A few weeks ago, our support team received an alert about sustained high load on a customer's portal. After the initial investigation, we found a suspicious process running under the same user as the customer's web application process, indicating that the cause of the breach was most likely related to Liferay Portal.

After some digging in the Liferay log files, it turned out that there were multiple messages indicating serialization errors. In the CVE database, we found CVE-2020-7961. This vulnerability was used to execute arbitrary code (in this case a crypto miner) via the JSON web services (JSONWS) endpoint, through deserialization of untrusted data.

Older, unpatched Liferay CE instances are vulnerable, and some unpatched Liferay DXP instances may be vulnerable as well.

Scope and mitigations

As the crypto miner process runs as the same user as the web application, it potentially has access to the application's data. This includes the files stored in the application's document and media library. It also potentially has access to the web application's database.

We did not find any evidence that the crypto miner processes accessed, transferred or compromised any of the application data. From what we've seen, it looks like the vulnerability in Liferay Portal was only used to run a crypto mining process.

Symptoms

If one or more of the following checks is positive, your server/container may be infected:

  • Sudden high load on the servers/containers running your Liferay instance.
  • Oddly named processes running as the same user your portal is running as.
  • Outgoing connections to port 7777 on remote servers.
  • Oddly named files in the /tmp folder.
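The checks above can be scripted for triage. The following is an added example, not part of the original Firelay post: it takes `ss -tn` style connection output and `ps -eo user,pid,comm` style process output (constructed samples here, stated inline), flags peers on remote port 7777, lists processes running as the portal user that are not the expected Java process, and lists recently modified files in a directory such as /tmp. The portal user name `liferay` and the process name `x9zq1` are constructed for the example.

```shell
#!/bin/sh
# Added triage example (not Firelay's or Liferay's own code).
# Replace the constructed samples below with live output on a real host:
#   ss -tn                    -> connection table
#   ps -eo user,pid,comm      -> process table

# Constructed sample of `ss -tn` output (State Recv-Q Send-Q Local Peer).
SAMPLE_CONNECTIONS='ESTAB 0 0 10.0.0.5:44812 203.0.113.10:7777
ESTAB 0 0 10.0.0.5:8080 10.0.0.9:52113
ESTAB 0 0 10.0.0.5:51004 192.0.2.22:443'

# Constructed sample of `ps -eo user,pid,comm` output; "x9zq1" stands in for an oddly named process.
SAMPLE_PROCESSES='USER PID COMMAND
liferay 1201 java
liferay 2390 x9zq1
root 1 systemd'

# Print the peer address:port of every established connection whose remote port is 7777.
find_port_7777_peers() {
    printf '%s\n' "$1" | awk '$1 == "ESTAB" {
        n = split($5, a, ":")          # last element is the port, works for IPv6 too
        if (a[n] == "7777") print $5
    }'
}

# Print "PID COMMAND" for processes owned by the portal user whose command is not the expected one.
#   $1 = portal user, $2 = expected command (usually java), $3 = process table text
find_unexpected_processes() {
    printf '%s\n' "$3" | awk -v u="$1" -v e="$2" 'NR > 1 && $1 == u && $3 != e { print $2, $3 }'
}

# Print regular files under a directory modified within the last N minutes.
#   $1 = directory (e.g. /tmp), $2 = minutes
find_recent_files() {
    find "$1" -type f -mmin "-$2" 2>/dev/null
}

# Demo run on the constructed samples.
echo "Peers on remote port 7777:"
find_port_7777_peers "$SAMPLE_CONNECTIONS"
echo "Unexpected processes running as liferay:"
find_unexpected_processes liferay java "$SAMPLE_PROCESSES"
```

On a live host, pipe the real `ss -tn` and `ps -eo user,pid,comm` output into the same functions and run `find_recent_files /tmp 1440` to see what appeared in /tmp over the last day; any hit is a reason to inspect further, not proof of infection on its own.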

Mitigation Actions

  1. Block access to the application's JSON web services (JSONWS). Set the following portal property to false:
     json.web.service.enabled=false
  2. Kill and remove crypto mining processes.
  3. Apply the security patch for your version of Liferay.
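To make step 1 verifiable, here is an added example (not Firelay's or Liferay's code) that reads the effective value of `json.web.service.enabled` from properties text, reports whether JSONWS is disabled, and rewrites a portal-ext.properties file so the key is set to false. The two properties files are constructed samples; the weak one carries the default `=true`, the hardened one the `=false` the mitigation asks for. The example assumes a missing key means the default, i.e. JSONWS enabled.

```shell
#!/bin/sh
# Added configuration check (not Firelay's or Liferay's own code).

# Constructed sample portal-ext.properties contents.
WEAK_PROPS='# portal-ext.properties (constructed sample, JSONWS still enabled)
json.web.service.enabled=true'

HARDENED_PROPS='# portal-ext.properties (constructed sample, JSONWS disabled)
json.web.service.enabled = false'

# Print the effective value of a property in properties text.
# Comment lines (# or !) are skipped, whitespace around "=" is tolerated, the last definition wins.
#   $1 = key, $2 = properties text
property_value() {
    printf '%s\n' "$2" | awk -v k="$1" '
        /^[[:space:]]*[#!]/ { next }
        index($0, "=") == 0 { next }
        {
            name = substr($0, 1, index($0, "=") - 1)
            val  = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", name)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (name == k) v = val
        }
        END { print v }'
}

# Succeed (exit 0) only when JSONWS is explicitly disabled; an absent key is treated as enabled (assumed default).
#   $1 = properties text
jsonws_disabled() {
    [ "$(property_value json.web.service.enabled "$1")" = "false" ]
}

# Rewrite a properties file so json.web.service.enabled=false, replacing an existing line or appending one.
# Writes to a temporary file first so a failed awk run leaves the original untouched.
#   $1 = path to portal-ext.properties
disable_jsonws() {
    tmp="$1.tmp"
    awk '
        BEGIN { done = 0 }
        /^[[:space:]]*json\.web\.service\.enabled[[:space:]]*=/ { print "json.web.service.enabled=false"; done = 1; next }
        { print }
        END { if (!done) print "json.web.service.enabled=false" }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Demo run on the constructed samples.
for name in WEAK_PROPS HARDENED_PROPS; do
    eval "text=\$$name"
    if jsonws_disabled "$text"; then
        echo "$name: JSONWS disabled"
    else
        echo "$name: JSONWS enabled (value: $(property_value json.web.service.enabled "$text"))"
    fi
done
```

Run `disable_jsonws /path/to/portal-ext.properties` against the real file, then restart the portal, since portal properties are read at startup; `jsonws_disabled "$(cat /path/to/portal-ext.properties)"` afterwards confirms the change took.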

Attention! The applied mitigations may lead to some loss of functionality for specific use cases.


Firelay recommendation

If you're running a version of Liferay Portal prior to 7.2.1 CE GA2, your application is vulnerable. It's essential to patch your Liferay Portal as quickly as possible. Below, we've provided a few links to point you in the right direction.

    Instructions on how to patch:

    1. Liferay EE/DXP instructions.
    2. Liferay CE instructions.


    Need assistance?

    Feel free to reach out to lex@firelay.com if you have any questions related to this issue.