Liferay XMLRPC Blind SSRF
Description
The Liferay XMLRPC servlet contains a Server-Side Request Forgery (SSRF) vulnerability that allows unauthenticated remote attackers to make the server initiate HTTP requests to arbitrary internal or external resources. This blind SSRF occurs when the servlet processes specially crafted XMLRPC requests without properly validating or restricting the destination URLs, enabling attackers to probe internal network infrastructure, bypass firewall restrictions, and interact with services that should not be publicly accessible.
Remediation
Immediately restrict or disable access to the Liferay XMLRPC servlet if it is not required for business operations. If the servlet must remain accessible, implement the following mitigations:
1. Network-level restrictions: Configure firewall rules or web application firewall (WAF) policies to block access to the XMLRPC endpoint (/api/xmlrpc or similar paths) from untrusted networks.
2. Application-level controls: Implement a whitelist of allowed destination hosts and protocols within the XMLRPC handler. Reject requests attempting to access private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), localhost (127.0.0.0/8), link-local addresses (169.254.0.0/16), and cloud metadata endpoints (169.254.169.254).
3. Upgrade Liferay: Update to the latest patched version of Liferay that addresses this SSRF vulnerability.
4. Authentication requirements: If the XMLRPC endpoint must remain enabled, enforce authentication and authorization controls to limit access to trusted users only.
5. Monitoring: Implement logging and monitoring for all XMLRPC requests to detect potential exploitation attempts.
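The following is an added example of the application-level control in item 2; it is editor-written Python, not code from Liferay or from this advisory. It enforces a host and scheme allowlist, then rejects any destination whose literal or resolved address falls in the blocked ranges listed above. Function names, the `resolver` parameter, and the constructed `FAKE_DNS` table are assumptions; the block also goes slightly beyond the advisory by adding the IPv6 equivalents of the listed ranges and unwrapping IPv4-mapped IPv6 literals, since those are common ways a literal-only check is sidestepped.

```python
"""Destination allowlist check for outbound requests made on behalf of an
XMLRPC call.  Added example, not Liferay code: the XMLRPC handler is assumed
to call check_destination() before issuing any outbound HTTP request."""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Ranges named in the advisory, plus IPv6 equivalents (an extension).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "127.0.0.0/8",                                     # loopback
    "169.254.0.0/16",                                  # link-local, incl. 169.254.169.254
    "0.0.0.0/8",                                       # "this host"
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 loopback / ULA / link-local
)]

# Constructed DNS table so the example runs offline (assumption, not real data).
FAKE_DNS = {
    "partner.example": {"203.0.113.10"},
    "mixed.example": {"203.0.113.11", "10.0.0.5"},
    "meta.example": {"169.254.169.254"},
}


def fake_resolver(host):
    """Offline stand-in for DNS: look the host up in the constructed table."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed resolver: unknown host {host}")


def system_resolver(host):
    """Resolve host to every A/AAAA address the system resolver returns."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_blocked_ip(ip_text):
    """True if the address lies in any blocked network."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_destination(url, allowed_hosts, resolver=system_resolver):
    """Return (allowed, reason).  Order of checks: scheme, host allowlist,
    then every address the host maps to (literal or resolved)."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme!r}"
    host = parsed.hostname  # strips userinfo, port and IPv6 brackets
    if not host:
        return False, "no host in URL"
    if host.lower() not in {h.lower() for h in allowed_hosts}:
        return False, f"host not on allowlist: {host}"
    try:
        addresses = {host} if _is_ip_literal(host) else resolver(host)
    except OSError as exc:  # socket.gaierror is an OSError subclass
        return False, f"resolution failed: {exc}"
    for addr in sorted(addresses):
        if is_blocked_ip(addr):
            return False, f"{host} maps to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    allowed = ["partner.example", "mixed.example", "meta.example", "10.0.0.1"]
    for candidate in (
        "https://partner.example/api",
        "http://user@partner.example:8080/x",
        "https://mixed.example/",
        "http://meta.example/latest/meta-data/",
        "http://10.0.0.1/",
        "http://[::ffff:127.0.0.1]/",
        "ftp://partner.example/",
    ):
        print(candidate, "->", check_destination(candidate, allowed, fake_resolver))
```

Two points the check above makes explicit: a name on the allowlist is not enough on its own, because whoever controls that name's DNS can point it at an internal address, so the resolved addresses are checked as well; and the HTTP client should connect to the address that was checked rather than performing a second lookup, otherwise the answer can change between the check and the connection.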