- Type: Bug
- Status: Closed
- Priority: Critical
- Resolution: Fixed
- Affects Version/s: 6.1 EE GA1 (6.1.10), 6.1 EE GA2 (6.1.20), 6.1 EE GA3 (6.1.30), 6.2 EE GA1 (6.2.10), 7.0 DE (7.0.10), 7.1 DXP (7.1.10)
- Component/s: Core Infrastructure, Security Vulnerability
- Fix Pack Status: Scheduled
- Business Value: 5
- 7.0 Fix Pack Version: 65
- 7.1 Fix Pack Version: 3
Liferay DXP 7.1, DXP 7.0, Portal 6.2 EE and Portal 6.1 EE are vulnerable to remote code execution via deserialization of untrusted JSON data.
See also https://help.liferay.com/hc/en-us/articles/360020526952.
Mitigation Notes
The portal property "json.deserialization.whitelist.class.names" has been added to control which classes may be deserialized from a JSON request; any class not on the list is rejected.
If your own code relies on deserializing custom classes from JSON, you may need to add them to the list. A rejected deserialization shows up in the server log as a WARN message like the following:
WARN [http-bio-6111-exec-7][LiferayJSONDeserializationWhitelist:56] Unable to deserialize com.my.Class due to security restrictions
Only add classes your application legitimately needs. A rejected class name that belongs neither to Liferay nor to your own code should be investigated as a possible exploitation attempt rather than whitelisted.
- DXP:
#
# Input a list of comma delimited class names that can be deserialized using
# JSONFactory.
#
# Env: LIFERAY_JSON_PERIOD_DESERIALIZATION_PERIOD_WHITELIST_PERIOD_CLASS_PERIOD_NAMES
#
json.deserialization.whitelist.class.names=\
    com.liferay.portal.kernel.cal.DayAndPosition,\
    com.liferay.portal.kernel.cal.Duration,\
    com.liferay.portal.kernel.cal.TZSRecurrence,\
    com.liferay.portal.kernel.messaging.Message,\
    com.liferay.portal.kernel.model.PortletPreferencesIds,\
    com.liferay.portal.kernel.security.auth.HttpPrincipal,\
    com.liferay.portal.kernel.service.permission.ModelPermissions,\
    com.liferay.portal.kernel.service.ServiceContext,\
    com.liferay.portal.kernel.util.LongWrapper,\
    com.liferay.portlet.messageboards.messaging.MailingListRequest,\
    java.util.GregorianCalendar,\
    java.util.Locale,\
    java.util.TimeZone,\
    sun.util.calendar.ZoneInfo
- 6.x:
#
# Input a list of comma delimited class names that can be deserialized using
# JSONFactory.
#
json.deserialization.whitelist.class.names=\
    com.liferay.portal.kernel.cal.DayAndPosition,\
    com.liferay.portal.kernel.cal.Duration,\
    com.liferay.portal.kernel.cal.TZSRecurrence,\
    com.liferay.portal.kernel.messaging.Message,\
    com.liferay.portal.kernel.scheduler.messaging.ReceiverKey,\
    com.liferay.portal.kernel.util.LongWrapper,\
    com.liferay.portal.lar.PortletDataContextImpl,\
    com.liferay.portal.messaging.LayoutsLocalPublisherRequest,\
    com.liferay.portal.messaging.LayoutsRemotePublisherRequest,\
    com.liferay.portal.model.PortletPreferencesIds,\
    com.liferay.portal.security.auth.HttpPrincipal,\
    com.liferay.portal.service.ServiceContext,\
    com.liferay.portlet.messageboards.messaging.MailingListRequest,\
    java.util.GregorianCalendar,\
    java.util.Locale,\
    java.util.TimeZone,\
    sun.util.calendar.ZoneInfo
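As an added example (not part of the original issue or of Liferay's code), the script below shows how to act on the WARN message above: it scans server log text for rejected JSON deserializations, counts them per class, separates classes under your own package prefixes (candidates for the whitelist) from anything else (to investigate first), and renders the extended DXP property value in portal-ext.properties continuation style. The log lines, the com.my. prefix and the class names com.my.Class, com.my.Other and org.example.unknown.Payload are constructed for the example; the default class list is the DXP one from the mitigation notes.

```python
import re
from collections import Counter

# Constructed sample log lines (not captured from a real server), shaped like the
# WARN message quoted in the mitigation notes. com.my.* stands in for an
# installation's own custom classes; org.example.unknown.Payload stands in for a
# class nobody on the team recognises.
SAMPLE_LOG = """\
10:15:01,123 WARN  [http-bio-6111-exec-7][LiferayJSONDeserializationWhitelist:56] Unable to deserialize com.my.Class due to security restrictions
10:15:02,456 INFO  [http-bio-6111-exec-3][PortalImpl:123] Unrelated log line
10:15:03,789 WARN  [http-bio-6111-exec-9][LiferayJSONDeserializationWhitelist:56] Unable to deserialize com.my.Other due to security restrictions
10:15:04,000 WARN  [http-bio-6111-exec-2][LiferayJSONDeserializationWhitelist:56] Unable to deserialize com.my.Class due to security restrictions
10:15:05,000 WARN  [http-bio-6111-exec-4][LiferayJSONDeserializationWhitelist:56] Unable to deserialize org.example.unknown.Payload due to security restrictions
"""

# Default DXP value of json.deserialization.whitelist.class.names, as listed in
# the mitigation notes.
DXP_DEFAULT_WHITELIST = [
    "com.liferay.portal.kernel.cal.DayAndPosition",
    "com.liferay.portal.kernel.cal.Duration",
    "com.liferay.portal.kernel.cal.TZSRecurrence",
    "com.liferay.portal.kernel.messaging.Message",
    "com.liferay.portal.kernel.model.PortletPreferencesIds",
    "com.liferay.portal.kernel.security.auth.HttpPrincipal",
    "com.liferay.portal.kernel.service.permission.ModelPermissions",
    "com.liferay.portal.kernel.service.ServiceContext",
    "com.liferay.portal.kernel.util.LongWrapper",
    "com.liferay.portlet.messageboards.messaging.MailingListRequest",
    "java.util.GregorianCalendar",
    "java.util.Locale",
    "java.util.TimeZone",
    "sun.util.calendar.ZoneInfo",
]

# Matches the logger name plus the message text; the class name may contain
# '$' for nested classes.
REJECT_RE = re.compile(
    r"\[LiferayJSONDeserializationWhitelist:\d+\] "
    r"Unable to deserialize (?P<cls>[\w.$]+) due to security restrictions"
)


def rejected_classes(log_text):
    """Count, per class name, how often the JSON whitelist rejected a deserialization."""
    counts = Counter()
    for line in log_text.splitlines():
        match = REJECT_RE.search(line)
        if match:
            counts[match.group("cls")] += 1
    return counts


def triage(counts, trusted_prefixes):
    """Split rejected classes into ones under a trusted (own) package prefix and
    the rest. Only the first group are whitelist candidates; the rest need a look."""
    own, suspicious = [], []
    for cls in sorted(counts):
        if any(cls.startswith(prefix) for prefix in trusted_prefixes):
            own.append(cls)
        else:
            suspicious.append(cls)
    return own, suspicious


def render_whitelist_property(default_classes, extra_classes):
    """Render the property with the default entries plus extra_classes (deduplicated),
    one class per continuation line as in portal-ext.properties."""
    classes = list(default_classes)
    for cls in extra_classes:
        if cls not in classes:
            classes.append(cls)
    lines = ["json.deserialization.whitelist.class.names=\\"]
    for index, cls in enumerate(classes):
        separator = ",\\" if index < len(classes) - 1 else ""
        lines.append("    " + cls + separator)
    return "\n".join(lines)


if __name__ == "__main__":
    counts = rejected_classes(SAMPLE_LOG)
    own, suspicious = triage(counts, ["com.my."])
    for cls, n in counts.most_common():
        print(f"{n:4d}  {cls}")
    print("\nInvestigate before whitelisting:", suspicious)
    print("\nExtended portal-ext.properties entry:\n")
    print(render_whitelist_property(DXP_DEFAULT_WHITELIST, own))
```

Point the script at the real log (for example by replacing SAMPLE_LOG with the contents of catalina.out) and restrict trusted_prefixes to packages you actually ship; every entry added to the whitelist is a class an unauthenticated request can ask the portal to instantiate, so keep the list as short as possible.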