-
Type:
Bug
-
Status: Closed
-
Priority:
Minor
-
Resolution: Fixed
-
Affects Version/s: 7.0 DE (7.0.10), 7.1 DXP (7.1.10)
-
Component/s: Core Infrastructure, Security Vulnerability
-
Business Value:3
-
CVSS Base Score:3.7
-
CVSS Vector String:CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
-
7.0 Fix Pack Version:83
-
7.1 Fix Pack Version:12
Description
The open redirect protection component in Liferay DXP 7.1 and DXP 7.0 is vulnerable to denial of service (DoS) attacks via requests to domains whose DNS server is unresponsive.
Workaround
DXP is only vulnerable when 'redirect.url.security.mode' is set to 'ip' (default). The workaround for this vulnerability is to set the property 'redirect.url.security.mode' to 'domain' and configure the property 'redirect.url.domains.allowed'.
Solution Notes
The following properties have been added:
portal.properties
##
## DNS
##
#
# Configure the seconds to wait for resolving an external domain. This limit
# helps prevent DoS attacks when trying to resolve an external domain. By
# default, the Oracle Java implementation has a 15 second timeout for DNS
# queries, so you must enter a number of less than 15.
#
# Env: LIFERAY_DNS_PERIOD_SECURITY_PERIOD_ADDRESS_PERIOD_TIMEOUT_PERIOD_SECONDS
#
dns.security.address.timeout.seconds=2
#
# Configure the maximum number of threads when resolving an external domain.
# This limit helps prevent DoS attacks.
#
# Env: LIFERAY_DNS_PERIOD_SECURITY_PERIOD_THREAD_PERIOD_LIMIT
#
dns.security.thread.limit=10