Description
Liferay TunnelServlet is vulnerable to deserialization attacks and, due to incorrect configuration, is accessible to an attacker (by default, it is restricted to localhost only). Depending on the exact version of Liferay Portal, an attacker could exploit this vulnerability using specially crafted serialized data to execute arbitrary code on the system or to cause a denial of service.
Remediation
Restrict access to the vulnerable endpoints.
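One way to check the restriction on the Liferay side is to audit the portal properties for the TunnelServlet host allow-list. The script below is an added example, not part of the original advisory or of Liferay's code. It assumes the `tunnel.servlet.hosts.allowed` property with its default of `127.0.0.1,SERVER_IP`, and that a blank value admits any client IP; the sample inputs are constructed.

```python
import ipaddress

PROP = "tunnel.servlet.hosts.allowed"
# Assumed portal default; SERVER_IP is a token the portal replaces with
# the address of the host it runs on.
DEFAULT = "127.0.0.1,SERVER_IP"

# Constructed sample inputs (not taken from any real deployment).
SAMPLE_SAFE = "# portal-ext.properties\ntunnel.servlet.hosts.allowed=127.0.0.1,SERVER_IP\n"
SAMPLE_WEAK = "tunnel.servlet.hosts.allowed=127.0.0.1, 10.0.0.25, 0.0.0.0\n"
SAMPLE_OPEN = "tunnel.servlet.hosts.allowed=\n"


def parse_properties(text):
    """Minimal .properties parser: key=value lines, '#' or '!' comments,
    last occurrence of a key wins. Line continuations are not handled."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_tunnel_hosts(text):
    """Return findings for the TunnelServlet allow-list; empty list means
    only loopback and SERVER_IP are permitted."""
    value = parse_properties(text).get(PROP, DEFAULT)
    entries = [e.strip() for e in value.split(",") if e.strip()]
    if not entries:
        return ["allow-list is blank: any client IP may reach TunnelServlet"]
    findings = []
    for entry in entries:
        if entry == "SERVER_IP":
            continue
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            findings.append(f"unparseable entry: {entry!r}")
            continue
        if not addr.is_loopback:
            findings.append(f"non-loopback host allowed: {entry}")
    return findings
```

A clean result covers only the application-level allow-list; a reverse proxy or firewall rule in front of the portal needs its own review.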