Unauthenticated Remote Code Execution via JSONWS in Liferay 7.2.0 CE GA1 - Vulnerability Database


Description

Liferay Portal 7.2.0 CE GA1 contains an unauthenticated remote code execution vulnerability in its JSON Web Services (JSONWS) API. The vulnerability exists in the JSONWebServiceActionParametersMap class, which improperly allows attackers to instantiate arbitrary Java classes and invoke their setter methods without authentication. This design flaw enables attackers to execute arbitrary code on the server by crafting malicious JSONWS requests.

Remediation

Immediately upgrade to a patched version of Liferay Portal or apply the appropriate source patch for your version:

Liferay Portal 7.2: Upgrade to Liferay Portal 7.2 CE GA2 (version 7.2.1) or later. No patch is available for version 7.2.0.

Liferay Portal 7.1: Apply the source patch available on GitHub for Liferay Portal 7.1 GA4 (version 7.1.3). Refer to the official Liferay documentation on Patching Liferay Portal for instructions on applying source patches.

Liferay Portal 7.0: Apply the source patch available on GitHub for Liferay Portal 7.0 GA7 (version 7.0.6). Refer to the official Liferay documentation on Patching Liferay Portal for instructions on applying source patches.

Liferay Portal 6.2: Apply the source patch available on GitHub for Liferay Portal 6.2 GA6 (version 6.2.5). Refer to the official Liferay documentation on Patching Liferay Portal for instructions on applying source patches.

Temporary Mitigation: If immediate patching is not possible, consider restricting network access to the JSONWS API endpoints (/api/jsonws) using firewall rules or web application firewall (WAF) policies to trusted IP addresses only. However, this is only a temporary measure and does not replace the need for patching.
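As an added example (not part of this advisory), the check below verifies that the network restriction above is actually holding: it parses combined-format access log lines and flags any request to /api/jsonws from a client outside an assumed set of trusted networks. The trusted ranges, log lines and request paths are constructed sample values.

```python
import ipaddress
import re

# Networks assumed to be allowed to reach the JSONWS API (constructed example values).
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.0/24")]

# Endpoint prefix named in the advisory's temporary mitigation.
JSONWS_PREFIX = "/api/jsonws"

# Combined log format: client ip, ident, user, [time], "METHOD path proto", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the parsed fields of one access log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(ip_str):
    """True if ip_str is a valid address inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETWORKS)


def find_untrusted_jsonws(lines):
    """Return (ip, method, path, status) for every JSONWS request from an untrusted client."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line, skip rather than crash
        path = rec["path"].split("?", 1)[0]  # compare the path without its query string
        if path.startswith(JSONWS_PREFIX) and not is_trusted(rec["ip"]):
            hits.append((rec["ip"], rec["method"], path, rec["status"]))
    return hits


# Constructed sample log lines: two JSONWS requests from a non-trusted address should be flagged.
SAMPLE_LOG = [
    '10.0.5.7 - admin [12/Oct/2019:10:00:01 +0000] "GET /api/jsonws HTTP/1.1" 200 1024',
    '203.0.113.45 - - [12/Oct/2019:10:00:05 +0000] "POST /api/jsonws/invoke HTTP/1.1" 200 512',
    '198.51.100.9 - - [12/Oct/2019:10:00:09 +0000] "GET /web/guest/home HTTP/1.1" 200 8192',
    '192.168.1.20 - - [12/Oct/2019:10:00:12 +0000] "POST /api/jsonws/invoke?p_auth=x HTTP/1.1" 403 0',
    '203.0.113.45 - - [12/Oct/2019:10:00:15 +0000] "POST /api/jsonws/invoke?p_auth=x HTTP/1.1" 500 0',
    'this line is not an access log record',
]

if __name__ == "__main__":
    for hit in find_untrusted_jsonws(SAMPLE_LOG):
        print("untrusted JSONWS access:", hit)
```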