Liferay TunnelServlet Deserialization Remote Code Execution
Description
Liferay Portal contains a Java deserialization vulnerability in the TunnelServlet component (the endpoint served at /api/liferay/do) that allows unauthenticated remote attackers to execute arbitrary code. TunnelServlet is intended for server-to-server calls and is normally restricted to requests originating from localhost, but a misconfigured host allow list, or a reverse proxy that forwards the path, can expose the endpoint to external networks. When it is reachable, an attacker can POST a crafted serialized Java object that the servlet deserializes without adequate validation of the classes it contains. Depending on the Liferay Portal version deployed, the result is remote code execution or denial of service.
Remediation
Take the following steps to remediate this vulnerability:<br/><br/><strong>1. Verify TunnelServlet Access Restrictions</strong><br/>Confirm that TunnelServlet accepts requests only from loopback and the server's own address. The allow list is controlled by the <code>tunnel.servlet.hosts.allowed</code> portal property (the shipped default is <code>127.0.0.1,SERVER_IP</code>); review portal-ext.properties and any other property override for additional hosts or a widened list. Note that a servlet is not bound to an IP address; the restriction is enforced on the client's source address, so a reverse proxy running on the same host that forwards /api/liferay/do will make every request look local. The tunnel's shared secret does not mitigate this issue, because the serialized request must be read before any credentials it carries can be checked, which is why the attack is unauthenticated.<br/><br/><strong>2. Apply Network-Level Controls</strong><br/>Configure firewall rules or web application firewall (WAF) policies to block external access to the /api/liferay/do endpoint path. Apply the block at the outermost reverse proxy or load balancer as well as at the host, so that forwarded requests never reach the servlet from an address the allow list trusts.<br/><br/><strong>3. Update Liferay Portal</strong><br/>Upgrade to a patched version of Liferay Portal that addresses this deserialization vulnerability. Consult Liferay's security advisories (LPE-15538) for the appropriate version for your deployment.<br/><br/><strong>4. Implement Deserialization Filters</strong><br/>If immediate patching is not possible, use a JEP 290 deserialization filter (<code>java.io.ObjectInputFilter</code>, available since Java 9 and as <code>sun.misc.ObjectInputFilter</code> on Java 8u121 and later) so that only expected classes are allowed to deserialize. The filter pattern is an allow list: classes matching the listed patterns are accepted, and the trailing <code>!*</code> rejects everything else. In code you control, the filter is attached to the stream before the first <code>readObject()</code> call:<br/><pre>import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;

// Example ObjectInputStream filter configuration (Java 9+).
// Replace "your.trusted.package.*" with the classes you actually expect to read.
static ObjectInputStream filteredStream(InputStream inputStream) throws IOException {
    // Allow-list pattern: matching classes are accepted, "!*" rejects all others.
    ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
        "your.trusted.package.*;!*");
    ObjectInputStream ois = new ObjectInputStream(inputStream);
    ois.setObjectInputFilter(filter); // must be set before the first readObject()
    return ois;
}</pre><br/>Because TunnelServlet constructs its own <code>ObjectInputStream</code>, you cannot attach a per-stream filter to it without modifying Liferay. The practical alternative is the JVM-wide filter, set with the <code>jdk.serialFilter</code> system property (for example in the JAVA_OPTS passed to the application server, or in the <code>java.security</code> file) using the same pattern syntax. That filter applies to every <code>ObjectInputStream</code> in the JVM, including Liferay's own legitimate use of serialization, so an over-restrictive pattern can break the portal; validate the allow list in a staging environment before deploying it.<br/><br/><strong>5. Monitor for Exploitation Attempts</strong><br/>Enable access logging for the TunnelServlet endpoint and review POST requests to /api/liferay/do from any address other than loopback or the server itself; repeated server errors on that path can indicate rejected or failing payloads. Also watch for unexpected outbound DNS queries from the application server to external domains, which is a common artifact of deserialization gadget probing.
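As an added example that is not part of the original page or of Liferay's code, the following Python script supports steps 1 and 5 above: it checks a <code>portal-ext.properties</code> snippet for a widened <code>tunnel.servlet.hosts.allowed</code> allow list, and it scans Tomcat common-log-format access-log lines for /api/liferay/do requests from non-loopback clients. The properties snippet and log lines are constructed for the example; the log regex assumes the default Tomcat <code>common</code> access-log pattern.

```python
"""Audit helpers for the Liferay TunnelServlet exposure described above.

Added example, not Liferay code. It checks the tunnel.servlet.hosts.allowed
property and scans access-log lines for external hits on /api/liferay/do.
"""
import re
from ipaddress import ip_address
from typing import Dict, List

TUNNEL_PATH = "/api/liferay/do"
# Liferay's shipped default for tunnel.servlet.hosts.allowed. SERVER_IP is
# Liferay's placeholder for the server's own address.
SAFE_HOSTS = {"127.0.0.1", "SERVER_IP"}

# Constructed sample: a portal-ext.properties that widens the allow list.
SAMPLE_PROPERTIES = """\
# portal-ext.properties (constructed sample)
tunnel.servlet.hosts.allowed=127.0.0.1,SERVER_IP,10.20.30.40,203.0.113.7
"""

# Constructed sample: Tomcat "common" access-log lines.
SAMPLE_ACCESS_LOG = """\
127.0.0.1 - - [12/Mar/2024:10:01:02 +0000] "POST /api/liferay/do HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2024:10:01:05 +0000] "POST /api/liferay/do HTTP/1.1" 200 1931
198.51.100.23 - - [12/Mar/2024:10:02:17 +0000] "GET /web/guest/home HTTP/1.1" 200 8844
198.51.100.23 - - [12/Mar/2024:10:02:19 +0000] "POST /api/liferay/do HTTP/1.1" 500 4212
::1 - - [12/Mar/2024:10:03:00 +0000] "POST /api/liferay/do HTTP/1.1" 200 512
"""

# Tomcat common log format: host ident user [time] "method path protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties-style parser: key=value, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_tunnel_config(props: Dict[str, str]) -> List[str]:
    """Return one finding per allow-list entry that is not loopback or SERVER_IP.

    An absent property means the portal.properties default applies, which is
    the safe setting, so no finding is raised in that case.
    """
    findings: List[str] = []
    hosts_raw = props.get("tunnel.servlet.hosts.allowed")
    if hosts_raw is None:
        return findings
    hosts = [h.strip() for h in hosts_raw.split(",") if h.strip()]
    if not hosts:
        # Assumption: treat an empty list as worth manual review rather than
        # guessing how a given Liferay version interprets it.
        findings.append("tunnel.servlet.hosts.allowed is set but empty; review manually")
    for host in hosts:
        if host not in SAFE_HOSTS:
            findings.append(f"tunnel.servlet.hosts.allowed permits non-loopback client {host}")
    return findings


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; hostnames or junk are treated as not loopback."""
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False


def find_external_tunnel_requests(log_text: str) -> List[dict]:
    """Return /api/liferay/do requests whose client address is not loopback."""
    hits: List[dict] = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        path = match.group("path").split("?", 1)[0]
        if path != TUNNEL_PATH and not path.startswith(TUNNEL_PATH + "/"):
            continue
        if is_loopback(match.group("client")):
            continue
        hits.append({
            "client": match.group("client"),
            "time": match.group("time"),
            "method": match.group("method"),
            "status": int(match.group("status")),
        })
    return hits


if __name__ == "__main__":
    for finding in check_tunnel_config(parse_properties(SAMPLE_PROPERTIES)):
        print("CONFIG:", finding)
    for hit in find_external_tunnel_requests(SAMPLE_ACCESS_LOG):
        print("LOG:", hit)
```

Requests that reach the servlet through a reverse proxy on the same host will appear in Liferay's own access log with a loopback source, so run the log scan against the proxy's log as well, where the real client address is recorded. A 5xx on the tunnel path does not by itself prove exploitation, but it is the first place to look when the allow list has been found open.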