LPE-16497

LSV-412: Registered User RCE using JSON Deserialization

    Details

    • Fix Pack Status:
      Scheduled
    • Business Value:
      5
    • 7.0 Fix Pack Version:
      65
    • 7.1 Fix Pack Version:
      3

      Description

      Liferay DXP 7.1, DXP 7.0, Portal 6.2 EE and Portal 6.1 EE are vulnerable to remote code execution via deserialization of JSON data.

      See also https://help.liferay.com/hc/en-us/articles/360020526952.

      Mitigation Notes

      The following portal property ("json.deserialization.whitelist.class.names") has been added to control which classes may be deserialized from a JSON request. Any class not on this list is rejected.

      You may need to add your own custom classes to this list if you see a WARN message like the following in the server log, which indicates that deserialization of that class was rejected:

      WARN  [http-bio-6111-exec-7][LiferayJSONDeserializationWhitelist:56] Unable to deserialize com.my.Class due to security restrictions
      
      • DXP:
            #
            # Input a list of comma delimited class names that can be deserialized using
            # JSONFactory.
            #
            # Env: LIFERAY_JSON_PERIOD_DESERIALIZATION_PERIOD_WHITELIST_PERIOD_CLASS_PERIOD_NAMES
            #
            json.deserialization.whitelist.class.names=\
                com.liferay.portal.kernel.cal.DayAndPosition,\
                com.liferay.portal.kernel.cal.Duration,\
                com.liferay.portal.kernel.cal.TZSRecurrence,\
                com.liferay.portal.kernel.messaging.Message,\
                com.liferay.portal.kernel.model.PortletPreferencesIds,\
                com.liferay.portal.kernel.security.auth.HttpPrincipal,\
                com.liferay.portal.kernel.service.permission.ModelPermissions,\
                com.liferay.portal.kernel.service.ServiceContext,\
                com.liferay.portal.kernel.util.LongWrapper,\
                com.liferay.portlet.messageboards.messaging.MailingListRequest,\
                java.util.GregorianCalendar,\
                java.util.Locale,\
                java.util.TimeZone,\
                sun.util.calendar.ZoneInfo
        
      • 6.x:
            #
            # Input a list of comma delimited class names that can be deserialized using
            # JSONFactory.
            #
            json.deserialization.whitelist.class.names=\
                com.liferay.portal.kernel.cal.DayAndPosition,\
                com.liferay.portal.kernel.cal.Duration,\
                com.liferay.portal.kernel.cal.TZSRecurrence,\
                com.liferay.portal.kernel.messaging.Message,\
                com.liferay.portal.kernel.scheduler.messaging.ReceiverKey,\
                com.liferay.portal.kernel.util.LongWrapper,\
                com.liferay.portal.lar.PortletDataContextImpl,\
                com.liferay.portal.messaging.LayoutsLocalPublisherRequest,\
                com.liferay.portal.messaging.LayoutsRemotePublisherRequest,\
                com.liferay.portal.model.PortletPreferencesIds,\
                com.liferay.portal.security.auth.HttpPrincipal,\
                com.liferay.portal.service.ServiceContext,\
                com.liferay.portlet.messageboards.messaging.MailingListRequest,\
                java.util.GregorianCalendar,\
                java.util.Locale,\
                java.util.TimeZone,\
                sun.util.calendar.ZoneInfo
        
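As an added operator check (not part of the advisory and not Liferay's own code), the following Python script extracts the class names that LiferayJSONDeserializationWhitelist rejected from a server log, compares them with the json.deserialization.whitelist.class.names value in a portal-ext.properties file, and renders a merged property value in the multi-line form shown above. The log lines and the properties fragment embedded in it are constructed samples written in the format quoted in the Mitigation Notes; the file names and function names are this example's own. A rejection warning means the fix is working as intended: a class should only be added after confirming that your own deployed code really sends it in a JSON request, and classes outside your own packages should not be added just to silence the warning.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed sample log excerpt (not from a real server), in the format
# quoted in the Mitigation Notes of LPE-16497.
SAMPLE_LOG = """\
INFO  [main][PortalInstances:137] Initializing default company
WARN  [http-bio-6111-exec-7][LiferayJSONDeserializationWhitelist:56] Unable to deserialize com.my.Class due to security restrictions
WARN  [http-bio-6111-exec-3][LiferayJSONDeserializationWhitelist:56] Unable to deserialize com.my.OtherClass due to security restrictions
WARN  [http-bio-6111-exec-9][LiferayJSONDeserializationWhitelist:56] Unable to deserialize com.my.Class due to security restrictions
"""

# Constructed portal-ext.properties fragment using the same backslash
# line-continuation style as the advisory's property listing.
SAMPLE_PROPERTIES = """\
# constructed portal-ext.properties excerpt
json.deserialization.whitelist.class.names=\\
    com.liferay.portal.kernel.util.LongWrapper,\\
    java.util.Locale
"""

PROPERTY = "json.deserialization.whitelist.class.names"

# Matches the rejection message emitted by the whitelist (line number after
# the colon varies between versions, so it is not hard-coded).
REJECT_RE = re.compile(
    r"\[LiferayJSONDeserializationWhitelist:\d+\] "
    r"Unable to deserialize (\S+) due to security restrictions"
)


def rejected_classes(log_text: str) -> Dict[str, int]:
    """Return a map of rejected class name -> number of rejections in the log."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        match = REJECT_RE.search(line)
        if match:
            counts[match.group(1)] = counts.get(match.group(1), 0) + 1
    return counts


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '#' comments and backslash continuations."""
    props: Dict[str, str] = {}
    logical: List[str] = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not logical and (not stripped or stripped.startswith("#")):
            continue
        if stripped.endswith("\\"):
            logical.append(stripped[:-1])  # continuation: keep accumulating
            continue
        logical.append(stripped)
        key, _, value = "".join(logical).partition("=")
        props[key.strip()] = value.strip()
        logical = []
    return props


def whitelist(props: Dict[str, str]) -> Set[str]:
    """Split the comma-delimited property value into a set of class names."""
    value = props.get(PROPERTY, "")
    return {name.strip() for name in value.split(",") if name.strip()}


def missing_classes(log_text: str, properties_text: str) -> List[str]:
    """Classes rejected in the log that are not in the configured whitelist."""
    configured = whitelist(parse_properties(properties_text))
    return sorted(name for name in rejected_classes(log_text) if name not in configured)


def merged_whitelist(log_text: str, properties_text: str) -> Set[str]:
    """Configured whitelist plus every class the log shows as rejected (review before use)."""
    return whitelist(parse_properties(properties_text)) | set(rejected_classes(log_text))


def render_property(classes: Iterable[str]) -> str:
    """Render the property in the multi-line continuation form used by the advisory."""
    ordered = sorted(classes)
    lines = [f"{PROPERTY}=\\"]
    for index, name in enumerate(ordered):
        suffix = ",\\" if index < len(ordered) - 1 else ""
        lines.append(f"    {name}{suffix}")
    return "\n".join(lines)


if __name__ == "__main__":
    for name, count in sorted(rejected_classes(SAMPLE_LOG).items()):
        print(f"rejected {count}x: {name}")
    print("not yet whitelisted:", missing_classes(SAMPLE_LOG, SAMPLE_PROPERTIES))
    print(render_property(merged_whitelist(SAMPLE_LOG, SAMPLE_PROPERTIES)))
```

Run it as a plain script to list the classes that were rejected but are not yet configured; replace SAMPLE_LOG and SAMPLE_PROPERTIES with the contents of the real log and portal-ext.properties. The render_property output is meant to be reviewed class by class, not pasted wholesale, since each entry re-enables deserialization of that class from any authenticated JSON request.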

      People

      • Assignee: Joshua Cords (joshua.cords)
      • Reporter: Tibor Lipusz (tibor.lipusz)

      Packages

      Affected version packages:
      • 6.1.X EE
      • 6.2.X EE
      • 7.0.X EE
      • 7.1.x EE