{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2020-022.pdf"
    },
    "title": "Liferay Portal - Exploited Remote Code Execution Vulnerabilities",
    "serial_number": "2020-022",
    "publish_date": "17-04-2020 08:16:00",
    "description": "On March 20, 2020, Code White released two proofs of concept for vulnerabilities in Liferay Portal. These vulnerabilities were patched by Liferay. However, CERT-EU is aware of these vulnerabilities actually being exploited by malicious threat actors to gain illicit access to unpatched exposed servers.<br>The second vulnerability is being massively scanned for exploitation, and CERT-EU is aware of ongoing campaigns exploiting it, as several proofs of concept are available online. It is strongly recommended to check the version of Liferay Portal in use and to look for traces of intrusion on potentially impacted servers.",
    "url_title": "2020-022",
    "content_markdown": "---\ntitle: 'Liferay Portal -- Exploited Remote Code Execution Vulnerabilities'\nversion: '1.0'\nnumber: '2020-022'\ndate: 'April 17, 2020'\n---\n\n_History:_\n\n* _17/04/2020 --- v1.0 -- Initial publication_\n\n\n# Summary\n\nOn March 20, 2020, **Code White** released two proofs of concept for vulnerabilities in Liferay Portal [1]. These vulnerabilities were patched by Liferay [2]. However, CERT-EU is aware of these vulnerabilities actually being exploited by malicious threat actors to gain illicit access to unpatched exposed servers.\n\nThe second vulnerability is being massively scanned for exploitation [5], and CERT-EU is aware of ongoing campaigns exploiting it, as several proofs of concept are available online [6]. It is strongly recommended to check the version of Liferay Portal in use and to look for traces of intrusion on potentially impacted servers.\n\n# Technical Details\n\nThe vulnerabilities concern JSON deserialization, allowing remote code execution on the target. The first vulnerability (CST-7111) [3] was reported in December 2018 and is due to a flaw in the `Flexjson` library. The second vulnerability (CST-7205/CVE-2020-7961) [4] was reported in June 2019 and is due to a flaw in the library that replaced `Flexjson` (`Jodd Json`). In this case, one of the calls lets the caller define the variable type, making it possible for a dangerous method to be called, ultimately leading to remote code execution.\n\nDeserialization vulnerabilities are due to structured data being rebuilt into an object in a faulty manner, allowing an attacker to inject malicious code on the target when the object is rebuilt.\n\nThe first vulnerability is located in the `Flexjson` library used for serializing and deserializing. The insecure feature allows specifying the class to deserialize within the JSON data itself.\n\nThe second vulnerability is due to two insecure features:\n\n * In the `Jodd Json` library, one call allows user-set types (`parameterType`) in `JSONWebServiceActionParameters`.\n * The `JSONWebServiceActionParameters` object is passed to a web service call of Liferay Portal where the type name is used. By using a specially crafted JSON object, any type can be specified and so any method can be invoked.\n\n# Products Affected\n\n* Liferay Portal versions 6.1\n* Liferay Portal versions 6.2\n* Liferay Portal versions 7.0\n* Liferay Portal versions 7.1\n* Liferay Portal versions 7.2\n\n# Recommendations\n\nCheck the patch level of servers using Liferay Portal. The following versions contain the patches:\n\n* Liferay Portal versions 6.2 GA6\n* Liferay Portal versions 7.0 GA7\n* Liferay Portal versions 7.1 GA4\n* Liferay Portal versions 7.2 GA2\n\nIn case the server was vulnerable at some point in time (especially after March 20, 2020), it is also recommended to check for the following events:\n\n* Unusual access to the JSON web service API (`/api/jsonws`).\n* In application logs, check for execution of `getRuntime().exec()`.\n* If endpoint logs are available, check for unusual processes being spawned by Java binaries.\n\n# References\n\n[1] <https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html>\n\n[2] <https://liferay.dev/blogs/-/blogs/security-patches-for-liferay-portal-6-2-7-0-and-7-1>\n\n[3] <https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/113765197>\n\n[4] <https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271>\n\n[5] <https://twitter.com/bad_packets/status/1244866189408362498>\n\n[6] <https://github.com/mzer0one/CVE-2020-7961-POC>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>17/04/2020 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On March 20, 2020, <strong>Code White</strong> released two proofs of concept for vulnerabilities in Liferay Portal [1]. These vulnerabilities were patched by Liferay [2]. However, CERT-EU is aware of these vulnerabilities actually being exploited by malicious threat actors to gain illicit access to unpatched exposed servers.</p><p>The second vulnerability is being massively scanned for exploitation [5], and CERT-EU is aware of ongoing campaigns exploiting it, as several proofs of concept are available online [6]. It is strongly recommended to check the version of Liferay Portal in use and to look for traces of intrusion on potentially impacted servers.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerabilities concern JSON deserialization, allowing remote code execution on the target. The first vulnerability (CST-7111) [3] was reported in December 2018 and is due to a flaw in the <code>Flexjson</code> library. The second vulnerability (CST-7205/CVE-2020-7961) [4] was reported in June 2019 and is due to a flaw in the library that replaced <code>Flexjson</code> (<code>Jodd Json</code>). In this case, one of the calls lets the caller define the variable type, making it possible for a dangerous method to be called, ultimately leading to remote code execution.</p><p>Deserialization vulnerabilities are due to structured data being rebuilt into an object in a faulty manner, allowing an attacker to inject malicious code on the target when the object is rebuilt.</p><p>The first vulnerability is located in the <code>Flexjson</code> library used for serializing and deserializing. The insecure feature allows specifying the class to deserialize within the JSON data itself.</p><p>The second vulnerability is due to two insecure features:</p><ul><li>In the <code>Jodd Json</code> library, one call allows user-set types (<code>parameterType</code>) in <code>JSONWebServiceActionParameters</code>.</li><li>The <code>JSONWebServiceActionParameters</code> object is passed to a web service call of Liferay Portal where the type name is used. By using a specially crafted JSON object, any type can be specified and so any method can be invoked.</li></ul><h2 id=\"products-affected\">Products Affected</h2><ul><li>Liferay Portal versions 6.1</li><li>Liferay Portal versions 6.2</li><li>Liferay Portal versions 7.0</li><li>Liferay Portal versions 7.1</li><li>Liferay Portal versions 7.2</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>Check the patch level of servers using Liferay Portal. The following versions contain the patches:</p><ul><li>Liferay Portal versions 6.2 GA6</li><li>Liferay Portal versions 7.0 GA7</li><li>Liferay Portal versions 7.1 GA4</li><li>Liferay Portal versions 7.2 GA2</li></ul><p>In case the server was vulnerable at some point in time (especially after March 20, 2020), it is also recommended to check for the following events:</p><ul><li>Unusual access to the JSON web service API (<code>/api/jsonws</code>).</li><li>In application logs, check for execution of <code>getRuntime().exec()</code>.</li><li>If endpoint logs are available, check for unusual processes being spawned by Java binaries.</li></ul><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html\">https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://liferay.dev/blogs/-/blogs/security-patches-for-liferay-portal-6-2-7-0-and-7-1\">https://liferay.dev/blogs/-/blogs/security-patches-for-liferay-portal-6-2-7-0-and-7-1</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/113765197\">https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/113765197</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271\">https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271</a></p><p>[5] <a rel=\"noopener\" target=\"_blank\" href=\"https://twitter.com/bad_packets/status/1244866189408362498\">https://twitter.com/bad_packets/status/1244866189408362498</a></p><p>[6] <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/mzer0one/CVE-2020-7961-POC\">https://github.com/mzer0one/CVE-2020-7961-POC</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}