Description
A remote code execution vulnerability exists in Liferay Portal 7.2.0 and is reachable through its JSON web services (JSONWS) API.
The JSONWebServiceActionParametersMap class, which maps incoming JSON request parameters onto the Java objects a service method expects, lets the caller name the class to instantiate and then invokes setter methods on the resulting object by reflection. Because neither the class nor the setters are restricted to what the target service actually declares, an attacker can instantiate arbitrary classes on the portal's classpath and call arbitrary setters on them, which is enough to execute code on the server.
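The following is an added illustration of that vulnerability class, not Liferay's code and not a reproduction of the JSONWS syntax: a request-to-bean parameter binder that lets the caller pick the class and then forwards every field to a setter by reflection, next to a hardened binder that only instantiates the type the service declares (or an allowlisted subtype of it). The class names, the "requested class name" hint, the DangerousGadget stand-in and the allowlist are all assumptions made for the example.

```java
import java.lang.reflect.Method;
import java.util.Map;
import java.util.Set;

/*
 * Illustrative parameter binder (NOT Liferay code). Demonstrates why letting the
 * request choose the class to instantiate, and then calling setters on it by
 * reflection, is equivalent to arbitrary code execution once a class with a
 * side-effecting setter exists on the classpath.
 */
public class ParameterBinder {

    /** The bean an endpoint legitimately expects as its parameter (assumed). */
    public static class AddressInput {
        private String city;
        public void setCity(String city) { this.city = city; }
        public String getCity() { return city; }
    }

    /** Stand-in for any classpath class whose setter has a dangerous side effect (assumed). */
    public static class DangerousGadget {
        public static String lastCommand;
        // In a real gadget this setter would do something like run a command or load a class.
        public void setCommand(String command) { lastCommand = command; }
    }

    /** Derives a JavaBean setter name from a JSON field name ("city" -> "setCity"). */
    private static String setterName(String field) {
        return "set" + Character.toUpperCase(field.charAt(0)) + field.substring(1);
    }

    /**
     * VULNERABLE: the request names the class, and every JSON field is forwarded
     * to a matching public setter. Nothing ties the class to what the service expects.
     */
    public static Object bindUnsafe(String requestedClassName, Map<String, String> fields) throws Exception {
        Object bean = Class.forName(requestedClassName).getDeclaredConstructor().newInstance();
        for (Map.Entry<String, String> e : fields.entrySet()) {
            Method setter = bean.getClass().getMethod(setterName(e.getKey()), String.class);
            setter.invoke(bean, e.getValue());
        }
        return bean;
    }

    /** Types a caller may legitimately ask for instead of the declared type (assumed allowlist). */
    private static final Set<Class<?>> ALLOWED_SUBTYPES = Set.of(AddressInput.class);

    /**
     * HARDENED: the class comes from the service's declared parameter type. A
     * caller-supplied type is honoured only if it is allowlisted AND assignable
     * to the declared type, so an unrelated gadget class can never be reached.
     */
    public static Object bindSafe(Class<?> declaredType, String requestedClassName,
                                  Map<String, String> fields) throws Exception {
        Class<?> target = declaredType;
        if (requestedClassName != null) {
            Class<?> requested = Class.forName(requestedClassName);
            if (!ALLOWED_SUBTYPES.contains(requested) || !declaredType.isAssignableFrom(requested)) {
                throw new IllegalArgumentException("class not permitted: " + requestedClassName);
            }
            target = requested;
        }
        Object bean = target.getDeclaredConstructor().newInstance();
        for (Map.Entry<String, String> e : fields.entrySet()) {
            // Only setters the declared type itself exposes are callable.
            Method setter = target.getMethod(setterName(e.getKey()), String.class);
            setter.invoke(bean, e.getValue());
        }
        return bean;
    }

    public static void main(String[] args) throws Exception {
        // Constructed attacker input: asks for the gadget class instead of AddressInput.
        String gadget = "ParameterBinder$DangerousGadget";
        Map<String, String> attackerFields = Map.of("command", "id");

        bindUnsafe(gadget, attackerFields);
        System.out.println("unsafe binder invoked gadget setter with: " + DangerousGadget.lastCommand);

        try {
            bindSafe(AddressInput.class, gadget, attackerFields);
        } catch (IllegalArgumentException ex) {
            System.out.println("safe binder rejected request: " + ex.getMessage());
        }

        AddressInput ok = (AddressInput) bindSafe(AddressInput.class, null, Map.of("city", "Berlin"));
        System.out.println("safe binder bound city=" + ok.getCity());
    }
}
```

Compile and run with `javac ParameterBinder.java && java ParameterBinder`. The point of the hardened variant is that the trust boundary moves: the class and the set of callable setters are decided by the service's own declaration, and the request can only narrow within an explicit allowlist, never widen to arbitrary classpath types.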
Remediation
Upgrade to the latest version of Liferay Portal.
Liferay Portal 7.2: There is no patch for Liferay Portal 7.2.0. Upgrade to Liferay Portal 7.2 CE GA2 (7.2.1) or later.
Liferay Portal 7.1: A source patch for Liferay Portal 7.1 GA4 (7.1.3) is available on GitHub. Details for working with source patches can be found on the Patching Liferay Portal page.
Liferay Portal 7.0: A source patch for Liferay Portal 7.0 GA7 (7.0.6) is available on GitHub. Details for working with source patches can be found on the Patching Liferay Portal page.
Liferay Portal 6.2: A source patch for Liferay Portal 6.2 GA6 (6.2.5) is available on GitHub. Details for working with source patches can be found on the Patching Liferay Portal page.
Note that a source patch must be applied to the portal sources and the portal rebuilt and redeployed; it does not change the reported release version, so record where it has been applied rather than relying on the version string to tell patched and unpatched 7.1, 7.0 and 6.2 installations apart.