Unauthenticated Remote Code Execution via JSONWS in Liferay 6.1 (LPS-88051)
Description
Liferay Portal 6.1 contains a remote code execution vulnerability in its JSON Web Services (JSONWS) API (tracked as LPS-88051 / CVE-2020-7961; later 6.x and 7.x lines were affected as well). JSONWS binds request parameters to Java objects with the Flexjson library, and Flexjson honours type hints supplied by the caller: a "class" key inside a JSON object, or JSONWS's own "+parameterName:fully.qualified.ClassName" naming syntax, selects the class to instantiate, after which the matching setter methods are invoked with attacker-controlled values. Liferay performed no allow-listing of the classes that could be named this way, so any class reachable on the portal classpath could be instantiated and have its setters called. Because parameter binding happens before the target service method's permission check, no credentials are required: an unauthenticated attacker who can reach the JSONWS endpoint can send a crafted JSON payload that instantiates a suitable gadget class and executes arbitrary code on the server with the privileges of the application server process.
Remediation
Upgrade Liferay Portal to a release or fix pack that addresses this vulnerability as soon as possible. The official Liferay security advisory (CST-7111) lists the fixed version for each affected line; confirm the deployed build number after upgrading, since the fix is only effective once the patched code is actually running.
If immediate patching is not possible, implement the following temporary mitigations:
1. Restrict access to JSONWS endpoints: Configure your web application firewall or reverse proxy to block external access to /api/jsonws (and the /api/secure/jsonws alias, if your deployment exposes it), allowing requests only from trusted IP addresses or internal networks. Treat this as a stopgap: an allow-list does nothing against a request that originates inside the trusted range, and it does not remove the vulnerable code.
2. Disable JSONWS if not required: If JSON web services are not actively used (check first, because portlets and integrations may call them without your knowledge), disable the JSONWS servlet by adding the following line to your portal-ext.properties file and restarting the portal:
json.web.service.enabled=false
3. Monitor for exploitation attempts: Review application and proxy logs for requests to JSONWS paths that carry class-typing hints, that is, parameter names prefixed with "+" that name a fully qualified Java class, or JSON parameter values containing a "class" key. Standard access logs record the query string but not POST bodies, so enable request-body logging at the proxy or WAF for these paths if you need visibility into POSTed payloads; a burst of HTTP 500 responses from JSONWS is also worth investigating, since failed gadget attempts typically surface as server errors.
4. Apply network segmentation: Ensure the Liferay Portal server is isolated from critical systems, and that the application server runs as an unprivileged account, to limit the impact of a compromise while the portal remains unpatched.
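The following script is an added example, not code from Liferay or from the advisory. It shows how mitigations 1 and 3 can be checked in one pass over proxy access logs: every JSONWS request from outside an assumed trusted range is flagged (what the proxy rule should be blocking), and every request whose parameters carry a Flexjson "class" hint or a "+name:Class" typed-parameter name is flagged regardless of source. The log format, the trusted networks, the class name com.example.Gadget and all log lines are constructed for the example; the /api/secure/jsonws alias is assumed to exist alongside /api/jsonws.

```python
"""Triage reverse-proxy access logs for Liferay JSONWS abuse (example code)."""
import ipaddress
import json
import re
from urllib.parse import unquote, urlsplit

# Assumed log format, constructed for this example:
#   <client_ip> "<METHOD> <request-target> HTTP/x.y" <status>
LOG_LINE = re.compile(r'^(\S+) "([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})$')

# Assumed trusted networks that are allowed to reach JSONWS (mitigation 1).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]

# /api/jsonws from the advisory; /api/secure/jsonws assumed as the basic-auth alias.
JSONWS_PATH = re.compile(r"^/api/(secure/)?jsonws(/|$)")

# Constructed sample traffic (not real requests). com.example.Gadget is a placeholder.
SAMPLE_LOG = """\
10.0.5.12 "POST /api/jsonws/invoke HTTP/1.1" 200
203.0.113.7 "POST /api/jsonws/user/update-user?%2Bcomments:com.example.Gadget=%7B%7D HTTP/1.1" 500
203.0.113.7 "GET /api/jsonws?contextName=portal HTTP/1.1" 401
198.51.100.9 "POST /web/guest/home HTTP/1.1" 200
203.0.113.9 "POST /api/jsonws/invoke?cmd=%7B%22/user/update-user%22%3A%7B%22comments%22%3A%7B%22class%22%3A%22com.example.Gadget%22%7D%7D%7D HTTP/1.1" 200
10.0.5.12 "POST /api/jsonws/invoke?cmd=%7B%22comments%22%3A%7B%22class%22%3A%22com.example.Gadget%22%7D%7D HTTP/1.1" 200
"""


def split_query(query):
    """Decode name=value pairs without turning '+' into a space.

    parse_qsl would map '+' to ' ', but a leading '+' on a JSONWS parameter
    name is the typed-instantiation marker we are looking for, so decode
    each side with unquote() only (which leaves '+' alone).
    """
    pairs = []
    for chunk in query.split("&"):
        if chunk:
            name, _, value = chunk.partition("=")
            pairs.append((unquote(name), unquote(value)))
    return pairs


def class_hints(value):
    """Return every Flexjson-style "class" hint found anywhere in a JSON value."""
    try:
        obj = json.loads(value)
    except ValueError:  # not JSON (JSONDecodeError is a ValueError)
        return []
    found = []

    def walk(node):
        if isinstance(node, dict):
            if isinstance(node.get("class"), str):
                found.append(node["class"])
            for child in node.values():
                walk(child)
        elif isinstance(node, list):
            for child in node:
                walk(child)

    walk(obj)
    return found


def is_trusted(ip, nets=TRUSTED_NETS):
    """True if ip falls inside one of the allow-listed networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def triage_line(line, nets=TRUSTED_NETS):
    """Return a finding dict for a suspicious JSONWS request, else None."""
    match = LOG_LINE.match(line)
    if not match:
        return None
    ip, method, target, status = match.groups()
    parts = urlsplit(target)
    if not JSONWS_PATH.match(parts.path):
        return None
    reasons = []
    if not is_trusted(ip, nets):
        reasons.append("untrusted-source")  # should have been blocked at the proxy
    for name, value in split_query(parts.query):
        if name.startswith("+"):
            reasons.append("typed-parameter:" + name)  # "+param:Class" syntax
        for cls in class_hints(value):
            reasons.append("class-hint:" + cls)  # Flexjson "class" key in JSON
    if not reasons:
        return None
    return {"ip": ip, "method": method, "path": parts.path,
            "status": status, "reasons": reasons}


def triage(log_text, nets=TRUSTED_NETS):
    """Run triage_line over a whole log and keep only the findings."""
    return [f for f in (triage_line(l, nets) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding['ip']} {finding['method']} {finding['path']} "
              f"-> {', '.join(finding['reasons'])}")
```

The last sample line is the case the allow-list alone misses: a class hint arriving from a trusted address is still flagged, which is why the monitoring step matters even with the proxy rule in place. In production, point triage() at real proxy logs and feed findings into your alerting pipeline; if you enable request-body logging for JSONWS paths, run class_hints() over the logged bodies as well, since POSTed JSON never appears in the query string.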