CVE-2024-25607 Overview
CVE-2024-25607 affects Liferay Portal and Liferay Digital Experience Platform (DXP). The default password hashing algorithm PBKDF2-HMAC-SHA1 is configured with a low work factor (iteration count). Attackers who obtain the password hash database can crack credentials significantly faster than expected for a modern key derivation function. The weakness is classified as CWE-916: Use of Password Hash With Insufficient Computational Effort.
Affected versions include Liferay Portal 7.2.0 through 7.4.3.15, Liferay DXP 7.4 before update 16, Liferay DXP 7.3 before update 4, Liferay DXP 7.2 before fix pack 17, and older unsupported releases.
Critical Impact
Attackers with access to stored password hashes can rapidly recover plaintext passwords through offline brute-force or dictionary attacks, enabling account takeover and lateral movement.
Affected Products
- Liferay Portal 7.2.0 through 7.4.3.15 (and older unsupported versions)
- Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 17
- Liferay Digital Experience Platform 7.2, 7.3, and 7.4 release branches
Discovery Timeline
- 2024-02-20 - CVE-2024-25607 published to NVD
- 2024-12-11 - Last updated in NVD database
Technical Details for CVE-2024-25607
Vulnerability Analysis
The vulnerability stems from how Liferay Portal stores user passwords. Liferay applies PBKDF2-HMAC-SHA1 as its default password-based key derivation function. PBKDF2 derives strength from its iteration count, which determines how much computational effort an attacker must spend per password guess.
Liferay's default configuration selects a low work factor. The chosen iteration count does not align with current OWASP guidance, which recommends hundreds of thousands of PBKDF2-HMAC-SHA1 iterations to slow modern GPU and ASIC hardware. A weak work factor leaves password hashes within range of large-scale offline cracking attempts.
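To make the work-factor argument concrete, the following added example (not Liferay's code, and not taken from the advisory) derives and verifies PBKDF2-HMAC-SHA1 hashes with Python's standard library and measures the per-guess cost at a constructed low iteration count against the 720000 the page's configuration example uses. The RFC 6070 vector anchors the derivation; the low count of 1000 is an assumption chosen only for the comparison.

```python
import hashlib
import hmac
import os
import time

# RFC 6070 reference vector for PBKDF2-HMAC-SHA1 (password="password", salt="salt", c=4096)
RFC6070_C4096 = "4b007901b765489abead49d926f721d065a429c1"

# Constructed work factors for comparison: a deliberately low count standing in
# for a weak default, and the 720000 the page's configuration example uses.
LOW_ITERATIONS = 1000
STRONG_ITERATIONS = 720000


def derive(password: bytes, salt: bytes, iterations: int, dklen: int = 20) -> bytes:
    """PBKDF2-HMAC-SHA1 via the standard library; dklen=20 matches one SHA-1 output."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen)


def make_record(password: bytes, iterations: int) -> dict:
    """Store a fresh random salt and the iteration count alongside the derived key,
    so the verifier can recompute with the same parameters later."""
    salt = os.urandom(16)
    return {"iterations": iterations, "salt": salt, "key": derive(password, salt, iterations)}


def verify(record: dict, candidate: bytes) -> bool:
    """Constant-time comparison; anyone holding `record` must pay `iterations` HMACs per guess."""
    return hmac.compare_digest(record["key"], derive(candidate, record["salt"], record["iterations"]))


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure the cost of one derivation on this host (best of `samples` runs).
    Dedicated cracking hardware is far faster, but the ratio between work factors carries over."""
    salt = b"constructed-salt"
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        derive(b"constructed-guess", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def cost_ratio(low: int = LOW_ITERATIONS, strong: int = STRONG_ITERATIONS) -> float:
    """Measured slowdown factor per guess when the work factor is raised from `low` to `strong`."""
    return seconds_per_guess(strong) / seconds_per_guess(low)


if __name__ == "__main__":
    rec = make_record(b"correct horse battery staple", STRONG_ITERATIONS)
    print("verify correct:", verify(rec, b"correct horse battery staple"))
    print("verify wrong:  ", verify(rec, b"Tr0ub4dor&3"))
    print(f"per-guess cost at {LOW_ITERATIONS}: {seconds_per_guess(LOW_ITERATIONS) * 1e3:.3f} ms")
    print(f"per-guess cost at {STRONG_ITERATIONS}: {seconds_per_guess(STRONG_ITERATIONS) * 1e3:.1f} ms")
    print(f"slowdown factor: {cost_ratio():.0f}x")
```

The ratio scales linearly with the iteration count, which is the whole point of the parameter: raising it multiplies the cost of every offline guess without changing the storage format or the salt handling.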
This weakness is not exploitable over the network on its own. An attacker first needs read access to the User_ table or a database backup containing the stored hashes. After acquiring hashes, the attacker performs offline guessing using tools such as hashcat or John the Ripper. Recovered plaintext passwords enable authenticated access to the portal and any federated systems sharing credentials. The EPSS score remains low, but the impact on credential confidentiality is severe.
Root Cause
Liferay shipped with a default passwords.encryption.algorithm configuration that uses PBKDF2WithHmacSHA1 with an insufficient iteration count. The setting prioritizes performance over resistance to offline cracking. Administrators who never customized the algorithm inherited the weak default.
Attack Vector
The attack vector is network-adjacent in the sense that it presumes the attacker has already obtained the hash material through a separate flaw such as SQL injection, an exposed backup, an insider with database access, or a secondary breach. Once the hashes are exfiltrated, cracking occurs offline and at the attacker's pace. No interaction with the Liferay instance is required during the cracking phase.
No public proof-of-concept code is required to exploit this weakness. The flaw is a misconfiguration of cryptographic parameters rather than a memory or logic bug. Refer to the Liferay Known Vulnerability advisory for CVE-2024-25607 for vendor technical details.
Detection Methods for CVE-2024-25607
Indicators of Compromise
- Unexpected reads or exports against the User_ table or portal-ext.properties file containing hashed credentials.
- Successful logins for service or administrator accounts from unfamiliar IP addresses following a database access event.
- Database backup files appearing on shared storage, removable media, or outbound network transfers.
Detection Strategies
- Inventory all Liferay Portal and DXP deployments and verify the configured value of passwords.encryption.algorithm in portal-ext.properties.
- Audit the password hash format stored in User_.password_. Hashes carrying a PBKDF2_ prefix with a low iteration count signal exposure.
- Review database access logs for queries selecting password columns by non-application accounts.
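The first detection step above, checking the configured value of passwords.encryption.algorithm, can be scripted. The following is an added example, not a Liferay tool, and it makes two assumptions: the algorithm string carries its iteration count as the trailing slash-separated numeric field, as in the page's own PBKDF2WithHmacSHA1/720000 example, and the page's 720000 serves as the minimum acceptable count. An unset key is reported as well, since the page notes that deployments which never customized the algorithm inherit the shipped default; whether that default is weak must then be judged against the installed version. The properties reader is deliberately minimal.

```python
import re
from dataclasses import dataclass
from typing import Optional

ALGO_KEY = "passwords.encryption.algorithm"
LEGACY_KEY = "passwords.encryption.algorithm.legacy"

# Threshold taken from the page's recommended setting (PBKDF2WithHmacSHA1/720000).
MIN_ITERATIONS = 720_000


@dataclass
class Finding:
    key: str
    value: Optional[str]
    iterations: Optional[int]
    verdict: str  # "ok", "weak", "unset", or "review"


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: skips blanks and comments, splits on the first '=' or ':'."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def pbkdf2_iterations(value: str) -> Optional[int]:
    """Return the trailing numeric field of a PBKDF2 algorithm string, e.g.
    'PBKDF2WithHmacSHA1/720000' -> 720000. None if the value is not PBKDF2 or has no count.
    (Assumption: the count is the last slash-separated field.)"""
    if not value.upper().startswith("PBKDF2"):
        return None
    fields = value.split("/")
    return int(fields[-1]) if len(fields) > 1 and fields[-1].isdigit() else None


def audit(text: str, min_iterations: int = MIN_ITERATIONS) -> list:
    """Evaluate the primary and legacy algorithm keys of a portal-ext.properties file."""
    props = parse_properties(text)
    findings = []
    for key in (ALGO_KEY, LEGACY_KEY):
        value = props.get(key)
        if value is None:
            # Only the primary key matters when absent: the deployment then inherits the
            # shipped default, which must be checked against the installed version.
            if key == ALGO_KEY:
                findings.append(Finding(key, None, None, "unset"))
            continue
        iterations = pbkdf2_iterations(value)
        if iterations is None:
            findings.append(Finding(key, value, None, "review"))  # non-PBKDF2 or unparsable
        elif iterations < min_iterations:
            findings.append(Finding(key, value, iterations, "weak"))
        else:
            findings.append(Finding(key, value, iterations, "ok"))
    return findings


# Constructed sample: a portal-ext.properties fragment that pins a low legacy count and
# leaves the primary algorithm at the shipped default.
SAMPLE_WEAK = """
# constructed portal-ext.properties
passwords.encryption.algorithm.legacy=PBKDF2WithHmacSHA1/160000
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_WEAK):
        print(f"{f.key}: {f.value!r} iterations={f.iterations} -> {f.verdict}")
```

Run it across an inventory of portal-ext.properties files and treat any "unset" or "weak" verdict as a deployment to upgrade and reconfigure; a "review" verdict means a non-PBKDF2 algorithm is in use and needs a manual look rather than an automatic pass.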
Monitoring Recommendations
- Alert on bulk reads of the Liferay user table outside of approved maintenance windows.
- Monitor authentication telemetry for credential stuffing patterns that may indicate successfully cracked accounts.
- Track configuration drift on portal-ext.properties and related Liferay deployment files using file integrity monitoring.
How to Mitigate CVE-2024-25607
Immediate Actions Required
- Upgrade Liferay DXP to 7.4 update 16, 7.3 update 4, or 7.2 fix pack 17 or later. Upgrade Liferay Portal to a release beyond 7.4.3.15.
- Reconfigure passwords.encryption.algorithm in portal-ext.properties to use a stronger algorithm and higher iteration count as recommended by Liferay.
- Force a password reset for privileged users after upgrading to ensure hashes are regenerated under the stronger parameters.
Patch Information
Liferay addressed the issue by updating the default password hashing parameters. Apply Liferay DXP 7.4 update 16, 7.3 update 4, 7.2 fix pack 17, or any newer release. Liferay Portal users should move to a patched build above 7.4.3.15. Consult the Liferay security advisory for the full list of fixed releases.
Workarounds
- Manually override passwords.encryption.algorithm to PBKDF2WithHmacSHA1/720000 or a stronger configuration accepted by your Liferay version.
- Restrict database access to the Liferay application account only and isolate the database server on a dedicated network segment.
- Enforce multi-factor authentication on all administrator and privileged accounts to limit the value of a cracked password.
# Configuration example for portal-ext.properties
passwords.encryption.algorithm=PBKDF2WithHmacSHA1/720000
passwords.encryption.algorithm.legacy=PBKDF2WithHmacSHA1/160000
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.