Several critical JSON deserialization vulnerabilities have recently been identified affecting Liferay Portal versions 6.1, 6.2, 7.0, 7.1, and 7.2. These flaws allow remote code execution by unauthenticated users via the JSON web services API.
Liferay Portal, written in Java, is regarded as one of the leading open source enterprise portals.
These defects have been patched in the following versions of Liferay Portal:
These vulnerabilities include:
The JSONDeserializer class from the Flexjson library makes it possible to instantiate arbitrary classes and invoke arbitrary setter methods on them. Liferay Portal 6.1 and 6.2 use Flexjson to serialize and deserialize data. Flexjson supports object binding: for every class that has a parameterless constructor, it creates an instance and populates it by calling the object's setter methods.
Liferay Portal's own JSONWebServiceActionParametersMap class likewise makes it possible to instantiate arbitrary classes and invoke arbitrary setter methods. In Liferay Portal 7, the Jodd Json library replaced Flexjson. Jodd does not allow the JSON data itself to name the class it is deserialized into; only the root object type can be specified, and it must be supplied explicitly as a java.lang.Class instance.
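To make the difference between the two binding styles concrete, here is an added toy model (not Liferay, Flexjson or Jodd code; the class names, setters and inputs are constructed for illustration). The permissive binder lets the JSON document choose the class and drives its setters, which is the pattern described above; the restricted binder requires the caller to pass an allow-listed root type explicitly and refuses class hints in the input.

```python
import json

# Added example, not Liferay/Flexjson/Jodd code. Models the two binding
# styles described above with plain Python classes.

class Address:                      # a legitimate data bean with one setter
    def __init__(self):
        self.city = None
    def set_city(self, city):
        self.city = city

class RuntimeSettings:              # constructed: not a bean, its setter has side effects
    debug_enabled = False
    def set_debug(self, flag):
        RuntimeSettings.debug_enabled = bool(flag)

def bind_unrestricted(json_text):
    """Vulnerable pattern: the document names the class and its keys pick the setters."""
    doc = json.loads(json_text)
    cls = globals()[doc["class"]]            # any class in scope, not only beans
    obj = cls()                              # only a no-arg constructor is required
    for key, value in doc.items():
        setter = getattr(obj, "set_" + key, None)
        if key != "class" and callable(setter):
            setter(value)                    # argument comes straight from the input
    return obj

ALLOWED_ROOTS = {Address}                    # explicit allow-list of bindable root types

def bind_restricted(json_text, root_type):
    """Hardened pattern: root type is passed by the caller and allow-listed;
    a 'class' hint inside the document is rejected rather than honoured."""
    if root_type not in ALLOWED_ROOTS:
        raise TypeError(f"{root_type.__name__} is not a permitted root type")
    doc = json.loads(json_text)
    if "class" in doc:
        raise ValueError("class hints in JSON input are not accepted")
    obj = root_type()
    for key, value in doc.items():
        setter = getattr(obj, "set_" + key, None)
        if callable(setter):
            setter(value)
    return obj

# Constructed inputs for the two code paths (not real payloads).
BENIGN = '{"class": "Address", "city": "Berlin"}'
HOSTILE = '{"class": "RuntimeSettings", "debug": true}'
```

Run `bind_unrestricted(HOSTILE)` and the class-level `debug_enabled` flag flips, although the caller only intended to bind an Address; `bind_restricted(HOSTILE, Address)` rejects the same document.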
An exploit script that targets this vulnerability to break into Liferay portals has been published and is available from the link below.