High
Liferay CE 6.0.2 Java Deserialization
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
High
(1 user assessed)
Moderate
(1 user assessed)Unknown
Unknown
Unknown
Liferay CE 6.0.2 Java Deserialization
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
Liferay CE 6.0.2 remote code execution via unsafe deserialization
Add Assessment
Ratings
-
Attacker ValueHigh
-
ExploitabilityMedium
Technical Analysis
on 29th of january 2020 this github[1] repo came up, with some newsfeed, speakin about a RCE via deserialization on Liferay 6.0.2
i’m aware that liferay is widely used to build both internal and internet-facing webapp, and a possible preauth RCE would be awesome.
actually i don’t remember which post i read first, because github repo doesn’t speak about any version, but i’m sure i’ve read somewhere 6.0.2: also exploit-db speaks about 6.0.2, if my memory plays tricks on me, i’m not alone.
from the very low info we see at said github repo, we understand that the vulnerability is at /api/liferay which is NOT present in 6.0.2, nor on the filesystem neither on configuration as route.
testing a more recent version, i saw that 6.1 branch actually has /api/liferay but by default it’s limited to “localhost”.
it could be possible to open it to more IPs of course, but i don’t see it happen so frequently to have a 0.0.0.0 as trusted host.
i think this vulnerability doesn’t affect 6.0 branch, it could affect 6.1 branch but not on default configuration.
plus, it’s not yet clear if this is pre-auth or post-auth.
i’ll dig newer branches as soon as i can.
p.s.: exploitability is rated against a possible 6.1, and the fact that ysoserial makes java deserialization quite easy.
[1] https://github.com/chakadev/Liferay-CE-Portal-Java-Deserialization
20200329 edit:
lowering value, adding required auth
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportGeneral Information
References
Additional Info
Technical Analysis
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
looks like there is some update here:
https://sec.vnpt.vn/2019/09/liferay-deserialization-json-deserialization-part-4/
and also https://www.cvedetails.com/cve/CVE-2019-16891/
author states that every minor of 6 is vulnerable, so 6.0 6.1 and 6.2 and 7 is not, but to me CVE speaks different
still, i should find time to dig more!