Major Liferay vulnerability allowing remote code execution

Affected versions:

Liferay Portal 6.1, 6.2, 7.0, 7.1 and 7.2 allow unauthenticated remote code execution via the JSON web services API (CVE-2020-7961).

Fixed Liferay Portal versions are 6.2 GA6, 7.0 GA7, 7.1 GA4 and 7.2 GA2.

How to exploit Liferay CVE-2020-7961 : quick journey to PoC | Synacktiv

code white | Blog: Liferay Portal JSON Web Service RCE Vulnerabilities (codewhitesec.blogspot.com)

Workaround:

  1. Put Liferay behind an Apache or nginx reverse proxy.
  2. Restrict access to the API at the proxy, with Apache mod_jk or mod_proxy:
    mod_jk config:
    JkMount /servlet/* ajp13
    JkMount /*.jsp ajp13
    JkMount /* ajp13
    # Requests that carry the no-jk variable are not forwarded to Tomcat,
    # so /api and /api/jsonws never reach Liferay.
    SetEnvIf Request_URI "/api/*" no-jk
    SetEnvIf Request_URI "/api/jsonws/*" no-jk

    mod_proxy config:
    # The "!" exclusion is a separate argument, and exclusions must come
    # before the general ProxyPass rule or they are never evaluated.
    ProxyPass /api/jsonws !
    ProxyPass /api !
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
  3. An extra step is to block requests whose User-Agent identifies the python-requests library, which most of the observed exploitation attempts use (the header is trivially changed, so this only filters unsophisticated scanners):
    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^domain-name.com [NC]
    RewriteRule ^(.*)$ http://www.domain-name.com$1 [L,R,NC]
    # Stacked RewriteCond lines are ANDed by default; [OR] is needed so that
    # either User-Agent value triggers the block.
    RewriteCond %{HTTP_USER_AGENT} python-requests/2.23.0 [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} python-requests/2.25.0 [NC]
    RewriteRule .* - [F,L]
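To confirm that the proxy rules above actually took effect, here is an added example (not part of the original article) that reads Apache combined-format access logs from the proxy, picks out requests to the fenced-off /api paths, and reports which of them the proxy let through instead of answering 403; the log lines are constructed.

```python
import re

# Apache "combined" log format, as written by the reverse proxy in front of Liferay.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: two hits on the JSON web services API from a python-requests
# client, one of which the proxy let through (200), plus ordinary browser traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2020:12:00:01 +0000] "POST /api/jsonws/invoke HTTP/1.1" 403 199 "-" "python-requests/2.23.0"
203.0.113.10 - - [10/Mar/2020:12:00:02 +0000] "POST /api/jsonws/invoke HTTP/1.1" 200 1523 "-" "python-requests/2.23.0"
198.51.100.7 - - [10/Mar/2020:12:00:03 +0000] "GET /web/guest/home HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2020:12:00:04 +0000] "GET /api/jsonws?foo=bar HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

def is_api_path(path):
    """True for /api and anything below it (the paths the ProxyPass '!' / no-jk rules fence off)."""
    path = path.split("?", 1)[0]            # ignore the query string
    return path == "/api" or path.startswith("/api/")

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def audit(log_text):
    """Split API requests into those the proxy refused (403) and those that reached Liferay."""
    blocked, reached = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_api_path(rec["path"]):
            continue
        (blocked if rec["status"] == "403" else reached).append(rec)
    return blocked, reached

def python_agent_hits(records):
    """Count records whose User-Agent is the python-requests library the RewriteCond rules target."""
    return sum(1 for r in records if r["ua"].lower().startswith("python-requests/"))

if __name__ == "__main__":
    blocked, reached = audit(SAMPLE_LOG)
    print(f"{len(blocked)} API requests blocked, {len(reached)} reached Liferay")
    for r in reached:
        print(f"  NOT BLOCKED: {r['ip']} {r['method']} {r['path']} ua={r['ua']!r}")
```

Any line in the "NOT BLOCKED" output means the exclusion is missing or ordered after the general ProxyPass rule on that proxy.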