Skip to main content
CVE Vulnerability Database

CVE-2020-7961: Liferay Portal RCE Vulnerability

CVE-2020-7961 is a deserialization of untrusted data vulnerability in Liferay Portal that enables remote code execution via JSON web services. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2020-7961 Overview

CVE-2020-7961 is a critical insecure deserialization vulnerability affecting Liferay Portal prior to version 7.2.1 CE GA2. This vulnerability allows remote attackers to execute arbitrary code via JSON web services (JSONWS) by exploiting the unsafe deserialization of untrusted data. The flaw exists in the way Liferay Portal handles Java object deserialization through its JSONWS API endpoints, enabling unauthenticated attackers to achieve complete system compromise.

Critical Impact

This vulnerability is actively exploited in the wild and listed in CISA's Known Exploited Vulnerabilities catalog. Unauthenticated attackers can achieve remote code execution with no user interaction required, potentially leading to complete server takeover.

Affected Products

  • Liferay Portal Community Edition prior to 7.2.1 CE GA2
  • Liferay Portal versions with exposed JSONWS endpoints

Discovery Timeline

  • 2020-03-20 - CVE-2020-7961 published to NVD
  • 2025-11-07 - Last updated in NVD database

Technical Details for CVE-2020-7961

Vulnerability Analysis

This vulnerability stems from insecure deserialization practices within Liferay Portal's JSON Web Services (JSONWS) implementation. JSONWS is a powerful API framework in Liferay that exposes various service endpoints for remote procedure calls. The vulnerability occurs when the application deserializes Java objects from untrusted input without proper validation or filtering.

When processing incoming JSONWS requests, Liferay Portal fails to adequately validate serialized Java objects before deserialization. This allows attackers to craft malicious serialized payloads containing gadget chains that execute arbitrary code upon deserialization. The attack requires no authentication and can be executed remotely over the network, making it particularly dangerous for internet-facing Liferay installations.

According to Checkpoint Research Analysis, this vulnerability has been leveraged by threat actors for botnet creation, demonstrating its real-world exploitation in malicious campaigns.

Root Cause

The root cause is classified as CWE-502: Deserialization of Untrusted Data. Liferay Portal's JSONWS service improperly deserializes user-controlled input without implementing safeguards such as:

  • Whitelisting allowed classes for deserialization
  • Input validation before deserialization
  • Sandboxed deserialization environments

The Java unmarshalling process trusts incoming serialized data, allowing attackers to inject malicious objects that trigger code execution when the readObject() method processes the payload.

Attack Vector

The attack is conducted over the network targeting the JSONWS API endpoints. Attackers craft malicious JSON requests containing serialized Java objects with carefully constructed gadget chains. Common exploitation techniques leverage well-known Java deserialization gadget chains to achieve remote code execution.

The exploitation flow involves:

  1. Identifying an accessible Liferay Portal instance with JSONWS enabled
  2. Crafting a malicious serialized payload using Java gadget chains
  3. Sending the payload to vulnerable JSONWS endpoints
  4. The server deserializes the malicious object, triggering arbitrary code execution

Detailed exploitation techniques are documented in the Packet Storm RCE Exploit resources.

Detection Methods for CVE-2020-7961

Indicators of Compromise

  • Unusual or malformed requests to /api/jsonws/* endpoints containing serialized Java objects
  • Suspicious process spawning from Java/Tomcat processes such as shell execution or reverse shell connections
  • Network connections to unknown external hosts originating from the Liferay application server
  • Presence of known Java deserialization gadget chain signatures in request payloads

Detection Strategies

  • Deploy Web Application Firewall (WAF) rules to detect and block Java deserialization attack patterns in HTTP requests
  • Monitor JSONWS API endpoint access logs for anomalous request patterns and oversized payloads
  • Implement runtime application self-protection (RASP) to detect deserialization attacks
  • Use network intrusion detection systems (IDS) with signatures for known deserialization exploitation techniques

Monitoring Recommendations

  • Enable verbose logging for Liferay Portal's JSONWS service and review logs for suspicious activity
  • Monitor for unexpected outbound network connections from the application server
  • Implement file integrity monitoring on Liferay installation directories to detect unauthorized modifications
  • Alert on new user account creation or privilege escalation events that may indicate post-exploitation activity

How to Mitigate CVE-2020-7961

Immediate Actions Required

  • Upgrade Liferay Portal to version 7.2.1 CE GA2 or later immediately
  • If immediate patching is not possible, disable or restrict access to JSONWS endpoints
  • Implement network segmentation to limit exposure of vulnerable Liferay instances
  • Review system logs for indicators of compromise before and after patching

Patch Information

Liferay has addressed this vulnerability in version 7.2.1 CE GA2 and later releases. Organizations should consult the Liferay Known Vulnerabilities page for official security advisories and the Liferay Vulnerability Detail for specific guidance on remediation.

Given this vulnerability is listed in the CISA Known Exploited Vulnerabilities Catalog, federal agencies and critical infrastructure organizations have mandated remediation timelines.

Workarounds

  • Disable JSONWS endpoints entirely if they are not required for business operations
  • Implement strict IP-based access controls to limit JSONWS access to trusted internal networks only
  • Deploy a reverse proxy or WAF in front of Liferay to filter malicious deserialization payloads
  • Configure Java deserialization filters using ObjectInputFilter to block dangerous classes
bash
# Example: Restrict access to JSONWS via Apache configuration
<Location "/api/jsonws">
    Order deny,allow
    Deny from all
    Allow from 10.0.0.0/8
    Allow from 192.168.0.0/16
</Location>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.