RE: Liferay 7.1.2 GA2 - targeted by malware
Hello, the server where the portal is running is getting targeted by a cryptocurrency malware (should I share the name?).
Can someone help me? What can I do to prevent this, where can I look?
Can upgrading to a more recent version like GA4 solve the problem, or should I go with something newer like 7.2 or 7.3?
Please help
Hello Davide,
If you can, you should upgrade to the latest Liferay version. If not, consider updating to the latest GA of 7.1 (which is 7.1.3 GA4) and apply the latest security patches.
The Liferay versions which are affected by the current exploit are mentioned in this blog post: https://liferay.dev/blogs/-/blogs/security-patches-for-liferay-portal-6-2-7-0-and-7-1
Also consider my own blog post on how to create binary patches for the source code patches mentioned in the blog post above: https://liferay.dev/blogs/-/blogs/creating-liferay-security-binary-patches
Thanks for the reply, I'm trying right now to upgrade to 7.1.3 GA4.
"apply the latest security patches"
How is it done?
Dominik Marks has already posted a link to his post "Creating Liferay Security Binary Patches".
Another way to protect your system is to block access to /api/jsonws completely. Please note that this could affect some functionality, e.g. it isn't possible to select categories for content anymore afterwards. But if you don't need that and you already have a reverse proxy in front of Liferay, it is pretty easy to do that.
So updating to GA4 doesn't solve it?
I need to create binary patches too?
Unfortunately I need to use jsonws.
Yes. You need to create the binary patches too (or download them from the blog post; Dominik Marks has provided links in the comments).
Thank you, last question (I hope):
If I use the binary in the comments, what I need to do is just replace the tomcat and osgi folder?
Davide del Vecchio:
Thank you, last question (I hope):
If I use the binary in the comments, what I need to do is just replace the tomcat and osgi folder?
Yes, you just have to unzip the provided patches into your installation, overwriting every file found. The server should be stopped before. Afterwards it is recommended to clear some directories, so that no cached files or cached settings cause problems. That means, clear the following directories (if present):
- bundles\osgi\state
- bundles\tomcat-9.0.17\temp
- bundles\tomcat-9.0.17\work
- bundles\work
What if I set CORS (for specific IPs that I need) instead of shutting down all the API?
I think you are using the wrong term here. At least for me CORS means "Cross-Origin Resource Sharing". CORS has nothing to do with this.
But allowing only certain IPs to access /api/jsonws should work, since attackers would have to attack from those IPs. Of course, it would still be best to really patch the issue.
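An added example (not from the thread or from Liferay): a log audit for the IP-allowlist approach in the reply above, listing requests to /api/jsonws that came from addresses outside the allowlist. The allowed networks, the Common Log Format layout and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: networks allowed to reach /api/jsonws (documentation ranges).
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/28", "198.51.100.7/32")]
PROTECTED = "/api/jsonws"

# Assumption: Common Log Format, with the real client address in the first field.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# Constructed sample lines; the paths below /api/jsonws are made up.
SAMPLE_LOG = [
    '192.0.2.5 - - [01/Apr/2020:10:00:01 +0000] "POST /api/jsonws/foo/get-bar HTTP/1.1" 200 512',
    '203.0.113.44 - - [01/Apr/2020:10:00:02 +0000] "POST /api/jsonws/foo/get-bar HTTP/1.1" 200 87',
    '203.0.113.44 - - [01/Apr/2020:10:00:03 +0000] "GET /web/guest/home HTTP/1.1" 200 9001',
    '203.0.113.80 - - [01/Apr/2020:10:00:04 +0000] "GET /API/jsonws;x=1?debug HTTP/1.1" 403 0',
    '198.51.100.7 - - [01/Apr/2020:10:00:05 +0000] "GET /api/jsonws HTTP/1.1" 200 2048',
]

def is_allowed(ip_text):
    """True if the client address is inside one of the allowed networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable client field: treat as not allowed
    return any(ip in net for net in ALLOWED_NETWORKS)

def hits_protected_path(path):
    """Match /api/jsonws and everything below it after basic normalisation."""
    path = path.split("?", 1)[0]                # drop the query string
    path = re.sub(r";[^/]*", "", path)          # drop ;name=value path parameters
    path = re.sub(r"/{2,}", "/", path).lower()  # collapse slashes; over-report on case
    return path == PROTECTED or path.startswith(PROTECTED + "/")

def audit(lines):
    """Return (ip, method, path, status) for protected requests from outside the allowlist."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and hits_protected_path(m["path"]) and not is_allowed(m["ip"]):
            findings.append((m["ip"], m["method"], m["path"], int(m["status"])))
    return findings

if __name__ == "__main__":
    for ip, method, path, status in audit(SAMPLE_LOG):
        print(f"{ip} {method} {path} -> {status}")
```

A finding with status 200 means the request reached Liferay, so the restriction is not being enforced for that address. Run it against the reverse proxy's access log so the first field is the real client address rather than the proxy's.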