Search Results

All Results 435
ソート
Resource Type
Applicable Versions
Deployment Approach
Capability
Feature
Security Managers, Vul ID: V-222936 STIG 
legacy
Issue Vul ID: V-222936 STIG is flagged when Java Security Managers are not enabled. It states that "The Java Security Manager must be enabled." Environment  DXP 7.1 Resolution Liferay DXP does not currently support...
Vulnerability issues related to the EJS version in Fragments Toolkit
legacy Troubleshooting
Issue Vulnerability issues (ejs template injection vulnerability) were reported related to the EJS version inside the yarn.lock file while building fragments using the fragments toolkit. The EJS version is...
Duplicate user errors when setting up a SAML Authentication to replace an existing Token-Based SSO
legacy Troubleshooting
Issue When trying to set up a SAML authentication to replace existing Token-Based SSO, there are errors that populate stating that the user and/or email address is already in use.  A user with company 1xxxx and email...
Can I integrate an additional Captcha Engine?
legacy
Issue Currently, Liferay offers 2 Captcha Engines out of the box: Simple Captcha and Google reCaptcha 2 We would like to use another Captcha service.   Environment Liferay DXP 7.4   Resolution At the moment it is not...
Malware detected in Liferay Bundle - eicar.jpg
legacy
Issue We were notified of a possible malware infection. The location is my extracted source code of a Liferay DXP bundle. The file in question is eicar.jpg Environment Liferay DXP 7.4 Resolution EICAR files can...
The Liferay is vulnerable to the CVE-2023-4863?
legacy
Issue How can I mitigate vulnerability with CVE-2023-4863 regarding Liferay DXP? Environment All environments. Resolution Liferay does not use the libwebp library, so are not vulnerable to CVE-2023-4863. ...
Is Liferay vulnerable to CVE-2023-33946
legacy Troubleshooting
Issue I would like to know if Liferay is vulnerable to CVE-2023-33946? Environment Liferay DXP 7.4 U1-U48 Resolution Yes, the Liferay is vulnerable to this CVE, the resolution is update to Liferay 7.4 U49 (or...
Does Apache Log4j Vulnerability CVE-2021-44832 affect Liferay ?
legacy Troubleshooting
Issue The Liferay uses the log4j-core Library which was reported to have a vulnerability. Environment Liferay DXP 7.1 Liferay DXP 7.2 until fix-pack 16 Liferay DXP 7.3 until SP3 Resolution Yes, the Liferay is...
LDAP Related Queries
legacy
Issue If the password is changed in the Active Directory, the user will still be able to log in to DXP? If we delete the user from Active Directory, the user will still be able to log in to DXP? How to import/ export...
Will a curl vulnerability impact Liferay DXP?
legacy
Issue There have been security announcements that are deemed to be a high-risk vulnerability that is caused by curl 8.4.0.   Environment DXP 7.3 Resolution Liferay DXP does not use the libcurl library. In conclusion,...
Email Address Validation for Forgot Password
Issue The Forgot Password option does not validate if the user enters a correct email address. You can enter anything and the field will accept it. Two types of validation are expected: Email format validation (to...
How to allow unauthenticated (guest user) requests for GraphQL
Troubleshooting
Issue I implemented ReactJS Widget that relies on GraphQL requests for custom object values, with a widget exposing object entries to the public. However, unauthenticated GrapQL requests are disabled by default and...
XSS Vulnerability present when using Web Content Article's source code
Troubleshooting
Issue We've observed a XSS Vulnerability present when using Web Content Article's source code.  This vulnerability appears to be present when involving the deployment of a payload via the source code.  Steps to...
SAML - Can you end the Identity Provider's session when the Service Provider's session times out?
legacy Troubleshooting
Issue We have Liferay configured as a SAML Service Provider (SP), and we use third-party software as the Identity Provider (IdP) Our IdP is used for multiple applications, so its session timeout is set for a...
Is integration of mTLS possible in Liferay?
legacy How To
Issue We are required to use mTLS (Mutual Transport Layer Security) for certain requests Is it possible to integrate mTLS with Liferay? Environment DXP 7.4 Quarterly Releases Resolution Yes, it is possible to...
