[LRDOCS-8107] The config files provided in the LSV-658 Help Center Article do not work for 7.0 - Liferay Issues

XML

Word

Printable

Details

Type: Task
Status: Open
Priority: Minor
Resolution: Unresolved
Fix Version/s: 7.0.x
Component/s: Product Team App Security
Labels:
None

Type of Documentation:
User

Description

The freemarker and velocity template config files that are provided in the LSV-658 article (https://help.liferay.com/hc/en-us/articles/360044036131-LSV-658-Remote-code-execution-RCE-with-FreeMarker-Velocity-templates-CVE-2020-13445-#Solution-and-Mitigation-Information) do not apply to Liferay 7.0 environments.

When using the provided config files the Liferay logs throw the following errors:

2020-07-10 09:03:45.327 ERROR [Start Level: Equinox Container: 0031eb28-b6c2-001a-1e99-9c2cbc23c347][org_apache_felix_fileinstall:97] Failed to install artifact: /opt/liferay/liferay-dxp-digital-enterprise-7.0-sp6/osgi/configs/com.liferay.portal.template.freemarker.configuration.FreeMarkerEngineConfiguration.config
 java.io.IOException: Unexpected token 34; expected: 61 (line=1, pos=3)

2020-07-10 09:03:45.330 ERROR [Start Level: Equinox Container: 0031eb28-b6c2-001a-1e99-9c2cbc23c347][org_apache_felix_fileinstall:97] Failed to install artifact: /opt/liferay/liferay-dxp-digital-enterprise-7.0-sp6/osgi/configs/com.liferay.portal.template.velocity.configuration.VelocityEngineConfiguration.config
 java.io.IOException: Unexpected token 34; expected: 61 (line=5, pos=3)

I have confirmed these findings with our Technical Support Team and they had the following information to share (https://issues.liferay.com/browse/LPP-38257):

The configuration values work for version 7.1 and later. This is most likely due to a difference in version of Apache Felix. This difference in how configurations are formatted can also be seen when exporting the configurations from System Settings.

When using the following format for the configuration files, the errors are resolved:

resourceModificationCheck="60000"
allowedClasses=[""]
localizedLookup="false"
restrictedVariables=["httpUtilUnsafe","objectUtil","serviceLocator","staticFieldGetter","staticUtil","utilLocator"]
macroLibrary=["FTL_liferay.ftl\ as\ liferay"]
restrictedMethods=["com.liferay.portal.model.impl.CompanyImpl#getKey"]
restrictedClasses=["com.liferay.portal.spring.context.*","io.undertow.*","java.lang.Class","java.lang.ClassLoader","java.lang.Compiler","java.lang.Package","java.lang.Process","java.lang.Runtime","java.lang.RuntimePermission","java.lang.SecurityManager","java.lang.System","java.lang.Thread","java.lang.ThreadGroup","java.lang.ThreadLocal","org.apache.*","org.glassfish.*","org.jboss.*","org.springframework.*","org.wildfly.*","weblogic.*"]
templateExceptionHandler="rethrow"

restrictedMethods=["com.liferay.portal.model.impl.CompanyImpl#getKey"]
restrictedClasses=["java.lang.Class","java.lang.ClassLoader","java.lang.Compiler","java.lang.Package","java.lang.Process","java.lang.Runtime","java.lang.RuntimePermission","java.lang.SecurityManager","java.lang.System","java.lang.Thread","java.lang.ThreadGroup","java.lang.ThreadLocal"]
restrictedVariables=["httpUtilUnsafe","serviceLocator","staticFieldGetter","utilLocator"]
directiveIfToStringNullCheck="false"
resourceModificationCheckInterval="60000"
restrictedPackages=["com.liferay.portal.spring.context","com.ibm","io.undertow","java.lang.reflect","org.apache","org.glassfish","org.jboss","org.springframework","org.wildfly","weblogic"]
velocimacroLibrary=["VM_global_library.vm","VM_liferay.vm"]
loggerCategory="org.apache.velocity"
logger="org.apache.velocity.runtime.log.SimpleLog4JLogSystem"

Attachments

Activity

People

Assignee:: Rich Sezov

Reporter:: Ryan Snuggs

Participants of an Issue:: Rich Sezov, Ryan Snuggs

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 16/Jul/20 12:34 PM

Updated:: 16/Jul/20 12:34 PM

Packages

Version	Package
7.0.x