Vulnerability in Liferay 6.2 CE GA2Vulnerability in Liferay 6.2 CE GA2https://liferay.dev/c/message_boards/find_thread?p_l_id=119785294&threadId=1188343892026-04-03T19:41:29Z2026-04-03T19:41:29ZRE: Vulnerability in Liferay 6.2 CE GA2Fernando Fernandezhttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1190640262020-04-29T07:48:28Z2020-04-29T07:48:28ZDominik Marks has an excellent blog article on this: <a href="https://liferay.dev/blogs/-/blogs/creating-liferay-security-binary-patches">https://liferay.dev/blogs/-/blogs/creating-liferay-security-binary-patches</a>Fernando Fernandez2020-04-29T07:48:28ZRE: Vulnerability in Liferay 6.2 CE GA2Alberto Chaparrohttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1188927662020-04-09T16:49:35Z2020-04-09T16:49:35ZHi Saurabh,You can access the JSON services by the following URL:<br /><a href="http://localhost:8080/api/jsonws">http://localhost:8080/api/jsonws</a><br /><br />We can't provide the steps to reproduce due to security reasons, contact Support if you have the EE version.<br />I hope this helps.Alberto Chaparro2020-04-09T16:49:35ZRE: Vulnerability in Liferay 6.2 CE GA2Saurabh Khandelwalhttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1188556262020-04-03T12:13:51Z2020-04-03T12:13:51ZI have add the Patch related to the JSON WebService for "vulnerability CVE-2020-7961" issue in Liferay 6.2 GA2.<br /> How can I test whether issue is resolved? Is there any JSON webservice API request by which i can test. Saurabh Khandelwal2020-04-03T12:13:51ZRE: Vulnerability in Liferay 6.2 CE GA2Christoph Rabelhttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1188402082020-04-01T08:54:58Z2020-04-01T08:54:58ZI am not sure, which classes are affected.<br />AFAIK the issue can be exploited only through the /api/jsonws/ services. So, what we did, when the issue was revealed, we blocked access to that path on the reverse proxy till we could apply a patch. Please note that this can have some side effects, since some services simple are not available anymore. e.g. categorization/tagging of content wasn't possible anymore afterwards.<br />Then we allowed specific IPs to access that url to allow the editors to do their work.<br />I guess, you could be able to do something similar. If these external IPs do not need any of the affected services (most don't need /api/jsonws), you could simple block access to them from the outside.Christoph Rabel2020-04-01T08:54:58ZRE: Vulnerability in Liferay 6.2 CE GA2Saurabh Khandelwalhttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1188357362020-03-31T15:04:00Z2020-03-31T15:04:00ZOur Liferay version is Liferay 6.2 GA2 and the patch is available for GA6. So We are planning to check if any of the classes in the below packages (which are used for Webservices) are present in the patch.<br />- portal-impl/src/com/liferay/portal/json/<br />- portal-impl/src/com/liferay/portal/jsonwebservice<br />If a class is present we will have to modify that class as per the changes in the patch.<br />Also in our case the Webservices are accessible only from our select Servers as mentioned below so this could be another level of safety.Saurabh Khandelwal2020-03-31T15:04:00ZRE: Vulnerability in Liferay 6.2 CE GA2Saurabh Khandelwalhttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1188347612020-03-31T13:06:44Z2020-03-31T13:06:44ZThanks <strong>Olaf Kock</strong> for quick reply.<br />But one thing is, we have restricted our Webservices to specific IPs , So is there any chances of unwanted (outsider IPs) attack through JSON Webservices as mentioned in "vulnerability CVE-2020-7961"<br />And Upgrading to GA6 would be a big task for us!Saurabh Khandelwal2020-03-31T13:06:44ZRE: Vulnerability in Liferay 6.2 CE GA2Olaf Kockhttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1188316022020-03-31T12:44:26Z2020-03-31T12:44:26Z<div class="quote-title">Saurabh Khandelwal:</div><blockquote><br /># So my Questions are: 1. Should I apply patch for My Liferay 6.2 CE GA2 instance? If Yes then how to apply patch? as the patch is only available for 6.2 GA6.<br />2. And If applied the patch then how to test it?<br /></blockquote>The patch is for GA6, so you can't apply it to GA2. You should upgrade to GA6, then apply the patch. There are more issues (potentially security issues as well(?)) fixed in GA versions, and you should always be on the latest GA. Up until 7.2 typically no new features were introduced in newer GAs, just issues fixed. And often, the release of a new major version also means the end of updates for earlier major versions (with notable exceptions like this patch).<br />An alternative is to look at the patched components, and what changed between GA2 and GA6 to validate if you're in a situation where the patch indeed hits classes that were unchanged between GA2 and 6. But that's never been tested, it's comparable with looking at the changed code, then backporting the change to your version.Olaf Kock2020-03-31T12:44:26ZVulnerability in Liferay 6.2 CE GA2Saurabh Khandelwalhttps://liferay.dev/c/message_boards/find_message?p_l_id=119785294&messageId=1188343882020-03-31T12:39:05Z2020-03-31T12:39:05ZHello All,<br />I'm using Liferay 6.2 CE GA2.I got the notification regarding a vulnerability CVE-2020-7961 could be affected to Liferay System .<br />- Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).<br />With Reference URL:<ul style="list-style: disc outside;"><li><a href="https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271">CONFIRM:https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271</a></li><li><a href="https://portal.liferay.dev/learn/security/known-vulnerabilities">MISC:https://portal.liferay.dev/learn/security/known-vulnerabilities</a></li></ul># So my Questions are: <br />1. Should I apply patch for My Liferay 6.2 CE GA2 instance? If Yes then how to apply patch? as the patch is only available for 6.2 GA6.<br />[<a href="https://github.com/community-security-team/liferay-portal/compare/6.2.5-ga6...6.2.5-cumulative.patch">https://github.com/community-security-team/liferay-portal/compare/6.2.5-ga6...6.2.5-cumulative.patch</a>]<br />2. And If applied the patch then how to test it?Saurabh Khandelwal2020-03-31T12:39:05Z