Vulnerabilities for spring-web and spring-core
legacy
Issue Vulnerabilities remain unresolved in spring-web and spring-core, even after a fix was applied to spring-context. For spring-web: Vulnerable component: org.springframework:spring-web:5.3.39 For spring-core:...
Is Session Prediction Possible in Liferay
legacy
Issue Is it possible an attacker could predict the JSESSIONID and gain unauthorized access, referencing an example from a 'Session Prediction' article? Explanation of Issue Using the "Catalog" Page in Postman: If a...
Enabling both Liferay's default login and SAML login so that users can use either option
legacy How To
Issue I would like to configure and enable SAML login while also having Liferay's default login available to users so that they can have two options for logging in. Environment DXP 7.4+ Quarterly Release Resolution...
Resolving 401 Errors When Using Authorization Bearer Tokens in RestBuilder APIs
legacy Troubleshooting
Issue When making calls to a REST API service created with RestBuilder that includes the Authorization Bearer token header, the responses often return a 401 Unauthorized status. However, when the same service is...
CORS request is failing
legacy Troubleshooting
Issue If the user allows any origin (Access-Control-Allow-Origin: *) to access the resource, the CORS request fails. Steps to reproduce: 1. Start Liferay DXP 7.4 U90 2. Navigate to Control Panel > Instance...
I want to skip OpenID Connect provider selector at sign in if there is only one provider
legacy Troubleshooting
Issue We want to bypass the client selection screen because there is only one OpenID Client to choose.   Environment Quarterly Releases   Resolution There is a Feature Request opened for this which is currently under...
Is Liferay Vulnerable to CVE-2023-45960?
legacy
Issue I would like to know if Liferay is vulnerable to CVE-2023-45960?  Is Liferay affected by CVE-2023-45960? Environment Quarterly Release 2024.Q1.7 Resolution The NIST listing for CVE-2023-45960 has been withdrawn and...
User profile is visible when accessing the /web/test
legacy Troubleshooting
Issue When accessing localhost:8080/web/test, the user profile is visible to guest users. The concern is that the user data being accessible to guest users poses a security threat. Environment Liferay DXP 7.4...
Password syntax checking error does not appear when configuring with Minimum Lowercase 1 when creating a new account
Troubleshooting
Issue I have an issue with checking the password syntax. When they configure the password syntax with Minimum Lowercase 1, Minimum Symbols 1, and Minimum Uppercase 1, try to create an account for a guest user, type a...
Login URL Parameters Reported as Security Threat
legacy Troubleshooting
Issue Vulnerability Assessment and Penetration Testing (VAPT) reports the parameters passed in the login request as a security threat. How can these parameters be removed or mitigated? Environment Liferay DXP 7.4+...
Can Liferay pass User Roles to the Service Provider?
legacy
Issue In a SAML configuration where Liferay acts as the Identity Provider, is Liferay able to pass its User Roles to the Service Provider?   Environment Liferay 7.4   Resolution Yes, it is possible. Liferay will send...
Is there a release date for implementing the Content Security Policy (CSP) at Liferay?
legacy
Issue If CSP is in beta mode, how is Liferay protecting its system from vulnerability? Is there a timescale for when the CSP will be fully deployed in the portal? Once the CSP has been successfully implemented,...
Getting BadPaddingException errors in the logs after an upgrade
legacy Troubleshooting
Issue After upgrading Liferay DXP, javax.crypto.BadPaddingException errors appear in the logs when using 'Auto Login' feature ('Remember me'). Example error message: ERROR [AutoLoginFilter:247] Current URL /home...
"http://localhost:8080/o/oauth2/authorize" URL redirect to the Login Page
legacy Troubleshooting
Note: please note that Liferay has renamed its Liferay Experience Could offerings to Liferay SaaS (formerly LXC) and Liferay PaaS (formerly LXC-SM). Issue When accessing the OAuth2 authorization URL...
Unexpected SAML calls: com.liferay.saml.internal.servlet.filter.SpSessionTerminationSamlPortalFilter.doProcessFilter
legacy Troubleshooting
Issue When navigating through the portal with SAML disabled, there are a few SAML-related filters that are still being processed, leading to database calls and causing slower performance. at...
