Security Vulnerability /api/jsonws - Liferay Versions
Hello Liferay Friends,
Currently we are investigating the possibility of using Liferay CE as a portal solution.
Sadly, one of our security managers came across this exploit of the Liferay /jsonws API that enables attackers to even get a remote shell on the server.
https://www.synacktiv.com/posts/pentest/how-to-exploit-liferay-cve-2020-7961-quick-journey-to-poc.html
Can you provide further information on whether this security problem does not exist in 7.1.3 GA4 or 7.2.1 GA2, because these two versions seem to fit our requirements?
Greetings,
Fredi
Please read:
https://liferay.dev/blogs/-/blogs/security-patches-for-liferay-portal-6-2-7-0-and-7-1
7.2.1 GA2 is not affected, a patch exists for 7.1 GA4.
Personal opinion: For a new project I would go for 7.3. There were lots of nice fixes and improvements.