A few weeks ago, our support received an alert on high sustained load for a customer’s portal. After the initial investigation, we found a suspicious process running under the same user as the customer’s web application process, indicating that the cause of the breach was most likely Liferay portal related.
After some digging in the log files of Liferay, it turned out that there were multiple messages indicating serialization errors. In the CVE database, we found CVE-2020-7961. This vulnerability was used to execute arbitrary code (in this case a crypto miner) via JSON web services (JSONWS) on deserialization of untrusted data.
Older, unpatched Liferay CE instances are vulnerable, and some unpatched Liferay DXP instances may be vulnerable as well. Below we’ve provided a quick overview of the symptoms and how to tackle this issue.
Scope and mitigations of CVE-2020-7961
Because the crypto miner process runs as the same user as the web application, it potentially has access to the application’s data. This includes the files stored in the application’s document and media library, and potentially the web application’s database as well.
We did not find any evidence that the crypto miner processes accessed, transferred or compromised any of the application data. From what we’ve seen, it looks like the vulnerability in Liferay Portal is only used to run a crypto mining process.
If one or more of the following checks is positive, your server or container may be infected:
- Sudden high load on the servers or containers running your Liferay instance.
- Oddly named processes running as the same user as your portal.
- Outgoing connections to port 7777 on remote servers.
- Oddly named files in the /tmp folder.
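The following script, added here as an example and not part of the original post, turns the four symptoms above into host-side checks. The `ss` and `ps` samples are constructed inline so it runs offline; the process name and peer address in them are placeholders, not real indicators, and the load threshold (twice the core count) is an assumption to tune for your hosts.

```sh
#!/bin/sh
# Checks for the symptoms of a CVE-2020-7961 crypto miner infection.
# Sample command output below is constructed so the script runs offline.

# Constructed sample of `ss -ntp`: one suspect connection, one normal one.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:44812 192.0.2.10:7777 users:(("a1b2c3d",pid=2231,fd=3))
ESTAB 0 0 10.0.0.5:8080 10.0.0.9:51212 users:(("java",pid=1111,fd=45))'

# Constructed sample of `ps -u "$APP_USER" -o pid=,comm=`.
SAMPLE_PS='1111 java
2231 a1b2c3d'

# True when the 1-minute load ($1) is more than twice the core count ($2).
load_exceeds() { awk -v l="$1" -v c="$2" 'BEGIN { exit !(l > 2 * c) }'; }

# Print peer address:port of established connections to remote port 7777.
find_port_7777() {
  printf '%s\n' "$1" | awk '$1 == "ESTAB" && $5 ~ /:7777$/ { print $5 }'
}

# Print "pid comm" for processes whose name is not in the allow-list ($2).
find_unexpected_procs() {
  printf '%s\n' "$1" | awk -v allow="$2" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 2 && !($2 in ok) { print $1, $2 }'
}

# Print executable regular files directly under $1 that are owned by user $2.
find_exec_in_dir() { find "$1" -maxdepth 1 -type f -perm -100 -user "$2"; }

# Run the checks. APP_USER defaults to the current user so the script runs
# anywhere; set it to the portal's user (e.g. APP_USER=liferay) in production.
APP_USER="${APP_USER:-$(id -un)}"
load1=$(uptime | sed 's/.*average[s]*: *//' | cut -d, -f1 | cut -d' ' -f1)
cores=$(nproc 2>/dev/null || getconf _NPROCESSORS_ONLN 2>/dev/null || echo 1)
if load_exceeds "${load1:-0}" "$cores"; then
  echo "WARN: 1-minute load $load1 is high for $cores core(s)"
fi
echo "Connections to port 7777 (sample data):"; find_port_7777 "$SAMPLE_SS"
echo "Unexpected processes (sample data):"; find_unexpected_procs "$SAMPLE_PS" "java"
echo "Executable files in /tmp owned by $APP_USER:"; find_exec_in_dir /tmp "$APP_USER"
```

Replace the two sample variables with live `ss -ntp` and `ps -u "$APP_USER" -o pid=,comm=` output, and extend the allow-list with the process names your portal legitimately runs.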
Mitigation steps:
- Block access to the application’s JSON web services (JSONWS). Set the following portal property to false:
- Kill and remove the crypto mining processes.
- Apply the latest security patch for your version of Liferay.
Attention! These mitigations may cause a loss of functionality in some specific use cases.
If you’re running a version of Liferay Portal prior to 7.2.1 CE GA2, your application is vulnerable. It’s essential to patch your Liferay Portal as quickly as possible. Liferay is already aware of this vulnerability and has fixed it in its latest patch. Below, we’ve provided a few links to point you in the right direction.