Is it possible to offer both SAML and OIDC as SSO options?
legacy How To
Issue Both SAML and OpenID Connect(OIDC) can be configured on the same Liferay instance. However, the option to authenticate using OIDC is missing whenever SAML is enabled. Is it possible for a user to select either SSO...
Vulnerabilities reported in classes generated by Liferay Service Builder
legacy Troubleshooting
Issue While performing security scans, there are vulnerabilities found in custom classes that are generated by Liferay Service Builder. Environment Liferay DXP 7.4 Resolution Sometimes, these warnings are...
How to change the generated OTP from alphanumeric to numeric in multi-factor authentication?
legacy How To
NOTE: The following resolution requires customization and should only be implemented at the discretion of your team. Liferay Support will not be able to assist with designing or implementing customizations. Issue...
Vulnerability CVE-2024-52046 in Liferay DXP
legacy How To
Issue Is Liferay vulnerable to the vulnerability described in CVE-2024-52046? Environment Liferay DXP 7.3 and above Resolution Liferay uses the affected Apache Mina library (`mina-core`) only in LDAP-related code. If...
SAML Logout Issues: Multiple Login Entries and Optimistic Locking Exceptions
legacy Troubleshooting
Issue When a user logs out after authenticating via SAML, multiple login entries might be recorded in the audit logs. This can lead to HibernateOptimisticLockingException errors, particularly during...
SAML Authentication Error: "This message decoder only supports the HTTP POST method
legacy Troubleshooting
Issue The following SAML errors appear in the Liferay logs: ERROR [http-nio-8080-exec-5][BaseSamlStrutsAction:53] org.opensaml.messaging.decoder.MessageDecodingException: This message decoder only supports the...
In SAML setup user is not getting login in the SP and receiving warning on the UI
legacy Troubleshooting
Issue After setting up the SAML process, the user tries to log in receiving the warning below and not being logged in. Environment Liferay 2023.Q4.0 Resolution If users are setting up an identity provider as...
LIFERAY.HEADLESS.DELIVERY scope missing or delayed in OAuth 2 applications
legacy Troubleshooting
Issue The LIFERAY.HEADLESS.DELIVERY scope is missing or delayed in appearing when creating or managing OAuth 2 applications. The issue can occur intermittently, with the scope sometimes appearing after a delay of...
Audit Events filtered by date/time are not being exported accurately
legacy Troubleshooting
Issue When using using the Audit Export Feature, filters for date and time are not applied accurately in the resulting CSV file. The exported file may not include entries explicitly requested by the filter. For...
User did not provide a valid CSRF token Error
Troubleshooting
Issue Portlet Action requests intermittently returning a 403 error code. In the logs the following error message regarding invalid CSRF token gets printed whenever the 403 error is thrown. "User [user_id] did not provide...
Tomcat's vulnerability CVE-2023-44487
legacy
Issue Is DXP 7.4 affected by Tomcat's Rapid Reset CVE-2023-44487? Environment Liferay DXP 7.4 Resolution If user is not using Tomcat with DXP, then it is not affected by “Tomcat's Rapid Reset CVE-2023-44487”. If...
Is Liferay vulnerable to CVE-2024-38819: SpringFramework (spring-core-5.3.39)?
legacy
Issue CVE-2024-38819: Path traversal vulnerability in functional web frameworks (2nd report) is related to the usage of WebMvc.jar. Is Liferay vulnerable to this vulnerability? Environment Liferay DXP 7.3...
Enabling real-time antivirus scanning without asynchronous background scans
legacy How To
Issue We would like to enable real-time antivirus scanning for uploaded files but disable asynchronous background scanning of the document library. The issue arises because: Enabling...
High CPU and memory use with stacktraces associated to password encryption
legacy Troubleshooting
Issue The environment starts using a large amount of CPU and also memory. Reviewing thread dumps taking during that time, there are many threads associated to PBKDF2PasswordEncryptor.encrypt, such as:...
