Details
Bug
Status: Closed
Critical
Resolution: Fixed
6.2 EE GA1 (6.2.10), 7.0 DE (7.0.10), 7.1 DXP (7.1.10)
Scheduled
65
3
Description
https://help.liferay.com/hc/en-us/articles/360028821571
Liferay DXP 7.0, Liferay DXP 7.1, Liferay Portal 6.2 EE and Liferay Portal 6.1 EE are vulnerable to remote code execution via Web Content/DDM templates.
Solution Notes
- DXP: The default list of "Restricted Classes" in the FreeMarker Engine and Velocity Engine configurations in System Settings has been extended with java.lang.Compiler|java.lang.Package|java.lang.Process|java.lang.Runtime|java.lang.RuntimePermission|java.lang.SecurityManager|java.lang.System|java.lang.ThreadGroup|java.lang.ThreadLocal. Deployments using a customized list should be reviewed to apply the changes.
- 6.2: The following portal properties have been updated as shown below. Deployments using a customized list should be reviewed to apply the changes.
freemarker.engine.restricted.classes=\
    java.lang.Class,\
    java.lang.ClassLoader,\
    java.lang.Compiler,\
    java.lang.Package,\
    java.lang.Process,\
    java.lang.Runtime,\
    java.lang.RuntimePermission,\
    java.lang.SecurityManager,\
    java.lang.System,\
    java.lang.Thread,\
    java.lang.ThreadGroup,\
    java.lang.ThreadLocal
velocity.engine.restricted.classes=\
    java.lang.Class,\
    java.lang.ClassLoader,\
    java.lang.Compiler,\
    java.lang.Package,\
    java.lang.Process,\
    java.lang.Runtime,\
    java.lang.RuntimePermission,\
    java.lang.SecurityManager,\
    java.lang.System,\
    java.lang.Thread,\
    java.lang.ThreadGroup,\
    java.lang.ThreadLocal
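The 6.2 solution notes ask administrators with a customized list to review it. The following audit script (an added example, not Liferay's own code) parses a portal-ext.properties excerpt, honouring the backslash line continuations used above, and reports which of the hardened classes are still missing from each engine's list; the file content, the class set and the key names are taken from this page, while the sample excerpt is constructed.

```python
# Hardened list taken from the Solution Notes above (same for both engines).
REQUIRED = {
    "java.lang.Class", "java.lang.ClassLoader", "java.lang.Compiler",
    "java.lang.Package", "java.lang.Process", "java.lang.Runtime",
    "java.lang.RuntimePermission", "java.lang.SecurityManager",
    "java.lang.System", "java.lang.Thread", "java.lang.ThreadGroup",
    "java.lang.ThreadLocal",
}
KEYS = ("freemarker.engine.restricted.classes", "velocity.engine.restricted.classes")

def parse_properties(text):
    """Minimal .properties parser: joins backslash-continued lines, skips comments."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def missing_restricted_classes(text):
    """Return {key: sorted required classes absent from the configured list}.
    A key that is not set maps to None: the engine default applies, so the
    installed patch level, not this file, decides whether it is hardened."""
    props = parse_properties(text)
    result = {}
    for key in KEYS:
        if key not in props:
            result[key] = None
            continue
        configured = {c.strip() for c in props[key].split(",") if c.strip()}
        result[key] = sorted(REQUIRED - configured)
    return result

# Constructed sample: a customized pre-fix list that kept only three entries.
SAMPLE = """\
freemarker.engine.restricted.classes=\\
    java.lang.Class,\\
    java.lang.ClassLoader,\\
    java.lang.Thread
"""

if __name__ == "__main__":
    for key, gaps in missing_restricted_classes(SAMPLE).items():
        print(key, "-> not set (engine default applies)" if gaps is None else gaps)
```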