Is Liferay vulnerable to CVE-2024-7254?
How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!
While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.
Legacy Article
You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee. Before using any information from this article, independently verify its suitability for your situation and project.
Issue
- I would like to know if Liferay is vulnerable to CVE-2024-7254.
- Is Liferay affected by CVE-2024-7254?
- This article outlines whether and how the CVE-2024-7254 vulnerability affects Liferay DXP.
Environment
- Liferay DXP Quarterly Release
- 2024.q3.1
Resolution
- CVE-2024-7254 is a denial-of-service issue in protobuf-java: parsing untrusted data that contains deeply nested unknown groups recurses without bound and ends in a StackOverflowError. Mitigation requires upgrading protobuf-java to 3.25.5 or higher on the 3.x line (on the 4.x line the fix landed in 4.27.5 and 4.28.2, so 4.27.0 through 4.27.4 and 4.28.0 through 4.28.1 are still affected).
- To upgrade every protobuf-java usage in Liferay DXP, both fixes, LPD-37739 and LPD-39249, are necessary. Upgrade to 2024.Q3.6 or higher, or open a Support ticket to request a hotfix.
- The bundled elasticsearch-sidecar, version 7.17.24 and lower, may carry a vulnerable protobuf-java as well. Because the sidecar is not meant for production use, either remove it from the bundle or upgrade it manually.
- To remove the sidecar from a Liferay bundle (with Liferay stopped):
  - Delete Liferay caches:
    - Delete the [Liferay_Home]/osgi/state folder.
    - Empty the [Liferay_Home]/tomcat/temp folder.
    - Empty the [Liferay_Home]/tomcat/work folder.
  - Delete [Liferay_Home]/elasticsearch-sidecar/; and,
  - Delete the indices (in [Liferay_Home]/data/elasticsearch7).
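The following script is an added example, not Liferay tooling or code from this article. It does two things a practitioner would want after reading the resolution above: it checks a Liferay home for on-disk protobuf-java jars below the 3.25.5 fix level, and it carries out the sidecar removal steps listed above in order. Assumptions: the jars are present as files named protobuf-java-<version>.jar (copies packed inside .lpkg or .war archives are not inspected, so a clean scan is not proof that the fix is in place), the folder names are exactly those given in the article, and Liferay is stopped before the script runs.

```shell
#!/bin/sh
# Added example (not Liferay's own tooling): audit a Liferay bundle for
# protobuf-java below the CVE-2024-7254 fix level and remove the bundled
# Elasticsearch sidecar following the steps in the article.
# Run with Liferay stopped. Usage: sh liferay-cve-2024-7254.sh /path/to/liferay_home

PROTOBUF_MIN=3.25.5   # first fixed release on the protobuf-java 3.x line

# version_ge A B: succeeds when dotted version A is >= B (e.g. 3.25.5 >= 3.25.4).
# Non-numeric suffixes such as "-rc1" are ignored; missing components count as 0.
version_ge() {
    v1=$1 v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=${v1%%.*}; b=${v2%%.*}
        a=${a%%[!0-9]*}; b=${b%%[!0-9]*}
        a=${a:-0}; b=${b:-0}
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
    done
    return 0
}

# find_old_protobuf HOME: prints every protobuf-java-<version>.jar under HOME
# that is older than PROTOBUF_MIN and returns 1 if any were found, 0 otherwise.
# Assumption: the jars sit on disk under that file name; copies packed inside
# .lpkg/.war archives are not inspected by this scan.
find_old_protobuf() {
    old=$(find "$1" -name 'protobuf-java-[0-9]*.jar' 2>/dev/null | while IFS= read -r jar; do
        ver=${jar##*/protobuf-java-}
        ver=${ver%.jar}
        version_ge "$ver" "$PROTOBUF_MIN" || printf '%s\n' "$jar"
    done)
    [ -z "$old" ] && return 0
    printf '%s\n' "$old"
    return 1
}

# remove_sidecar HOME: the article's removal steps, in order.
remove_sidecar() {
    home=$1
    [ -d "$home" ] || { echo "not a directory: $home" >&2; return 1; }
    # 1. Delete Liferay caches: drop the OSGi state folder, empty Tomcat's temp and work
    #    (folder names as given in the article; the folders themselves are kept).
    rm -rf "$home/osgi/state"
    for d in "$home/tomcat/temp" "$home/tomcat/work"; do
        if [ -d "$d" ]; then
            find "$d" -mindepth 1 -delete
        fi
    done
    # 2. Delete the sidecar itself.
    rm -rf "$home/elasticsearch-sidecar"
    # 3. Delete the sidecar's indices.
    rm -rf "$home/data/elasticsearch7"
}

if [ $# -ge 1 ]; then
    if find_old_protobuf "$1"; then
        echo "no protobuf-java below $PROTOBUF_MIN found on disk under $1"
    else
        echo "protobuf-java below $PROTOBUF_MIN present: upgrade to 2024.Q3.6+ or request the LPD-37739/LPD-39249 hotfix" >&2
    fi
    remove_sidecar "$1"
fi
```

The version comparison is done component by component rather than with `sort -V`, so the script runs on a plain POSIX sh. Because the 4.x protobuf-java line has its own fixed releases, a jar such as protobuf-java-4.27.3.jar passes the 3.25.5 check here even though it is affected; extend `version_ge` with the 4.27.5/4.28.2 boundaries if your bundle carries a 4.x jar.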