Unrelated Apps, Libraries and Plugins
Often when there's a major security problem on the Internet we, as surely most vendors do, get inundated with requests asking whether LiquidFiles (in our case) is vulnerable or not. Most often these issues relate to functions that are not and have never been used by LiquidFiles, such as anything that uses Java or PHP.
The following is a list of some security issues that are not related to LiquidFiles that we've been frequently asked about:
- LiquidFiles has never used the Pivotal Spring Framework and is therefore not vulnerable to CVE-2010-1622, CVE-2018-1273, CVE-2022-22963, CVE-2022-22965 and other similar Spring-related vulnerabilities.
- LiquidFiles has never used Log4J and is therefore not vulnerable to CVE-2021-44228.
- LiquidFiles does not use OpenSSL v3.x and is therefore not vulnerable to CVE-2022-3786 or CVE-2022-3602.
As a general reminder, it's always a good idea to keep LiquidFiles up to date, as this will improve your security in general. The default configuration, and our recommendation, is to enable automatic updates of LiquidFiles. This is configurable in Admin → System → Updates, where you can also update LiquidFiles to the latest release.
The recommendation to enable automatic updates applies especially if you find your installed LiquidFiles version more than a few releases behind the current one. Surely the potential benefit of not enabling automatic updates is negated by the fact that you're consistently not running the latest stable version with the most up-to-date security fixes installed.