Embedding videos using basic web content
legacy Troubleshooting
Issue When we try to embed a video using <iframe> tags, during the creation the video displays, however after publishing the content and editing it again, the video is not displayed anymore and the source is updated...
Unable to get OpenID Connect's link to work after upgrading to a Quarterly Release
legacy Troubleshooting
Issue After upgrading to Quarterly Release 2023.Q3.4 from DXP 7.3, we've found that OpenID Connect is no longer working. The button is no longer populating within the UI even after enabling it using this article:...
Unable to extend user session on Weblogic
legacy Troubleshooting
Issue When I call Liferay.Session.extend(); from Liferay 7.4 running on Weblogic, the user session terminates. Environment DXP 7.4 Weblogic Resolution This behavior is resolved by LPS-190923. Please open a help...
AuditEvent not saved after migrating from Portal 6.2 to DXP 7.4
legacy Troubleshooting
Issue After migrating to DXP 7.4. If we use the portal normally, there aren't new entries in Audit_AuditEvents table. Environment Liferay DXP 7.4 Resolution Go to System Settings -> Audit -> Persistent...
How to extract the okta authorization token for each user?
legacy Troubleshooting
Issue Once users log in to Liferay, the user should get redirected to Okta. After successful authentication, Okta is supposed to return an authorization token for that specific user.  Concern: After successful Okta...
Is One Time Password's expiration configurable?
legacy
Issue When does One Time Password expire? Can you set the validity timeframe of the OTP? Environment DXP 7.2+ Resolution OTP is HTTP session based, if the session expires, OTP expires as well. And it can only be used...
I would like to control email notifications to Liferay strangers.
legacy How To
Issue How are strangers defined by Liferay? How can I control email notifications to strangers upon signup? Environment DXP 7.3+ Resolution The SAML property defining unknown users as strangers was introduced in DXP 7.3....
How to get rid of SSLHandshakeException?
legacy Troubleshooting
Issue When trying to access the site URL, the console displays the following exception, and the site is inaccessible. javax.net.ssl.SSLHandshakeException: Received fatal alert: handshakefailure...
Users who are not registered with Liferay application are able to log in
legacy Troubleshooting
Issue Users who are not registered with the Liferay application are able to log in even though they have no connections. Environment Liferay DXP 7.0 to 7.4 Resolution Users log into Liferay DXP by using...
Lodash Security Vulnerability
legacy Troubleshooting
Issue In Liferay, a vulnerable version of Lodash 4.17.14 is being used. Environment Liferay DXP 7.0 Resolution The observed behavior is a known issue LPE-17236 and has already been fixed in the latest fix...
SSO at site level
legacy
Issue Is there any OOTB option to configure SAML for two sites on the same instance? Whether creating a new instance for a site would help to configure SAML? Environment Liferay DXP 7.2 Liferay DXP 7.3...
Enabling information about server errors in the JSON response
legacy Troubleshooting
Issue There is no error messages from api json services. How to manage the serialization and access to  Json services In Liferay Portal 6.2 or DXP7.0 the server response is serialized and shows information related...
Need to hide Liferay Auth token as it is visible in Page source
legacy
Issue When using the burp suite tool to intercept traffic, the Liferay Auth token is visible in the Page Source, which could make the environment vulnerable in the user's view. Environment Liferay DXP 7.0+ Resolution...
When logging in with an OpenID Provider, the portal shows "Internal Server Error"
legacy Troubleshooting
Issue When configuring an OpenID Provider and trying to log in with an user, the callback to the portal shows an error message similar to the one below: Internal Server Error An error occurred while...
Is Liferay creating cookies site base?
legacy
Issue Is Liferay creating a cookies site base? If so, where exactly on the Liferay server would all the cookies be physically kept?  Environment Liferay DXP 7.1 Liferay DXP 7.2 Liferay DXP 7.3 Liferay DXP 7.4...
Authentication flow in Liferay when LDAP is enabled
legacy
Issue Liferay is configured to use LDAP When Liferay Authentication will happen? When LDAP Authentication will happen? Environment Liferay DXP 7.0 -7.4 Resolution LDAP authentication always happens before...