Vulnerability in Liferay 6.2 CE GA2
Saurabh Khandelwal, modified 4 Years ago.
Vulnerability in Liferay 6.2 CE GA2
New Member Posts: 14 Join Date: 1/18/19 Recent Posts
Hello All,
I'm using Liferay 6.2 CE GA2. I got the notification that the vulnerability CVE-2020-7961 could affect the Liferay system.
- Deserialization of Untrusted Data in Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).
With reference URLs:
- CONFIRM:https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271
- MISC:https://portal.liferay.dev/learn/security/known-vulnerabilities
1. Should I apply the patch to my Liferay 6.2 CE GA2 instance? If yes, then how do I apply the patch, as the patch is only available for 6.2 GA6?
https://github.com/community-security-team/liferay-portal/compare/6.2.5-ga6...6.2.5-cumulative.patch
2. And if I applied the patch, then how do I test it?
Olaf Kock, modified 4 Years ago.
RE: Vulnerability in Liferay 6.2 CE GA2
Liferay Legend Posts: 6403 Join Date: 9/23/08 Recent Posts
Saurabh Khandelwal:
So my questions are: 1. Should I apply the patch to my Liferay 6.2 CE GA2 instance? If yes, then how do I apply the patch, as the patch is only available for 6.2 GA6?
2. And if I applied the patch, then how do I test it?
The patch is for GA6, so you can't apply it to GA2. You should upgrade to GA6, then apply the patch. There are more issues (potentially security issues as well(?)) fixed in GA versions, and you should always be on the latest GA. Up until 7.2 typically no new features were introduced in newer GAs, just issues fixed. And often, the release of a new major version also means the end of updates for earlier major versions (with notable exceptions like this patch).
An alternative is to look at the patched components, and what changed between GA2 and GA6, to validate if you're in a situation where the patch indeed hits classes that were unchanged between GA2 and 6. But that's never been tested; it's comparable with looking at the changed code, then backporting the change to your version.
Saurabh Khandelwal, modified 4 Years ago.
RE: Vulnerability in Liferay 6.2 CE GA2
New Member Posts: 14 Join Date: 1/18/19 Recent Posts
Thanks Olaf Kock for quick reply.
But one thing is, we have restricted our web services to specific IPs, so is there any chance of unwanted attacks (from outsider IPs) through JSON web services as mentioned in "vulnerability CVE-2020-7961"?
And upgrading to GA6 would be a big task for us!
Saurabh Khandelwal, modified 4 Years ago.
RE: Vulnerability in Liferay 6.2 CE GA2
New Member Posts: 14 Join Date: 1/18/19 Recent Posts
Our Liferay version is Liferay 6.2 GA2 and the patch is available for GA6. So we are planning to check if any of the classes in the below packages (which are used for web services) are present in the patch.
- portal-impl/src/com/liferay/portal/json/
- portal-impl/src/com/liferay/portal/jsonwebservice
If a class is present, we will have to modify that class as per the changes in the patch.
Also, in our case the web services are accessible only from our select servers as mentioned below, so this could be another level of safety.
Christoph Rabel, modified 4 Years ago.
RE: Vulnerability in Liferay 6.2 CE GA2
Liferay Legend Posts: 1554 Join Date: 9/24/09 Recent Posts
I am not sure which classes are affected.
AFAIK the issue can be exploited only through the /api/jsonws/ services. So, what we did when the issue was revealed: we blocked access to that path on the reverse proxy till we could apply a patch. Please note that this can have some side effects, since some services simply are not available anymore. E.g. categorization/tagging of content wasn't possible anymore afterwards.
Then we allowed specific IPs to access that URL to allow the editors to do their work.
I guess you could do something similar. If these external IPs do not need any of the affected services (most don't need /api/jsonws), you could simply block access to them from the outside.
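The reverse-proxy mitigation Christoph describes, combined with the per-IP restriction Saurabh mentions, written out as an nginx configuration. This is an added example, not configuration from the thread or from Liferay; the upstream address, the hostname and the 203.0.113.0/24 editor network are assumptions, and it also covers the `/<plugin-context>/api/jsonws` paths that plugin portlets expose on 6.x, which the thread does not mention.

```nginx
# Added example: keep JSONWS reachable only from the editors' network while
# the portal is unpatched. Upstream, hostname and the allowed range are
# assumptions, not values from the thread.
upstream liferay_backend {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name portal.example.com;
    # ssl_certificate / ssl_certificate_key omitted for brevity

    # Matches /api/jsonws and, for 6.x plugin portlets, /<context>/api/jsonws.
    # Regex locations are checked after the "/" prefix location, so this
    # block takes precedence for those paths.
    location ~ ^(/[^/]+)?/api/jsonws {
        # allow/deny evaluate the TCP peer address. If a load balancer or
        # another proxy sits in front of nginx, configure the real_ip module
        # (set_real_ip_from / real_ip_header) first; otherwise every request
        # appears to come from that proxy and the allowlist either lets all
        # traffic through or blocks the editors too.
        allow 203.0.113.0/24;   # assumed editor network
        deny  all;              # everyone else gets 403

        proxy_pass http://liferay_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else passes through unchanged.
    location / {
        proxy_pass http://liferay_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Validate with `nginx -t`, then confirm that a request to `/api/jsonws` from an address outside the allowed range returns 403 while one from the editor network still reaches the portal.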
Saurabh Khandelwal, modified 4 Years ago.
RE: Vulnerability in Liferay 6.2 CE GA2
New Member Posts: 14 Join Date: 1/18/19 Recent Posts
I have added the patch related to the JSON web service for the "vulnerability CVE-2020-7961" issue in Liferay 6.2 GA2.
How can I test whether the issue is resolved? Is there any JSON web service API request by which I can test?
Alberto Chaparro Terleira, modified 4 Years ago.
RE: Vulnerability in Liferay 6.2 CE GA2
Liferay Master Posts: 549 Join Date: 4/25/11 Recent Posts
Hi Saurabh, you can access the JSON services by the following URL:
http://localhost:8080/api/jsonws
We can't provide the steps to reproduce for security reasons; contact Support if you have the EE version.
I hope this helps.
Fernando Fernandez, modified 3 Years ago.
RE: Vulnerability in Liferay 6.2 CE GA2
Expert Posts: 396 Join Date: 8/22/07 Recent Posts
Dominik Marks has an excellent blog article on this: https://liferay.dev/blogs/-/blogs/creating-liferay-security-binary-patches