Forum

Struts security issue

Gustavo Sánchez, modified 6 years ago.

Struts security issue

New Member Posts: 2 Join Date: 02/10/12 Recent Posts
Hi, does anybody know if this Struts issue affects Liferay in some way?
https://cwiki.apache.org/confluence/display/WW/S2-052

Thanks
Olaf Kock, modified 6 years ago.

RE: Struts security issue

Liferay Legend Posts: 6403 Join Date: 23/09/08 Recent Posts
Gustavo Sánchez:
Hi, does anybody know if this Struts issue affects Liferay in some way?
https://cwiki.apache.org/confluence/display/WW/S2-052


According to Liferay support: Not affected. Liferay is using an old version of Struts in an extremely limited fashion.

Custom plugins might be affected if they use one of the vulnerable versions of Struts 2.
David H Nebinger, modified 6 years ago.

RE: Struts security issue

Liferay Legend Posts: 14916 Join Date: 02/09/06 Recent Posts
Gustavo Sánchez:
Hi, does anybody know if this Struts issue affects Liferay in some way?
https://cwiki.apache.org/confluence/display/WW/S2-052


Liferay is not susceptible to any of these reported Struts issues.

Liferay internally uses Struts 1 for routing, but the previously reported Struts 1 vulnerabilities were in areas not used in Liferay's Struts implementation (i.e. the inclusion of raw form values in constructing ActionMessage responses) because Liferay is not using any of those Struts 1 features. It is only for internal dispatching; none of the other Struts 1 features are used by Liferay.

Liferay does not use Struts 2 at all. So no Struts 2 vulnerabilities, period.

Now all of that said, if you as a developer have created Struts 1 portlets or Struts 2 portlets, you could be vulnerable, but the vulnerabilities would have been introduced by your developers and are totally your responsibility to identify and resolve.

Come meet me at Devcon 2017 or 2017 LSNA!