerability issues (an EJS template injection vulnerability) were reported for the EJS version recorded in the yarn.lock file when building fragments with the Fragments Toolkit. The EJS version is below 3.1.9 in many places in this yarn.lock file. Environment: Liferay DXP 7.4...
Duplicate user errors when setting up a SAML Authentication to replace an existing Token-Based SSO
Issue: When trying to set up SAML authentication to replace an existing token-based SSO, errors appear stating that the user and/or email address is already in use: "A user with company 1xxxx and email address test@liferay.com is already in use". Updating the email address...
Can I integrate an additional Captcha Engine?
Issue: Currently, Liferay offers two CAPTCHA engines out of the box: Simple Captcha and Google reCAPTCHA 2. We would like to use another CAPTCHA service. Environment: Liferay DXP 7.4. Resolution: At the moment it is not possible to integrate another CAPTCHA engine out of the box. There is...
Malware detected in Liferay Bundle - eicar.jpg
Issue: We were notified of a possible malware infection. The location is the extracted source of a Liferay DXP bundle; the file in question is eicar.jpg. Environment: Liferay DXP 7.4. Resolution: EICAR files are used to verify antivirus integration, i.e. to check that the AV correctly picks...
Is Liferay vulnerable to CVE-2023-4863?
Issue: How can I mitigate CVE-2023-4863 in Liferay DXP? Environment: All environments. Resolution: Liferay does not use the libwebp library, so it is not vulnerable to CVE-2023-4863. Additional Information: CVE-2023-4863, content:...
Is Liferay vulnerable to CVE-2023-33946?
Issue: I would like to know whether Liferay is vulnerable to CVE-2023-33946. Environment: Liferay DXP 7.4 U1-U48. Resolution: Yes, Liferay is vulnerable to this CVE; the fix is to update to Liferay 7.4 U49 (or higher), or to obtain a hotfix for the corresponding LSV-1154. Additional Information:...

Results: 161 - 200 of 627