Several critical JSON deserialization vulnerabilities have recently been identified affecting Liferay Portal versions 6.1, 6.2, 7.0, 7.1, and 7.2. These flaws allow remote code execution by unauthenticated users via the JSON web services API.
Liferay Portal is widely regarded as one of the leading open source enterprise portals and is written in Java.
These defects have been patched in the following versions of Liferay Portal:
- 6.2 GA6
- 7.0 GA7
- 7.1 GA4
- 7.2 GA2
These vulnerabilities include:
- Unauthenticated remote code execution via JSONWS (CVE-2020-7961)

In Liferay Portal 6.1 and 6.2, the Flexjson library is used to serialize and deserialize data. Its JSONDeserializer class supports object binding: for any class with a parameterless constructor it instantiates the class and populates it by calling the setter methods named by the JSON keys. Because the class name is taken from the input, this allows the creation of arbitrary classes and the invocation of arbitrary setter methods.

In Liferay Portal 7, the Jodd Json library replaced Flexjson. Jodd does not let the JSON data specify a class to deserialize into; only the root object type can be set, and it must be supplied explicitly as a java.lang.Class instance. However, Liferay's JSONWebServiceActionParametersMap class also makes it possible to create arbitrary classes and call arbitrary setter methods, so the JSON web services API remains exposed.
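The following Python model is an added illustration of the two binding paths described above; it is not Liferay, Flexjson or Jodd code. The first path mimics Flexjson-style binding, where the JSON document itself names the class and the binder calls one setter per key. The second path mimics the JSONWS parameter map, where the root type is fixed by the server but a parameter written as "+name:ClassName" is assumed here to name the class to instantiate for that parameter. Each vulnerable function is paired with a hardened one that either drops the caller's type hint or checks it against an allowlist. All class names, setters, the CLASSPATH registry and the allowlist are constructed for this example.

```python
"""Model of setter-based JSON binding with caller-controlled class names.

Added example, not code from Liferay, Flexjson or Jodd. Every class name,
setter and allowlist entry below is made up for the illustration.
"""
import json


class UserProfile:
    """A harmless bean the service actually expects."""

    def __init__(self):
        self.display_name = ""

    def setDisplayName(self, value):
        self.display_name = value


class RemoteFetcher:
    """Stands in for any classpath type whose setter has a side effect."""

    calls = []  # records side effects so a test can observe them

    def __init__(self):
        self.url = None

    def setUrl(self, value):
        # A real gadget would act on the URL here; this model only records it.
        RemoteFetcher.calls.append(value)
        self.url = value


# Stand-in for "every class on the classpath with a no-arg constructor".
CLASSPATH = {
    "app.model.UserProfile": UserProfile,
    "app.util.RemoteFetcher": RemoteFetcher,
}

# Types a service method is legitimately allowed to receive (hypothetical).
ALLOWED_PARAMETER_TYPES = {"app.model.UserProfile"}


def _setter_name(key):
    """displayName -> setDisplayName, following JavaBean naming."""
    return "set" + key[:1].upper() + key[1:]


def _bind_setters(obj, fields):
    """Call obj.setX(value) for every field; unknown keys are rejected."""
    for key, value in fields.items():
        setter = getattr(obj, _setter_name(key), None)
        if setter is None:
            raise ValueError(f"no setter for {key!r} on {type(obj).__name__}")
        setter(value)
    return obj


def bind_flexjson_style(doc):
    """Vulnerable: the document's own 'class' field picks the type to build."""
    fields = json.loads(doc)
    cls = CLASSPATH[fields.pop("class")]
    return _bind_setters(cls(), fields)


def bind_safe(fields, expected_type):
    """Hardened: the server fixes the type; any type hint in the data is dropped."""
    fields = dict(fields)
    fields.pop("class", None)
    return _bind_setters(expected_type(), fields)


def resolve_parameter_type(param_name, default_type):
    """Vulnerable: a '+name:ClassName' parameter lets the caller choose the type."""
    if param_name.startswith("+") and ":" in param_name:
        class_name = param_name.split(":", 1)[1]
        return CLASSPATH[class_name]
    return default_type


def resolve_parameter_type_safe(param_name, default_type):
    """Hardened: caller-supplied type names must be on the allowlist."""
    if param_name.startswith("+") and ":" in param_name:
        class_name = param_name.split(":", 1)[1]
        if class_name not in ALLOWED_PARAMETER_TYPES:
            raise PermissionError(f"parameter type {class_name} is not permitted")
        return CLASSPATH[class_name]
    return default_type


if __name__ == "__main__":
    legit = '{"class": "app.model.UserProfile", "displayName": "alice"}'
    hostile = '{"class": "app.util.RemoteFetcher", "url": "http://example.invalid/"}'
    print(bind_flexjson_style(legit).display_name)
    bind_flexjson_style(hostile)
    print("side effect recorded:", RemoteFetcher.calls)
    print(bind_safe(json.loads(hostile), UserProfile).display_name == "")
    try:
        resolve_parameter_type_safe("+profile:app.util.RemoteFetcher", UserProfile)
    except PermissionError as err:
        print("blocked:", err)
```

The point of the model is that the binder itself is not buggy; the defect is letting untrusted input decide which class gets instantiated and which setters run. Fixing the server-side expected type and allowlisting any permitted type names removes that choice from the caller, which is the general shape of the mitigation for this class of bug.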
Exploit
A proof-of-concept exploit script for this vulnerability has been published and is available at the link below.
https://github.com/mzer0one/CVE-2020-7961-POC
Source: cert.ir